On Mon, Apr 26, 2010 at 09:18:04AM -0700, Hubbard, Dan quoted:

> If you tell the world about a flaw in operational software/hardware,
> you increase the pool of threat agents that know about it, increase
> the likelihood they will attack, and increase the chance they will
> be successful. All of this happens when you make the information known.

This is a whiney argument for purported security-by-obscurity, and it completely ignores the possibility of independent discovery. If person A has studied piece of software X looking for vulnerabilities, then persons B, C, D, etc. have done so as well...or will soon enough. It is only a matter of who will be successful, when they will be successful, and what they will choose to do when they succeed.

There is no point in pretending that B, C, D, et al. don't exist. There is even less in presuming that they're not as smart or diligent or clueful as A.

What really increases the likelihood of attack is bad engineering, especially chronically bad engineering. Because after vulnerability #673 is found in piece of software X, it's a reasonable guess to presume that #674 is there waiting to be found.

What increases the likelihood of *successful* attack is using any of the dumb ideas (e.g., default permit, enumerating badness) that we should all be avoiding like the plague.

And what exacerbates both are futile attempts to pretend that all of this information can and should be kept secret. It won't. It can't.

Yes, I'm quite sure it's inconvenient for some people that the toothpaste can't be stuffed back in the tube. (It's been inconvenient for me on occasion, too.) But petulantly demanding that everyone else do it is a non-starter.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
