In message <m0rCHck-000AfbC@legless.demon.co.uk> you write:

>Firstly, apologies for not replying to everyone who has contacted us
>directly, I'd be here all night if I did.
>
>Before I start, I'd like to confirm that both Karl and myself are 100%
>behind full disclosure.
>
>However, if you recall, due to a lot of criticism of the way we were
>publishing advisories, we requested comments on how we should provide
>further information. This new style was defined by the user community
>at large, we didn't decide on it. If you want to vent your feelings,
>go on comp.security.unix and do it there, that's where you will find
>the creators of this new style.

Surely there is a third way: time-lapsed full disclosure.

When a problem is discovered, don't announce it until there's a patch,
then announce the problem and the patch together, without exploitation
information. After a suitable time (weeks?) has passed, the rest of the
information can be announced. But don't post scripts to exploit the bug;
it gives root to too many newbies.

Announcing: "there's a problem here, go bug your vendor" isn't very
helpful. Announcing: "there's a problem here; here's how to use it to
become root" is dangerous, because you set up a race between sysadmins
and hordes of newbies all trying to exploit the bug before it is patched.

Regards,

John
--
John DiMarco <jdd@cdf.toronto.edu>                Office: EA201B
Computing Disciplines Facility Systems Manager    Phone: 416-978-1928
University of Toronto                             Fax: 416-978-1931
http://www.cdf.toronto.edu/personal/jdd/jdd.htm