Security through obscurity does not work. Folks need to understand that vendors will not openly fix problems in a timely fashion unless brought to the community's attention first, thus spurring a concern to fix the problem to avoid future problems in general, and also reduce the chances of new ones once word of the exploit gets out. It's not a smooth process, but a necessary evil and an acceptable de facto compromise between the two. Those that take the Gloom-And-Doom position that the public discussion of vulnerabilities is bad for the Internet are living in a fantasy world. Just because the "politically-correct" method is to fork over large sums to be part of a Vulnerability Club of vendors - or ONLY tell the vendor - does not mean that such information will not get out into the world. I don't need to go into the social ramifications that the Internet has brought to the world of communications.

Think of software as a subscription - you pay for it up front, but you're at the mercy of the vendor's schedule and decision whether or not to address any problems that are reported to them. In such a case - which is what several propose - unless external pressure is placed on the vendor - through the community's common concern and discussion in forums free from vendor control and subjectivity - I wager most of the problems would never get addressed, the exploits will remain, and folks will carry on none the wiser, but still at risk. Software vendors would LOVE such a situation. How many sites were impacted by a vulnerability between the time CERT or a vendor received word of the exploit until the time they actually released a public warning? Most system administrators, I wager, would prefer to know about potential problems IMMEDIATELY so they can monitor or take preventive measures to protect themselves... and not "fiddle while Rome burns" while their networks get compromised.
Once news of a vulnerability is public knowledge, it is incumbent on system admins to act on that analysis and patch their systems. More to the point, community discussion of security vulnerabilities and exploits is perhaps the public's best guarantee that someone is looking out for THEIR interests and not just corporate profits... the peer review of products outside of the vendor's control - through any number of open, interactive, free lists, forums, and sites - provides a "check and balance" to vendor claims that their products are secure, stable, and reliable. Once word of a problem spreads, the community consensus (and media reports of such) typically spurs the vendor to address the issue. Otherwise, we're forced to trust the vendor's word that their products are secure, reliable, and safe... and we all know that major software companies are more concerned with making money and ensuring their marketplace positions than they are with producing secure, robust, and reliable software.

The real world has Underwriters' Labs, Consumer Reports, and any number of third-party test and evaluation organizations... in the intertwined world of the Internet and software, we have full disclosure discussion lists not under the thumb of software vendors... sort of a "peer-review Underwriters' Lab" for software and network technologies. That's why UCITA and DMCA are so popular with the software industry. Rather than actually do good QA on products before they go out the door, or take responsibility for a product's fallacies when they're discovered in the world, they prefer to litigate the problem away, at the expense of the US taxpayers and the public's safety. Security through obscurity doesn't work, and any attempt to develop exclusive fee-based membership Vulnerability Clubs will only obfuscate, not clarify and assist, the examination and resolution of security issues.

Just my 2 cents....

rf
Richard Forno
infowarrior.org / incidentresponse.com
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 18:01:54 PDT