Forwarded from: Patrick S. Harper <patrickat_private>

I do not believe that full disclosure is the problem. Full disclosure, in my opinion, keeps software manufacturers on their toes. I believe that many of the problems come from unqualified people sitting in the sysadmin or network engineer chair. Companies (especially smaller ones) do not want to pay what it costs for someone who knows what they are doing to come in and secure their systems. Too many times have I seen the "Network Administrator" of a company who has no clue. He just happened to like computers and wound up with the job so they could save 20K a year. Then when a disaster hits, a server falls over or they get hacked, they have no clue how to recover. The company then has to bring in a consultant for disaster recovery (which for me is 1.75X my normal rate); they lose money and productivity because no e-mail is going out, or Joe lost that project that he had been working on for three months with no backup (but it was on a network share???).

I think sometimes that incidents like this are good in a way. You learn the importance of getting and keeping good people, keeping them up on training, making sure they have the appropriate equipment, and are ready to do their jobs.

Just my $.02 worth

> -----Original Message-----
> From: owner-isnat_private [mailto:owner-isnat_private]On Behalf
> Of InfoSec News
> Sent: Saturday, August 11, 2001 2:05 AM
> To: isnat_private
> Subject: [ISN] Security Firm Blamed For Code Red Costs
>
>
> http://www.newsbytes.com/news/01/168934.html
>
> By Brian McWilliams, Newsbytes
> ALISO VIEJO, CALIFORNIA, U.S.A.,
> 10 Aug 2001, 5:11 PM CST
>
> The damage toll from the Code Red worm has sparked a new debate over
> what security experts call "full disclosure."
>
> Richard M. Smith, chief technology officer for the Privacy Foundation,
> today criticized the company that found and publicized the glitch in
> Microsoft's Internet Information Server (IIS) which led to the
> creation of the malicious worm and a copy-cat.
>
> "Was it really necessary for eEye Digital Security to release full
> details of the IIS buffer overflow that made the Code Red I and II
> worms possible? I think the answer is clearly no," wrote Smith in a
> message to the Bugtraq security mailing list today.

[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 03:26:33 PDT