On Tue, Jul 10, 2012 at 4:37 PM, Gary E. Miller <g...@rellim.com> wrote:
> Yo Thor!
>
> On Tue, 10 Jul 2012 19:58:16 +0000
> "Thor (Hammer of God)" <t...@hammerofgod.com> wrote:
>
>> People do not disclose their research to make
>> the world a better place. They do it for recognition or for money.
>
> I would argue there is a 3rd reason. Self defense. I and others have
> had issues of our servers being attacked by unknown evil doers. To keep
> our servers running we need to reverse engineer the hack and get the
> bug fixed or the attack vector blocked. Until '* Disclosure' in its many
> aspects was common it was virtually impossible to get vendors to fix
> open holes being actively used by attackers. The public shaming of
> '* Disclosure' large companies found denial a very easy and cheap
> response to bugs that were killing us.
>
Poor argument. If you are smart enough to reverse engineer the threat, why can't you forward engineer a fix and post it publicly so that others don't get hacked? E.g. (using my Bejtlich accent): "We are being attacked from China obviously. This is how they are attacking, this is what they are affecting, this is what we did to get it fixed. Patch yourself before the evil Chinese attack you too! Otherwise, wait for vendor to post next patch Tuesday fixes and in the meantime, allow them to roam along your network like the Travelocity Gnome." Public shaming of not only the vendor of shoddy software, but the attacker, is the key no one is thinking about.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/