> > If 8lgm had only reported to SCO and Sun, I bet it would have taken
> > just as long (short).
> >
> > --spaf
>

Look, the guy from SCO posted that they had time to fix the bugs reported by 8LGM and they didn't. Only when 8lgm said they were going to go full disclosure did they start to work on binary patches for all their systems.

It's obvious some people don't understand how corporate America thinks. The 1st question they ask about a problem is how many people know. With that in mind, the problem takes on a priority determined by what the public knows. I do not really think a lot of people need scientific proof to understand this concept and hard core data to back it up. Maybe CERT could provide us a graph of which companies were reported bugs, how long it took to fix them, whether they were publicly disclosed, how many ancient bugs still aren't fixed, etc., etc. <grin> Let's see my tax money put to good use here.

Another point I would like to make is that full disclosure should not only motivate vendors to provide fixes, but EVEN more importantly, it should provide motivation to admins who like their jobs to install the patches. I think I would take the time to install a patch that has been fully disclosed, knowing that most no-brain wannabe hackers are going to be trying it on my system, versus a patch that fixes a problem that only SCO and CERT know about and I will probably never have a problem with. Plus, it would be easier to justify to management more money to spend on installing security patches and such if you can say, 'These problems are well known by everyone on the Internet and are being exploited everywhere, so we need to spend $$ to fix them before we really get hit hard,' versus, 'Yeah, VendorX just released some patches that no one knows what they fix, if they really fix anything, nor are there a lot of people exploiting the problems.'
For Spaf's satisfaction, the above statements are just my own opinions and not hard core facts, nor do they reflect reality except for what I have seen in the business place and what colleagues of mine also have said is true.

--
Christopher William Klaus <cklaus@shadow.net> <iss@shadow.net>
Internet Security Systems, Inc.        Computer Security Consulting
2209 Summit Place Drive,               Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030