Dailydave mailing list archives
Re: Speculation
From: "Paul Melson" <pmelson () gmail com>
Date: Sat, 19 Jul 2008 18:19:32 -0400
On Sat, Jul 19, 2008 at 10:22 AM, Paul Vixie <vixie () isc org> wrote:
> would you have preferred that the attack vector be completely published on
> day 1, rather than a cert advisory with details to follow a month later at
> defcon, so that your recommendations could be completely informed? note
> that in that case it would also go in the wild before you could patch. is
> that what you want the next discoverer to do for you?
What you - and this is the collective "you" referring to the vendors
and researchers on both sides of this argument - seem to forget is
that secops folks aren't left with patching as our only option. We
don't necessarily need a patch to mitigate, even if temporarily, any
particular risk. However, these alternate strategies tend to require
more information about the vulnerability and attack than a patch does.
So while I would always prefer to know about a vulnerability prior to
a first strike attack, I'd still also prefer to be in the loop, not
outside of it.
Risk management and defensive reaction strategies rely on accurate,
timely, detailed information to be highly successful. When vendors
deny us (their customers!) that information, it's no better than when
security researchers publish a PoC to a mailing list without telling
the vendor. It's a blindside either way.
PaulM
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave