> Anyways, both sides of the disclosure fence suffer from one fatal
> flaw. A flaw that Brad Spengler AKA Spender has been incessantly
> pointing out for years and it's that bugs don't matter. Bugs are
> irrelevant. Yet our industry is fatally focused on what is essentially
> vulnerability masturbation.

To be very frank... I think you're a bit guilty of the same oversimplification that you attribute to the 0-day crowds :-) Containment and detection matter. So does proper system design. And yup, every enterprise should plan for getting owned, instead of assuming that the AV software on their workstations will be able to stop bad guys in their tracks. But squashing bugs matters, too - not on an individual scale, but because all other principles aren't worth much if any attacker is likely to have a cache of trivial 0-days for *every* single layer of defense that you have in place. I'm sure that neither you nor Brad are running 15-year-old copies of Apache and OpenSSH, or browsing the web with Netscape Navigator, and then putting all your faith in containment frameworks.

Now, that aside... I don't really follow parts of your argument against vulnerability disclosure as a concept - or more specifically, I don't see the inherent connection to privacy worries, to government oppression, to black hat mercenaries, or to flashy conference showmanship. That said, I think it's hard to have a perfectly rational discussion about such deeply-held beliefs, and I recognize that my own views are hopelessly subjective =)

> Having said that, if you gave me a billion dollars today, what
> percentage of the Google security team could I employ tomorrow?

Here, I'd just say what I mentioned to Dave in an earlier thread: people have strong beliefs about P0, and I think it's fine. But from what I recall, P0 amounts to somewhere under 5% of Google's security & privacy headcount - so projecting these beliefs onto the entire security org just doesn't seem right.

/mz

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
