Bugtraq mailing list archives

Re: Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994

From: pwh () bradley bradley edu (Pete Hartman)
Date: Mon, 28 Nov 94 18:56:06 -0600

My key concern is that people on the net, and on these lists in
particular, spout opinion as proven fact.


And just exactly WHERE is it that your opinion has become proven fact
as opposed to the rest of us poor sods?  You don't sound like you're
including yourself in this sweeping criticism.

                                              This perpetuates folklore,
just as knocking on wood or avoiding black cats.  We have no general
evidence to prove in any real way that full disclosre helps/hurts more
people than it hurts/helps.  We have no evidence that full disclosure
hastens/delays release of a fix.  And we have no evidence that the
majority of "black hats" know and use all of these flaws before they
are publicly announced (although there is some partial evidence to the
countrary).


What evidence?  Seems to me that the contrary evidence is that that is
contrary to your stance.

8lgm published scripts about rdist and /bin/mail and suddenly vendors
were scrambling to patch them, despite the fact that these utilities
have been around almost as long as BSD itself, and should have been
patched then.

So what evidence do you have that there are bugs that have been fixed
that weren't widely distributed first?

If we are going to improve the way we handle security, we have to
start by examining what we really know and not what we have
experienced locally.


When many local experiences are pooled, and all appear to be similar, doesn't
that seem to indicate a trend?  Something statistically more significant than
my own personal anecdote?

The pooling of experiences seems to indicate to me that knowledge is
power, and if you deny those who NEED the power sufficient knowledge,
they will be incapable of protecting themselves effectively from those
who DO have the power.

Whether there's an organized "black hat" network or not is irrelevant.

One black hat telling another is more organized than we white hats can
be if we're treated like goddamn mushrooms.

Current thread:

Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994, (continued)
- - - Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Karl Strickland (Nov 28)
    - Full vs. Partial Dsiclosure Nathan Lawson (Nov 28)
    - (fwd) In reply to comments about new policy (fwd) Paul 'Shag' Walmsley (Nov 28)
    - Re: (fwd) In reply to comments about new policy (fwd) anthony baxter (Nov 28)
    - Old vulnerability disclosure please? (fwd) Jeon Young-mi (Nov 29)
    - Re: (fwd) In reply to comments about new policy (fwd) Pug (Nov 30)
    - Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Robert M. Haas (Nov 29)
  - Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Casper Dik (Nov 29)
    - Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Doug Siebert (Nov 29)
  - STOP! Aleph One (Nov 29)
- Re: Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Pete Hartman (Nov 28)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Gene Spafford (Nov 29)
  - Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Pat Myrto (Nov 29)
    - Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Karl Strickland (Nov 30)
- Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 RAS () CACDVAX CACD ROCKWELL COM (Nov 29)
  - Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994 Gene Spafford (Nov 30)