-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 01 July 2003 00:58, [EMAIL PROTECTED] wrote: > The ZDNet article hit the point right on the head. It is irresponsible to > leave the vendor uninformed before going public. Doing that helps > absolutely nobody. If you're going to take the interpretation of full > disclosure literally, notification of the vendor and the public is > simultaneous. There will be radicals who say that notifying none is what > should have happened here -- and even that policy is better than blindly > rifling off details of a remotely exploitable buffer overflow to every > kiddie in the world without a workaround of any kind. The > poorly-structured original post didn't even make the faulty code clear.
While I agree, that you should at least provide some kind of workaround, I strongly disagree with criminalizing anyone who stands for full disclosure. I, as user and administrator, personally would rather have someone disclose a vulnerability prematurely with a workaround that I can use than someone being quiet while piling up a huge dDoS host collection / passing his t00lz around in the blackhat community. Not everyone is as good a person as microsoft wants to have them - and frankly - if I discovered a bug I would not do "cooperation" that stretches endlessly over weeks and eventually after half a year the hole is patched. In fact they should be grateful for everyone who does not hold back information about bugs in their software. Quote: "A bug like this could be triggered via a number of means...through e-mail, simply browsing a web page, perhaps browsing a network share," he wrote in an e-mail to CNET News.com. HTML and all the more Java Script simply _does_not_have_to_do_anything_at_all_with_emails_ I do not understand why things like support for this can be turned on by default. The result of this lax security policy could be seen in recent worms. And this is what really makes me sick: Trustworthy Computing Campain, but when it really comes down to the dirty work of patching they moan about everyone who does not follow their strict guidelines on reporting vulnerabilities. - Thilo Schulz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/AXqeZx4hBtWQhl4RAp09AJ9oHsRK4pkOC8oX+JChkZ+7Ktrf+ACgiXgT 5UIvmVbSoXVW/l0hNrETJ1M= =JlEK -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
