On Mon, 28 Nov 1994, Pat Myrto wrote:

> "In the previous message, Gene Spafford said..."
>
> You've been skipping your Prozac again. Naughty, naughty!
>
> That the best you can do? The air must be very rarefied up there on
> Snob Hill...

Yeeeow!

Looking over the stated positions of both Pat and Spaf over the past twenty posts, I'm having trouble finding the significant differences in their opinions. While at first Spaf seemed to come off (rather arrogantly, IMHO, whether it was intended to be or not) against full disclosure at any point in time, one of his follow-up posts stated that he was in favor of full disclosure, after a period of time to allow vendors etc. to work on a fix. Pat seemed to make the same point: that full disclosure was a Good Thing as long as people had a week or so to close the hole in some way.

So what are we disagreeing on, now? If you're both pro-full-disclosure, are you differing on the amount of time between the problem announcement and full exploit details? Are we all just flaming each other for the hell of it?

While I'm typing: personally, I'm in favor of full disclosure, for the following reasons:

- I've learned quite a bit about security holes from knowing where others have made security mistakes. I know of others, both crackers and sysadmins, who also have learned more about writing secure programs via full disclosure. We shouldn't restrict knowledge just because it has the 'possibility' of falling into so-called 'bad hands'; we are doing ourselves as much of a disservice.

- Full disclosure allows many people to analyze holes to determine if they are present elsewhere in the system, as opposed to merely trusting the vendor's engineers or the discoverer of the bug. I liken it to cryptanalysis: how do you know if a cryptographic algorithm is anywhere near secure without seeing the algorithm itself?

- Full disclosure allows third parties to issue better patches, if they so desire. An example (albeit a slightly flawed one) would be 8lgm's patch for SunOS bin/mail.

- I do believe that vendors respond much more quickly to a 'full-disclosure' alert than to a more suppressed one. For example, if I were an OS vendor and someone released a 'censored' security alert about my suid_exec, I would assume that I could take my time releasing a patch if the method for exploiting that hole would not be widely known. On the other hand, if I knew that someone was going to come back in a week or two and post exploit info, I'd make that patch a high-priority release!

- Paul "Shag" Walmsley <ccshag@everest.cclabs.missouri.edu>

"The only difference between myself and a madman is that I am not mad." - Salvador Dali