--==_Exmh_-806204580P Content-Type: text/plain; charset=us-ascii On Thu, 18 Feb 1999 21:41:16 EST, Gene Spafford said: > People who really want to improve security find ways to avoid hurting victims > and increase protection. If there is a problem that is not known and not > under attack, notifying the vendor and waiting for a valid fix to appear is > not going to result in anyone being hurt. Posting an exploit widely for a > previously unknown problem suddenly opens up all the current users to attack. Umm.. Gene? I agree with most of your logic, if you can clear up one minor sticking point: How do us white hats determine that a problem isn't already known and being exploited elsewhere by the black hats? Remember that security holes are found in only two ways: during code auditing, and after a break-in. Now, if you find it after a break in, you can safely say it's being exploited in the real world. However, if you find it during a code audit, you *don't* have any way to find out if other people are already getting attacked by it. Remember that the whole reason that Bugtraq is a full-disclosure list is because there's an implicit assumption that the black hats already know about all the holes, and we need to get the information out to the white hats who don't know yet. -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech --==_Exmh_-806204580P Content-Type: application/pgp-signature -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQCVAwUBNs3hDtQBOOoptg9JAQHlwQP/W0bRtbptYNQ6nW8JZe6UTD+nQGJw6418 h0QmFejv5UlYJtGgpR23hUgBizdD4l3L4wk1SRGuDZ89nUfE3X7tYS4GQ1veBYOB wpy14w3bEgJ1hesbznqay+odEvP6r2ghP0EUoN0xzgMQmhEajExX4XUWqCifbE0o aVCf37Xu4UM= =HEsE -----END PGP MESSAGE----- --==_Exmh_-806204580P--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:15 PDT