Domain: ranum.com
Stories and comments across the archive that link to ranum.com.
Comments · 151
Open disclosure creates a mess
I recently attended the Atlanta Linux Showcase and listened to Marcus Ranum's speech on intrusion detection and his stance towards the "hacker" community, and I'd have to agree with his sentiments. I'd wager to guess that 80% of the active "cracker" people are script kiddies who basically find their latest hax0r sk1llz with info they got from the "open disclosure" of a vulnerability. Notify the vendor first. If they don't acknowledge that there is a security issue and that they're working on it, _then_ publicise it. All immediate posting of exploits nonsense leads to millions and millions of script kiddies running around using _no_ thought at all, just running the latest greatest exploit which was detailed word for word in its explanation. It doesn't have to be that way and it shouldn't be that way. It's unreasonable not to notify a vendor about a security hole and post it on some webpage instead. Anyhow, just my opinion.