Gary McGraw [mailto:[EMAIL PROTECTED] writes:
The main thing I wonder is, what do you think? When you have a hot
demonstration of an exploit, how do you responsibly release it?
This isn't so much about that, in the usual sense. This was, as you say, a
well-known vulnerability, one screamingly obvious to anybody who bothered to
think about how to get around the No-Fly List. Bruce Schneier wrote about it on
his blog long ago, as did many others.
What role do such demonstrations play in moving software security forward?
It could help dramatically. Not so much because of the demo itself, which will
of course be ignored by the Powers that Be, but the publicity around it. That
might possibly eventually make enough of a dent in the public consciousness, to
wake them up to the fact that what the PTBs have been doing is almost all just
However, it depends how much the media gives background. Unfortunately, even a
brief blurb like this flaw in the No-Fly List concept has been well known for
several years is unlikely to be aired or printed, since it takes valuable
time/space away from the latest scandals of skanky socialites and other such
much more important news. Without this little bit of trivia, the sheeple will
just ass-u-me that the demo-giver was, as the PTBs will insinuate, a malefactor
in league with $ENEMY[$YEAR], and deserves to be shipped off to the Git-lag.
Specialization is for insects. -Heinlein
Secure Coding mailing list (SC-L)
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php