Slashdot Mirror


Schneier On Full Disclosure

Bruce let me know that he's written a piece on ZDNet (the original home of the Window of Exposure idea is on Counterpane?) about the problems of not following full disclosure. Very well written, and it does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.

4 of 232 comments

  1. Re:I am for full disclosure but... by jmauro · Score: 5, Informative

    This is the vulnerability of our Nuclear Piles

    This is where you can cross the border undetected

    This is how to make a Fake ID?

    Well, maybe I didn't say every single tiny little syllable, but basically I said 'em, basically.

  2. Re:I am for full disclosure but... by Captain Nitpick · Score: 2, Informative

    Unfortunately, it isn't that simple. Read the history of the Manhattan Project. The FBI actually succeeded in its goal of not allowing a single leak of information out of the project [1].

    You're kidding, right? Anyone who's read Feynman's book on the subject would know that the security was a joke. Fences with holes in them, inattentive guards, insecure safes, and poor whistleblowing policies were all part of the Manhattan Project's "security". Secondly, the security was handled by the military, not the FBI.

    It was the lack of published information on atomic research in the US in 1940 and 1941 that told Kurchatov that something was "up"

    Neat trick, since the Manhattan Project started in 1942. The absence of public information did tip off Kurchatov, but keeping your people from publishing in journals isn't hard. It's keeping spies from passing secrets to a foreign agent outside a diner 50 miles from the secure facility that presents a problem.

    [1] OK, the Soviet Union had spies inside the project before it started, but that doesn't count!

    David Greenglass, the mole who provided many of the secrets the Russians obtained from the Manhattan Project (and who served as a prosecution witness against the Rosenbergs), wasn't assigned to the project until 1944. There were of course other spies, and infiltrating before a project starts most definitely does count, but I felt like going after the factual error.

    --
    But then again, I could be wrong.
  3. Re:Regardless by rodgerd · Score: 5, Informative

    You sound suspiciously like someone who doesn't have sufficient experience in the NT world.

    Windows patches and hotfixes are a whole world of pain. SP2 for NT4 erased filesystems. SP6 crippled people running Notes. Hotfixes regularly blow each other away. They're a *mess*, and a good Windows admin will be *very* cautious about applying either hotfixes or service packs for NT/W2K/XP because the QA on them seems to be so low, so often.

  4. See also Richard Frono's article by otmar · Score: 2, Informative