-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bruce Schneier has a very good piece about this. In it he condemns publishing exploits, and *demands* that those who find exploits give the vendors ample time (not just a few days) to fix the hole. This is just good security practice. It is hoped that, in turn, the other vendors will do the same.

On Sun, 27 Feb 2000, Avi Schwartz wrote:
No, we are not talking about security through obscurity. It is common to notify the maintainers of a piece of software about a security hole before you notify the public to give them chance to fix the problem.
If you find that the door locks are broken in your subdivision due to a manufacturing error, are you going to announce on the radio that the doors cannot be locked and invite every thief for a visit or are you going to replace the locks first and then notify everyone else about the problem?
Avi
cogNiTioN wrote:
How do we know it was unknown? Unpublished, probably; unknown, almost certainly not. It is logical that if you found the hole, you're not the only one capable of finding it, and therefore not the only one who has.
Tell us we're not back to security through obscurity?
How many other unknown bugs are people able to compromise us using?
I thought one of the whole benefits of OSS was that security holes could be found quicker, published to the community (BugTraq anyone?), and patched by individuals while waiting for the vendor to do so.
--
Avi Schwartz                    Get a Life
avi@CFFtechnologies.com         Get Linux
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
__
L. Sassaman
System Administrator                 | "All of the chaos
Technology Consultant                |  Makes perfect sense..."
icq.. 10735603                       |
pgp.. finger://ns.quickie.net/rabbi  |      --Joe Diffie

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE4vQFyPYrxsgmsCmoRAl8QAJ95fAX6/0WNPrPuzjAFXRaxoUZhSwCfaYfV
yHNcN32ixCzoMtdxdqExIK0=
=1i6G
-----END PGP SIGNATURE-----