On Wed, 01 Mar 2000, you wrote:
Bruce Schneier has a very good piece about this. In it he condemns publishing exploits, and *demands* that those who find exploits give the vendors ample time (not just a few days) to fix the hole.
I read that newsletter, and I have to fully disagree with him.
Exploits point a finger, and say "look, it's *very* vulnerable, fix it,
quick". You don't know if you're the only one that knows about the
vulnerability. The only responsible thing to do is to publish the exploit to
as many security mailing lists as possible, and let admins disable the buggy
service.
Also, when you publish the exploit before a patch has been made, you light a
fire under the program-makers' asses. They have to work faster, and will
release a patch earlier. They won't wait until their press department has
finished making a really nice-looking press release. They will release the
patch as soon as it's finished, without delay.
Give the program developers a couple of days, at least if it's only an unchecked
buffer or something that can be fixed in a matter of seconds.
(And before anyone starts ranting on about poor server admins getting their
servers cracked because of exploits... I've been cracked, by the qpopper 2.2
exploit. It was a horrible experience, but I do NOT blame the one who
released the exploit. And I don't blame the makers of crowbars for break-ins,
or the weapon manufacturers for murder.)
--
"Rune Kristian Viken"