I think I side with Cliff Stoll on this: You're not doing any favors by obscuring the vulnerabilities, because the bad guys already know. Go ahead and talk about them. Be explicit. Get that knowledge into the hands of the good guys too.
Or put it this way: ~Some~ of the bad guys know about the holes - the default passwords that never get changed, for example. The solution isn't to minimize the number of bad guys who know, because as soon as one knows the exploits will begin. The solution, once that's out, is to maximize the number of good guys who know too, so as to maximize the number of systems that are secured.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Unspecified error; smash forehead on keyboard to continue. */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Nightwatch RenBand
Sent: Tuesday, May 7, 2019 10:50

Publishing "success stories" is a two-edged sword. Don't and other installations cannot protect against the attack. Do and you spread the idea among the bad guys. It would seem that the best solution is:
1) Only discuss with people who have clearances and a "need to know",
2) Come up with a fix immediately
3) Put the fix in required maintenance and require that installations stay current. Never mention what is in the fix.

Of course this great power to the vendor comes with great responsibility. (thanks, Stan Lee)