Re: Announcing new security mailing list
From: full-disclosure () lists netsys com (Steve)
Date: Thu, 11 Jul 2002 12:13:40 -0400
On Thursday 11 July 2002 09:57 am, you wrote:
> Early disclosure is important, IMO, as was proved with the recent Apache
> flaw. I believe there were reports of Gobbles' exploit being active in the
> wild long before the patched packages were available, and being alerted to
> the problem even if there was no fix would have at least given admins a
> 'heads-up' and allowed people to make informed business decisions. Of
> course, this is our personal opinion, but we hope that others concur and
> wish to share in our resource.
The choice is between helping those who work hard to stay on top of security
issues and those who don't. (Rest assured that the underground knows about
holes very early on, often before Bugtraq reports it. Even if they don't on
any single issue, that policy is still too high of a risk to gamble on.)
It is clear that if you are at least aware of the situation you can decide
how or what you want to do about it. You can disable, modify or ignore it,
and even push the developer to do it, but at least it's your call.
Some animals in the wild use the defense of being one of many as their
defense from being targeted as dinner. However, obscurity is only slightly
better than nothing.
The fact that most admins don't understand or have the time readily available
to spend on security is a flaw, a deviation from the ideal scene and cannot
be used as an excuse to put those who work hard to keep security in, at risk.
It is a sad reflection of society at large that we have to go through all
this pain just to operate a business, but it is also the world we live in so
get organized and do what you can to stay on top of it.
V.P. Information Technology
Video Group Distributors, Inc.