Bugtraq mailing list archives

Re: In reply to comments about new policy


From: jdd () cdf toronto edu (John DiMarco)
Date: Tue, 29 Nov 1994 13:15:28 -0500


In message <m0rCHck-000AfbC () legless demon co uk> you write:
> Firstly, apologies for not replying to everyone who has contacted us
> directly, I'd be here all night if I did.
>
> Before I start, I'd like to confirm that both Karl and myself are 100%
> behind full disclosure.
>
> However, if you recall, due to a lot of criticism of the way we were
> publishing advisories, we requested comments on how we should provide
> further information.  This new style was defined by the user community
> at large, we didn't decide on it.  If you want to vent your feelings,
> go on comp.security.unix and do it there, that's where you will find
> the creators of this new style.

Surely there is a third way: time-lapsed full disclosure. When a problem is
discovered, don't announce it until there's a patch, then announce the problem
and the patch together, without exploitation information.

After a suitable time (weeks?) has passed, the rest of the information can be
announced.  But don't post scripts to exploit the bug; it gives root to too
many newbies.

Announcing "there's a problem here, go bug your vendor" isn't very helpful.
Announcing "there's a problem here; here's how to use it to become root" is
dangerous, because you set up a race between sysadmins and hordes of newbies
all trying to exploit the bug before it is patched.

Regards,

John
--
John DiMarco <jdd () cdf toronto edu>                        Office: EA201B
Computing Disciplines Facility Systems Manager            Phone: 416-978-1928
University of Toronto                                     Fax:   416-978-1931
http://www.cdf.toronto.edu/personal/jdd/jdd.html