Bugtraq mailing list archives
Re: Can we afford full disclosure of security holes?
From: antirez <antirez () invece org>
Date: Fri, 10 Aug 2001 21:32:23 +0200
On Fri, Aug 10, 2001 at 02:39:06PM -0400, Richard M. Smith wrote:
> This $20 million figure begs the question was it really necessary for eEye Digital Security to release full details of the IIS buffer overflow that made the Code Red I and II worms possible? I think the answer is clearly no.
The 'no' answer is clear only for you (and a few additional people).

1) The next time, the Code Red authors may be the same guys who discovered the vulnerability, so your no-disclosure policy fails anyway, while it creates the conditions to make the next worm more aggressive; see the next points.

2) Full disclosure provides the community with a lot of information and experience to build better protection, more secure code and a security culture around the world. It also creates the 'case', and customers will think that maybe that vendor does not provide very secure code. This should stimulate the vendor to write better code.

3) The lack of full disclosure and proof-of-concept exploits helps to create an unhealthy security feeling about the actual software; sysadmins will probably be less responsive in upgrading their systems, so when we reach point 1) the result is very catastrophic.

4) A motivated attacker can obtain information about the vulnerability anyway by examining the patch in the case of open-source software (or the differences between the last and the current version), so this (doesn't) work only for proprietary software, without considering that it is anyway possible to guess information about the vulnerability from two different binaries (one patched, the second vulnerable).

regards,
antirez

--
Salvatore Sanfilippo <antirez () invece org>
http://www.kyuzz.org/antirez
finger antirez () tella alicom com for PGP key
28 52 F5 4A 49 65 34 29 - 1D 1B F6 DA 24 C7 12 BF
Current thread:
- Can we afford full disclosure of security holes? Richard M. Smith (Aug 10)
- RE: Can we afford full disclosure of security holes? Marc Maiffret (Aug 10)
- Re: Can we afford full disclosure of security holes? Bill Arbaugh (Aug 10)
- Re: Can we afford full disclosure of security holes? Ryan Russell (Aug 10)
- Re: Can we afford full disclosure of security holes? Scott Blake (Aug 10)
- Re: Can we afford full disclosure of security holes? antirez (Aug 10)
- Re: Can we afford full disclosure of security holes? Alun Jones (Aug 10)
- RE: Can we afford full disclosure of security holes? Guy Helmer (Aug 10)
- Re: Can we afford full disclosure of security holes? Chris Wolfe (Aug 10)
- Re: Can we afford full disclosure of security holes? Randy Taylor (Aug 10)
- <Possible follow-ups>
- Re: Can we afford full disclosure of security holes? aleph1 (Aug 10)
- Re: Can we afford full disclosure of security holes? Bill Arbaugh (Aug 10)
- RE: Can we afford full disclosure of security holes? bodzincm (Aug 10)
- RE: Can we afford full disclosure of security holes? Richard M. Smith (Aug 10)