Re: Call to arms - INFORMATION ANARCHY
From: Kevin Simmons (k.simmons@MASSEY.AC.NZ)
Date: 11/03/01
- Previous message: Arne Vidstrom: "Re: Call to arms - INFORMATION ANARCHY"
- In reply to: Russ: "Re: Call to arms - INFORMATION ANARCHY"
- Next in thread: Greg Lara: "Re: Call to arms - INFORMATION ANARCHY"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <000a01c16410$b7c9e200$43577b82@massey.ac.nz>
Date: Sat, 3 Nov 2001 15:39:09 +1300
From: Kevin Simmons <k.simmons@MASSEY.AC.NZ>
Subject: Re: Call to arms - INFORMATION ANARCHY
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I have no problem with full disclosure, including example exploits, as long as I receive them *after* notification from the vendor of how to get the appropriate patch for my system. I know that I will patch my systems (it's my job) even if the thousands of admins out there with their heads in the sand don't. The example exploits may even help the 'security researchers' find similar attacks which the vendor did not patch at the same time.
Unfortunately we have all heard of vendors who sit on a newly discovered hole in their software, taking months to fix it (or not at all - their answer being to upgrade to the latest version...). Then it becomes an issue of how to force those vendors to patch their product. This is where the threat of full disclosure comes to the rescue. No vendor likes bad publicity, especially if there is an ounce of truth in the accusations.
What we need to agree on, I think, is a balance.
We all know that the many exploits in Microsoft products are not all due to the inability of Microsoft developers to learn from their mistakes, but also due to the popularity of the software itself. Let's face it, finding an exploit in a Microsoft product receives far more media attention than one in a product from any other vendor.
All this posturing by all the participants in the security area is just a waste of resources. Those of us who keep abreast of the latest issues would rather that the researchers get on with their research, and the vendors get on with issuing patches [that work] and learning from their mistakes.
As for an independent overseeing body to enforce this, why doesn't anyone consider the customer here (Microsoft has a few million of them...)?
Isn't this supposed to be one of the greatest by-products of the free market - voting with your feet (or abusing the vendor in the free press)?
Kevin Simmons
System Administrator
EpiCentre, Massey University.