On Mon, 28 Nov 1994 19:47:52 -0500 I wrote:

> Pat,
>
> In the spirit of your message:
>
> You've been skipping your Prozac again. Naughty, naughty!
>
> --spaf
>
> Part of the intergalactic conspiracy to keep widely known security information
> away from Pat.

Several people berated me for the above post, pointing out that I was beginning to stoop to Pat's level of insulting behavior. However, after 14 years on the net, I *still* find it difficult to ignore slanderous rants directed at me. But if I had responded to the content of Pat's message, it would have somewhat dignified it. I obviously should have ignored it, as most readers of this list undoubtedly viewed Pat's insults and falsehoods for what they were (those that didn't aren't worth worrying about).

So, my apologies to everyone on bugtraq for that minor lapse in professional behavior. Also, my thanks to all of you who wrote personal mail to me about it, pro and con (but special thanks to those of you offering humorous follow-ups).

-------------

As to this whole thread on disclosure, it maybe doesn't belong in bugtraq, although bugtraq is about bugs and Unix security. There really isn't another good forum for the discussion, however, and it is directed at one of the precepts of bugtraq's charter.

It is also interesting to note how many people fail to understand the difference between folklore and fact, between superstition and proof. Many people want it stopped because they have no doubts about full disclosure being the best thing to do. One cannot reason with belief (they have different foundations). They may be right, they may be wrong, but they don't want their beliefs challenged, so perhaps we should let the thread die off (or maybe someone will create another list?).

I've answered over 50 pieces of mail on this general topic in the last few days. There's not much more to say, which is good, because my fingers are getting quite tired and many of you have had enough!
Luckily, I'm headed out of town for a research meeting, so I can give my keyboard a rest (so please don't write me for a while!)

-------------

Let me recap some points that keep coming up. Many of these should be obvious to people, but curiously aren't:

1) One or two (or three) instances does not establish a proof.

2) Cause and effect are not proven by temporal order; pigeons can be trained to peck at a key expecting food to appear by having that happen randomly a few times. I would hope no pigeons are posting to bugtraq, but statements such as "We'll look at recent disclosures and subsequent patch releases -- that will prove disclosure works" lead one to wonder.

3) Most vendors could do a better job.

4) Some vendors could do a MUCH better job.

5) Very few people in this community seem to be asking themselves how to constructively encourage #3 and #4, and many instead prefer extortion.

6) Remember Hanlon's Razor when talking about vendor response: "Never attribute to malice that which can be adequately explained by stupidity." :-) Screwups and overwork probably lead to more problems than do conspiracy and evil intent.

7) Only telepaths have a hope of discerning the true motivations behind another's behavior.

8) The situation continues to change, and things are probably better now than they were even as recently as a year ago.

I also note that many people seem to think that I have lots of secret vulnerability information, or that I get lots of exploit scripts. (Maybe that explains why there are so many attempts to break into machines here?) The truth is, people almost never report new bugs to me, vendors and CERT don't share the ones they hear about, and I don't keep secret any that I hear about -- they all get passed on to the vendors. Furthermore, the only exploit scripts I recall seeing in the last 18 months have come from bugtraq -- including all the ones we have captured from clumsy crackers. (And please don't send me any to make up for this!
I have no use for exploit scripts, and I don't want to have any around to tempt people; my research is into underlying technology rather than hacking tools.)

I've been asked to give a talk at SANS next year... I think I'll try to do a paper on the pros and cons of disclosure. Of course, as a member of the intergalactic conspiracy, we won't allow any of you to get a copy. :-)

Finis,
--spaf