I don't normally post on lists like this. I certainly don't have the knowledge or abilities that eEye or many of the others here have and I certainly don't pretend to. But I am here primarily to listen, to learn what I can.

I am a System Administrator by trade as an independent IT consultant. I need to know where the next attack is coming from before the vendor gets around to patching it or to recognize a hole in my security plan at my customer's site.

My customer's site is not the same as any other customer site that is around. Every one is unique. Their configuration is determined by money, expertise, needs and available technology. Where this varies widely is what Internet connectivity is available at what price. And this is within a very major metropolitan area.

So in the end, one size does not fit all. How I react and cover up any particular security hole depends on a couple of things, primarily:

1) How vulnerable is this customer to this threat?
2) How do I protect this customer from this threat and at what cost?

#2 requires the knowledge of how the threat spreads and what it does and how the customer's infrastructure is built.

I, for one, can't do my job without the help of full disclosure as I sure can't depend on Microsoft or any other vendor to release information found here in a timely fashion to make sure my customers are covered.

If this were a better world and the software vendors did a better job at disclosing the problems, maybe, just maybe, full disclosure wouldn't be needed. As it is now, I can't depend on the vendor to give me the information I need to make good decisions.

Lyle
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 18:31:24 PDT