Whether security geeks like it or not, the fact is that at any point in time---10 years ago, today, or 10 years in the future---90% of the systems out there will not be secured well enough to avoid "new" exploits. Sadly, many users see OS upgrades as their security patch mechanism of choice.
I believe the solution here is to create a standard methodology for this kind of stuff, which would go something like this:
1) Exploit is discovered and announced in very generic terms. No tools or detailed exploit instructions are released. This could be an "announcement" on bugtraq.
2) 30-day clock starts ticking. Release the tool to the vendor but no one else.
3) If at end of 30 days the vendor has not provided an effective patch, release the tool and detailed exploit info.
4) If the vendor has provided a patch, don't release the tool. At all. Ever.
Q: How hard is it to screw up M$-bashing? A: Pretty easy, if you don't know what you're talking about. It's that much more embarrassing if you've muffed a technical fact. "Win32" is an interface, not an implementation. It's actually a family of interfaces that share a common subset of functions. Individual implementations may use 32-bit code, 16-bit code or some combo.