
Full Disclosure mailing list archives
Re: Announcing new security mailing list
From: full-disclosure () lists netsys com (Steve)
Date: Thu, 11 Jul 2002 12:13:40 -0400
On Thursday 11 July 2002 09:57 am, you wrote:
Early disclosure is important, IMO, as was proved with the recent Apache flaw. I believe there were reports of Gobbles' exploit being active in the wild long before the patched packages were available, and being alerted to the problem even if there was no fix would have at least given admins a 'heads-up' and allowed people to make informed business decisions. Of course, this is our personal opinion, but we hope that others concur and wish to share in our resource.
The choice is between helping those who work hard to stay on top of security issues and those who don't. (Rest assured that the underground knows about holes very early on, often before Bugtraq reports it. Even if they don't on any single issue, that policy is still too high of a risk to gamble on.)

It is clear that if you are at least aware of the situation you can decide how or what you want to do about it. You can disable, modify or ignore it, and even push the developer to do it, but at least it's your call.

Some animals in the wild use the defense of being one of many as their defense from being targeted as dinner. However, obscurity is only slightly better than nothing.

The fact that most admins don't understand or have the time readily available to spend on security is a flaw, a deviation from the ideal scene, and cannot be used as an excuse to put those who work hard to keep security in, at risk. It is a sad reflection of society at large that we have to go through all this pain just to operate a business, but it is also the world we live in, so get organized and do what you can to stay on top of it.

--
Steve Szmidt
V.P. Information Technology
Video Group Distributors, Inc.