Slashdot Mirror


On The Costs of Full Security Disclosure

sasha328 writes "I found a reference to this email on the LWN.NET site, which was sent to the SecurityFocus mailing list. It asks a very valid question about how much you can disclose before malicious viruses become possible."

2 of 269 comments

  1. Does this Really apply to Code Red by Darkseer · Score: 0, Troll

    First of all, what does this have to do with Code Red? The virus is self-replicating and the creator was using an, from what I've been reading, unpublished exploit. After the first 50, 60, or some small number of computers are compromised the thing pretty much runs itself. Theoretically this could have all started with manually cracking one computer and no human intervention after that. Not publishing would not have stopped the spread. It's not like 20,000 little crackers were tirelessly manually installing Code Red on a zillion different computers and then telling their friends how to do it. At least if the exploit is published, the poor slob who gets hit with this virus first has some idea what to look for. IIS is out there and you can't stop people from reverse engineering it no matter how many laws you pass. The best weapon we have is to keep the "good guys" as well informed as possible. I want to know when the vendor knows; maybe I can't fix it, but I sure as hell don't want to be flying blind. <sarcasm> Yeah, let's intentionally limit the information I have access to so I can be even more unprepared when a virus hits. </sarcasm> ....riiiiiight, good move.

    --

    BOFH, my model for being a sysadmin :)

  2. There's a word for people like Richard by jsse · Score: 0, Troll

    Troll