-----------------------------------------<snip>----------------------------
For the clever attacker, it is to his advantage for those
integrity issues to NOT be discussed.
That's not the question. Is it to his advantage for the discussion to be
private, between the reporter and the developer? The only situations in
which I would go public with a security hole are when it is a generic
problem affecting a whole community of developers or when the developers
refuse to fix it.
------------------------------------<unsnip>------------------------------------
I'm not sure that I'd be quite as open about it, but I understand the
sentiment. I'd be more likely to attack IBM's "inaction" or apparent lack
of concern by escalating the problem within the IBM corporate structure.
I'd be very hesitant about giving away something that might enable
"destructive influences" to further their aims. Call me chicken if you
like, but I'd hate to be involved in a serious security breach, even if
only indirectly and at a great distance.
Rick
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html