[240] in bugtraq


Re: Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994

daemon@ATHENA.MIT.EDU (Pete Hartman)
Mon Nov 28 21:54:55 1994

Date: Mon, 28 Nov 94 18:56:06 -0600
From: Pete Hartman <pwh@bradley.bradley.edu>
To: bugtraq@fc.net
Cc: pwh@bradley.bradley.edu

>My key concern is that people on the net, and on these lists in
>particular, spout opinion as proven fact.

And just exactly WHERE is it that your opinion has become proven fact
as opposed to the rest of us poor sods?  You don't sound like you're
including yourself in this sweeping criticism.

>                                               This perpetuates folklore,
>just as knocking on wood or avoiding black cats.  We have no general
>evidence to prove in any real way that full disclosure helps/hurts more
>people than it hurts/helps.  We have no evidence that full disclosure
>hastens/delays release of a fix.  And we have no evidence that the
>majority of "black hats" know and use all of these flaws before they
>are publicly announced (although there is some partial evidence to the
>contrary).

What evidence?  Seems to me that the contrary evidence is that that is
contrary to your stance.

8lgm published scripts about rdist and /bin/mail and suddenly vendors
were scrambling to patch them, despite the fact that these utilities
have been around almost as long as BSD itself, and should have been
patched then.

So what evidence do you have that there are bugs that have been fixed
that weren't widely distributed first?

>If we are going to improve the way we handle security, we have to
>start by examining what we really know and not what we have
>experienced locally. 

When many local experiences are pooled, and all appear to be similar, doesn't
that seem to indicate a trend?  Something statistically more significant than
my own personal anecdote?

The pooling of experiences seems to indicate to me that knowledge is
power, and if you deny those who NEED the power sufficient knowledge,
they will be incapable of protecting themselves effectively from those
who DO have the power.

Whether there's an organized "black hat" network or not is irrelevant.

One black hat telling another is more organized than we white hats can
be if we're treated like goddamn mushrooms.
