This is the old problem: Do you publicize what the problems are, so that the bad guys will find out? Or do you not detail the vulnerabilities, so that the good guys don't know how to protect themselves?
I come down on Cliff Stoll's side. The bad guys out there already know; in his book he gives the details so the good guys can fix the problems. One might think "only SOME of the bad guys know; do we want them ALL to know?". But the bad guys are telling each other where the holes are. And since our work is defensive, not offensive, it doesn't matter whether there are a thousand bad guys who know the factory-default password, or only a hundred; all it takes is one and I'm vulnerable if I don't change it. So on the whole, I'm in favor of publishing the holes. I suppose if a fix can be implemented in a day or two, it might make sense to hold off that long. But if it's a matter of a week, I think publishing is better. That’s my vote, anyway. --- Bob Bridges, [email protected], cell 336 382-7313 /* Shoveling the driveway before it has stopped snowing is like cleaning your house before your kids are grown. */ -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Itschak Mugzach Sent: Sunday, February 13, 2022 02:23 very responsible. Meanwhile, the client is open for attacks. However, he can't protect himself since no one reported it affects his MF. --- בתאריך יום א׳, 13 בפבר׳ 2022 ב-3:42 מאת Seymour J Metz <[email protected]>: > I believe that developing a fix before you disclose the vulnerability > is the responsible thing to do. > > ________________________________________ > From: David Crayford [[email protected]] > Sent: Saturday, February 12, 2022 6:17 PM > > Are you sure the attacker doesn't have the code? A huge percentage of > hacks come from insider threats. In the case of Solar Winds the > attackers had the code and access to the build pipeline. > > --- On 13/2/22 3:38 am, Itschak Mugzach wrote: > > If someone develops code that is vulnerable, only the organization > > he works for is (potentially) affected and the attacker does not > > have access to the code to play with. With open source, the code is > > accessible to everyone, and the problem hits millions of > > organizations. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
