On 06 Oct 2005, at 20:14, Tim Cavanagh wrote:

If you do all of those things then you will have pretty good protection. I am concerned that smurf seems to be trolling for ways to circumvent LittleSnitch as much as trying to harden the app. Why did you not send your concerns directly to the developer instead of publishing it on the net? I am sure that if you did not get a satisfactory response from obdev you could have aired your concerns publicly.

Without putting words in his mouth, I have this to say. When we discovered the mentioned issues, we felt it was important that everyone know about the vulnerabilities. I certainly understand the view that the developers might deserve the first crack at an issue. However, the internet post that led to the discovery that the daemon could easily be brought down occurred on a public forum where anyone might see it. Opener and previous LS mailing list posts prove that this is not the first time the idea has been brought up.

Additionally, as I think has been apparent from some recent posts, the mailing list audience is very interested in these issues. Several posts have indicated that an ironclad LS is of key importance. If ironclad status is a false image, I think everyone deserves to know.

I eagerly look forward to the ObDev developer responses, but I don't know that the proper venue for discussion is a private forum. This very issue is often heatedly debated and far from settled. My view is that security by obscurity isn't security at all, and that private discussion with developers is obscurity. It's clear that this view is not the runaway majority, but I think it's far from a minority.

--                                                 --
arno  s.  hautala        /-\        [EMAIL PROTECTED]
--                                                 --


_______________________________________________
Littlesnitch-talk mailing list
Littlesnitch-talk@obdev.at
http://at.obdev.at/mailman/listinfo/littlesnitch-talk