[498] in bugtraq
Re: Security through obscurity, etc.
daemon@ATHENA.MIT.EDU (Oliver Friedrichs)
Tue Dec 13 16:22:27 1994
Date: Tue, 13 Dec 1994 11:45:57 -0600 (CST)
From: Oliver Friedrichs <iceman@MBnet.MB.CA>
To: bugtraq@fc.net
In-Reply-To: <199412131504.JAA04929@telecom.ksu.edu>
On Tue, 13 Dec 1994, James M. Chacon wrote:
> Wrong...I've used the information in CERT advisories to give me a good idea
> where and what I'm looking for. I've "reverse-engineered" so to speak a fair
> amount of Cert's announcements into actual problems I could show people around
> here. All Cert's announcements do is delay the time people get to even know
> a bug exists....I'm not really for the 8lgm concept completely, but at least
> there they don't feel this overwhelming need to not hurt the various
> manufacturers' feelings....
Poor comparison. A script that guarantees root on a site is equal to a
CERT advisory? I don't know which advisories you're reading. (send me one?).
The difference is too large to even argue about. A CERT advisory doesn't
give root to someone on any unprotected system on the Internet. Perhaps
1 in 10 people will figure out the problem. Would you rather have 10 out
of 10 people be guaranteed to?
Think about it.
- Oliver