It is obvious that the weakest link, and justification in all of this is vendors/developers not taking responsibility to fix these security holes. We can speculate on drawbacks all we want, but until there is some incentive for the vendors/devlopers to take that responsibility, we are merely treading water. Microsoft, for example, has not been deterred by hundreds of security problems in their myriad of applications, so we do know that the simple fact of the holes being exploited is not directing these companies to respond more promptly. The bottom line is we still buy/use the products. Every year we go through a new Outlook/IE bug that crashes thousands of systems, and the next year rolls around and we buy the next version of Windows, or update to the latest IE. What gets at these companies is the money. A far fetched plan would be to adopt some sort of spin-off from the child endangerment laws, but apply them to computing. It isn't that hard to prevent something from accessing the addressbook and sending mass e-mails, so why not punish them for not preventing things that are aiding virus epidemics? Just a thought, far fetched at that, but we have to start somewhere.
I do agree we have a right to know, but I think we need to go about full disclosure in a different way. I don't think the methods of exploiting a bug need to be revealed in order for them to be fixed. Simply saying "There is a problem with the way badFunction() handles non-ASCII characters causing a core dump" should be sufficient information for anyone with desires to fix the problem, rather than exploit it. Sure, some cases may require more, but I don't think full disclosure is a good idea. You bring up many good points though. There is no clear cut solution until vendors take more responsibility and maybe have databases on their sites for their own products.
I don't agree with "...vendors have this much time to patch..." I don't just disagree with it on this database, but all of them. That is just defeating the whole purpose. "We'll give you this long to fix it, and if not, we release our dogs!" That is inherently stupid, for lack of a better word. Regardless of the amount of time passed, the general public, or hacker public, does not need to know how to exploit these bugs, only that they exist, and are being fixed, and where to get the newest version. The vendors, sure, they need to know so they can fix it. It is a good idea, but hey, so is BT on securityfocus, and we all know how that has been abused.
Slashdot Mirror
Your post was a bigger waste of time.
Just cut your power down a bit, then you will get that light green color.
It is obvious that the weakest link, and justification in all of this is vendors/developers not taking responsibility to fix these security holes. We can speculate on drawbacks all we want, but until there is some incentive for the vendors/devlopers to take that responsibility, we are merely treading water. Microsoft, for example, has not been deterred by hundreds of security problems in their myriad of applications, so we do know that the simple fact of the holes being exploited is not directing these companies to respond more promptly. The bottom line is we still buy/use the products. Every year we go through a new Outlook/IE bug that crashes thousands of systems, and the next year rolls around and we buy the next version of Windows, or update to the latest IE. What gets at these companies is the money. A far fetched plan would be to adopt some sort of spin-off from the child endangerment laws, but apply them to computing. It isn't that hard to prevent something from accessing the addressbook and sending mass e-mails, so why not punish them for not preventing things that are aiding virus epidemics? Just a thought, far fetched at that, but we have to start somewhere.
I do agree we have a right to know, but I think we need to go about full disclosure in a different way. I don't think the methods of exploiting a bug need to be revealed in order for them to be fixed. Simply saying "There is a problem with the way badFunction() handles non-ASCII characters causing a core dump" should be sufficient information for anyone with desires to fix the problem, rather than exploit it. Sure, some cases may require more, but I don't think full disclosure is a good idea. You bring up many good points though. There is no clear cut solution until vendors take more responsibility and maybe have databases on their sites for their own products.
I don't agree with "...vendors have this much time to patch..." I don't just disagree with it on this database, but all of them. That is just defeating the whole purpose. "We'll give you this long to fix it, and if not, we release our dogs!" That is inherently stupid, for lack of a better word. Regardless of the amount of time passed, the general public, or hacker public, does not need to know how to exploit these bugs, only that they exist, and are being fixed, and where to get the newest version. The vendors, sure, they need to know so they can fix it. It is a good idea, but hey, so is BT on securityfocus, and we all know how that has been abused.
You could just chain a bunch of those 1/8 splitters together until you had enough inputs to your sound card for all of your speakers...