Debian attacker may have used new exploit

JoeHill joehill-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org
Wed Dec 3 20:23:44 UTC 2003


On Wed, 3 Dec 2003 15:23:31 -0500
John Macdonald <jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at public.gmane.org> wrote:

> Nope, we cannot stop them.  But delayed disclosure
> will, in at least some cases, reduce the number of
> malicious users with such knowledge before a fix
> is available.

In both of your posts, you start from the assumption that immediate public
disclosure contributes nothing, but that's all it is, an assumption. I am
positing that putting any limits on the free exchange of this information is
inherently worse than any *potential* harm (never once demonstrated, only
theorized) done by such disclosure. Straw men, babies, and bathwater, are all
cute, but I have yet to see a strong argument, with evidence, that the free
exchange of all security-related information, an important part of not only
awareness and education, but also development of new tools to combat
vulnerabilities (or the proper eradication of software which is unfixable, i.e.
Internet Exploder), somehow does more harm than good.

There isn't even any evidence that having one "script-kiddie" releasing a worm
or virus into the wild is somehow a better or less damaging situation than
having two, or five. The point is there are *enough* that one or two more are
not going to make one whit of difference. Constraining information, therefore,
has no purpose, at least that can be quantified, whereas the uninhibited
dialogue on security has enormous positive benefits.

The current "regime", as it were, is not working. The internet is gradually
sliding away from us into a spam and virus-ridden pit, and it is precisely
because certain proprietary software vendors have been allowed to hide their
flawed approach to software design, and blame everything on script-kiddies and
other malcontents. Instead, we should be exposing these flaws as they become
apparent, and if it means that "risk reduction" means using, say, Mozilla,
instead of an inferior and insecure product like Internet Explorer, so be it.
Extrapolate that analogy as you see fit ;-)

-- 
JoeHill ++ ICQ # 280779813
Registered Linux user #282046
Homepage: www.orderinchaos.org
+++++++++++++++++++++++++++
He who controls others may be powerful, but he who has mastered himself is
mightier still.-- Lao Tsu
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml




