+1 for Bob. I don't know who knows what. The bad guys do not check what you have, they try their tools and que sera sera.
Best,
ITschak

Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for z/OS, zLinux and IBM i
Email: [email protected] | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: www.Securiteam.co.il

On Sun, Feb 13, 2022 at 3:19 PM Bob Bridges <[email protected]> wrote:

> This is the old problem: Do you publicize what the problems are, so that
> the bad guys will find out? Or do you not detail the vulnerabilities, so
> that the good guys don't know how to protect themselves?
>
> I come down on Cliff Stoll's side. The bad guys out there already know;
> in his book he gives the details so the good guys can fix the problems.
> One might think "only SOME of the bad guys know; do we want them ALL to
> know?". But the bad guys are telling each other where the holes are. And
> since our work is defensive, not offensive, it doesn't matter whether there
> are a thousand bad guys who know the factory-default password, or only a
> hundred; all it takes is one and I'm vulnerable if I don't change it.
>
> So on the whole, I'm in favor of publishing the holes. I suppose if a fix
> can be implemented in a day or two, it might make sense to hold off that
> long. But if it's a matter of a week, I think publishing is better.
> That's my vote, anyway.
>
> ---
> Bob Bridges, [email protected], cell 336 382-7313
>
> /* Shoveling the driveway before it has stopped snowing is like cleaning
> your house before your kids are grown. */
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf
> Of Itschak Mugzach
> Sent: Sunday, February 13, 2022 02:23
>
> very responsible. Meanwhile, the client is open for attacks. However, he
> can't protect himself since no one reported it affects his MF.
>
> ---
> On Sun, Feb 13, 2022 at 3:42 Seymour J Metz <[email protected]> wrote:
>
> > I believe that developing a fix before you disclose the vulnerability
> > is the responsible thing to do.
> >
> > ________________________________________
> > From: David Crayford [[email protected]]
> > Sent: Saturday, February 12, 2022 6:17 PM
> >
> > Are you sure the attacker doesn't have the code? A huge percentage of
> > hacks come from insider threats. In the case of Solar Winds the
> > attackers had the code and access to the build pipeline.
> >
> > --- On 13/2/22 3:38 am, Itschak Mugzach wrote:
> > > If someone develops code that is vulnerable, only the organization
> > > he works for is (potentially) affected and the attacker does not
> > > have access to the code to play with. With open source, the code is
> > > accessible to everyone, and the problem hits millions of
> > > organizations.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------
