----- Original Message -----
From: "Mariusz Mazur" <mariuszat_private>

> Ok... So we know that there is a bug... It's a critical one, ppl can
> "turn it off" by editing something in the registry and Microsoft is
> working hard to fix it. Oh... and we know that for the next 60 days some
> people can cause some damage to me and I have no way to protect myself.

Welcome to the world of partial disclosure.

> Is this just me or maybe more people think that releasing this
> "advisory" (though this should be called "intimidator") was completely
> irresponsible and plain stupid?

Actually, I think that non-full disclosure is irresponsible and plain stupid.

Of all the points on *both sides* of the argument, the one that I think is most important, is that without full disclosure or an equivalent audit process, there is no pressure other than market share and perception for software vendors to provide enough data for me to protect myself *OR* to validate that the software vendor is doing their job and protecting me.

And this is a near perfect example of this: Enough data for me to protect myself - the registry file to import - will likely provide enough detail for a cracker to create an exploit.

-Rob

This archive was generated by hypermail 2b30 : Thu Nov 22 2001 - 21:51:09 PST