Slashdot Mirror

← Back to Stories (view on slashdot.org)

Schneier On Full Disclosure

Posted by Hemos on from the interesting-reading dept.

Bruce let me know that he's written a piece on ZDNet (original home of the for the Window of Exposure idea is on Counterpane ? ) about the problems of not following full disclosure. Very well written and does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.

3 of 232 comments (clear)

  1. What Culp actually said... by JMZero · · Score: 4, Insightful

    Culp makes a lot more sense than he's given credit for, and a lot of his points have been taken out of context. The procedure he outlines seems very reasonable to me:

    "Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is... and what users can do to protect their systems....

    "Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly...

    --
    Let's not stir that bag of worms...
  2. That innocent little list o' worms by carambola5 · · Score: 5, Insightful
    Anyone else notice the peculiarity of the list at the beginning of Culp @ Microsoft? Let's see....
    • Code RedMicrosoft worm.
    • LionLinux worm
    • SadmindSolaris worm that affected Microsoft OS's (*ack* if you can call them OS's!)
    • RamenLinux worm
    • NimdaMicrosoft worm
    Now that means that a "representative" list of worms would contain 50% Microsoft worms, 40% Linux worms, and 10% Solaris worms. It's good to see Microsoft presenting a legitimate picture of what's going on. C'mon!! Windows practically breeds worms! Linux has had how many? 4, 5? Morris, Ramen, Lion, Adore. That's all I can come up with. Now, do I start listing the Microsoft worms (not to mention virii)?...
    -------------
    All your sig are belong to us.
    --
    IWARS.
    People, in general, disappoint me. Politicians even more so.
  3. Beware of the "Fire" argument by kingdon · · Score: 4, Insightful

    The argument that you can't just shout "fire" in a crowded theater entered the law in Schenck v. United States, 249 U.S. 47, 52 (1919). This was a Supreme Court case concerning whether the government may suppress pamphlets encouraging people to resist the draft. Although I think that case may have been correctly decided (with the distinction being expressing opposition to the draft versus encouraging people to violate the draft law), I wonder if the Court realized they were treading on, or near thin ice, when they used the "Fire" analogy.

    So it is with people who use the analogy today. Whenever someone start comparing some kind of speech to shouting "Fire" in a crowded theater, don't get carried away by the emotional appeal but keep an eye on your rights, lest someone try to make off with them.