Jason Coombs wrote:

Actually, I'm one of the people who believe that if there's a bug or a vulnerability, it needs to be known about; keeping it secret doesn't help. Let's say I write "Happy E's web server and megalo-database combo," and a group finds a way to get information from my database without me knowing. Let's say we keep it a secret, and while I'm working on it, some rogue group comes in and steals the credit card information from web sites that use my server. It was "just me and the security group" who knew about the exploit, so who do people want to blame? The "what ifs" drag on, and people are left, in a worst-case scenario, with a lot of fraudulent charges on their card.

My comment to you is this: You're behaving as though if we all just agree to filter our thoughts in a particular way, then nobody will think anything that is prohibited, or if anyone does, then at least the prohibited thoughts won't spread.

I believe that when you find something wrong with something, you notify everyone at the same time once someone else can confirm it. It doesn't have to be the software vendor; it can be a trusted colleague, or someone with more computing/security experience than you. I stay up to date because I like to know what software packages are vulnerable, and I like to know what makes them that way.

You can ask some people who know me... I'm a very vocal person when it comes to free speech. I don't want anyone's thoughts or ideas suppressed in any way. I was just posting this so some people can read it, get a good chuckle, and go about their day. I wasn't planning on this becoming a flame-fest. It was an interesting read to me because it didn't seem like the way to handle that type of thing. I didn't really appreciate being called "delusional," and I honestly didn't think that one could come up with a valid judgement of a person based on just one post.

Ian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
