Re: Call to arms - INFORMATION ANARCHY

From: Yi-Lei Wu (iwscol@HOTMAIL.COM)
Date: 11/03/01


Message-ID:  <F444BvRnfvcySa4k3z600000465@hotmail.com>
Date:         Fri, 2 Nov 2001 21:58:28 -0500
From: Yi-Lei Wu <iwscol@HOTMAIL.COM>
Subject:      Re: Call to arms - INFORMATION ANARCHY
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hi all,

In my opinion the action of "Full Disclosure" certainly has its advantages
and disadvantages. The advantages are that system admins could be informed
of the vulnerabilities of their systems, and thus be like the man of the household
who knows where the thief will come and prevents his treasure from being
stolen beforehand. The disadvantages are that "Full Disclosure" could also
be used as a weapon against the people who are not aware of the
vulnerabilities of their system.

Thus the establishment of "Full Disclosure" requires modern admins to be
more aware of the issues at hand and of their own systems and their
vulnerabilities. To prevent "Full Disclosure" from becoming a vulnerable threat
to the community that is not aware of its own problems, we must let the
admins know the new issues before the knowledge is passed to the hand of a
black hat. And I certainly see that this mailing list works exactly as that
function.

However I believe we are unable to distinguish exactly who are the white
hats and the black ones, and by this I mean we could be passing information
to the hands of black hats too. And thus admins are further required to act
before the black hats.

But I believe the above is not the issue we should discuss here, the issue
we are to discuss is Microsoft's standpoint of security. I see that
Microsoft's action also has its advantages and disadvantages. The advantage
is that since information is not passed in such a public way, it perhaps
will save many admins some work to work so hard in order to keep their
systems secure. But at the same time admins are made less aware of their own
systems.

To make my point more clear, Microsoft is using exactly the same principle
of the establishment of "Full Disclosure" to attack it. It is like turning
the sword back to its own user. And of course, the world today, and the
systems are full of vulnerable threats. The movement Microsoft is trying to
make is certainly with an intention. An intention that can only be judged by
its future result.

At this point I am unable to say whether Microsoft is with a good intention
or not. And I am unable to comment on both sides' actions.

Yi-Lei,
A Newbie.
