INFOWORLD GRIPE LINE BY ED FOSTER

Censoring Security Information | 15 comments (15 topical)
Why publish the exploit? (#2)
by Garminski on Tue Apr 05, 2005 at 06:58:10 AM PDT

I have never understood the need for companies or people to publish the exploits they find to make it easier for the bad guys to write malicious code. If you find a bug, report it to the vendor. If they do not take care of it, I can understand publishing some information to light a fire under their butt. Nothing like angry/scared customers to make a company responsive. But to bug hunt and then give details on the exploit after a fix is published seems more like bragging than doing the public any good.

It's called "peer review". (#3)
by Anonymous User on Tue Apr 05, 2005 at 10:14:03 AM PDT

It's called "peer review". It means that the problem can be independently verified by others with the unfixed version -- and that its absence can be verified in the "fixed" version without merely taking the vendor's (or someone else's) word for it that it's fixed.

Re: Why publish the exploit? (#5)
by Anonymous User on Tue Apr 05, 2005 at 10:54:37 AM PDT

There is a hope that we can learn from the mistakes of others. If details are not published, others will repeat the same mistakes.

Good point (#13)
by Garminski on Thu Apr 07, 2005 at 01:24:00 PM PDT

Excellent point. I had not considered that.

Other way around (#9)
by Jarulf on Wed Apr 06, 2005 at 03:14:21 AM PDT

So? Must everything one does be of any "public good" (other posters have already pointed out some good with it, though)? I would put it the other way around: why NOT publish it? What is the problem with that? If everything anyone says, publishes or puts out to the public must have a general goodness for the public and not be bad for anyone, there are a LOT of things that we have to remove from the public.

No... (#14)
by Garminski on Thu Apr 07, 2005 at 01:36:32 PM PDT

Of course not EVERYTHING must be done for the public good. Only a complete fool would think or argue that. My point was that often you hear the "it's for the public/community/etc. good" as an excuse to do something. Censorship in general is bad; after all, whose "rules" are you going to follow? However, with that said, some responsibility must then fall to the person or organization that is going to publish information to evaluate that information. Doing (publishing) something because you can, but with the result that it puts people at risk, would not seem to make much sense. As other posters have pointed out very well, however, there is a good reason to publish this information: to prevent others from making the same mistakes. I did not understand the specifics of what was being published and thought that more information was given than apparently is. I stand corrected (and better informed).

People at risk... (#15)
by Mason on Thu Apr 07, 2005 at 07:37:14 PM PDT

I know you've kind of seen the light on this... but to add: People are already at risk. If I can evaluate a published report, I can actually judge the risk level and take action (or not) as warranted.

Publishing vulnerability information (#10)
by Anonymous User on Wed Apr 06, 2005 at 06:32:02 AM PDT

I personally have read several dozen discoveries NGSSoftware have found in Windows, Oracle, DB2 and other widespread, enterprise software packages. They sometimes wait half a year or more until the vendor releases a patch as long as the vendor is responding positively to the issue. It's my understanding NGS lends their technical knowledge to vendors in repairing these products. Their announcements are sometimes over-detailed, but never completely explicit - they generalize descriptions adequately so only the very knowledgeable could use it to create an exploit.

So what if publishing the discovery adds to their bottom line by selling their products - it's advertising. In essence, though, it's a regressive tactic in that they are minimizing the need to own their product by helping fix the problems it would discover. And, considering the time, money and effort put into educating themselves in complex software programming techniques, I don't slight them in the least for bragging a little.
Copyright © 2006 InfoWorld. All Rights reserved.