Re: UnixWare
Paul Walmsley (c617666@sgi7.phlab.missouri.edu)
Sat, 30 Apr 1994 17:54:57 -0500 (CDT)
- Next message: Pat Myrto: "Re: Source of trojan.pl enclosed"
- Previous message: Matthew Gream: "Re: Pro Disclosure (was Re: UnixWare)"
- In reply to: Gene Spafford: "Re: UnixWare"
- Next in thread: der Mouse: "Re: UnixWare"
On Sat, 30 Apr 1994, Gene Spafford wrote:

> >
> > No, but I had thought they had advertised themselves as a worthwhile
> > place to report them, and my perception, and apparently that of many
> > other people here, is that this is not the case.
>
> It depends on your definition of "useful." If it is defined as "gets
> the bug reports to all the vendors without also disclosing it to any
> real or potential bad guys in the process; follows up the report to
> make sure that the vendors are maybe working on it; and then provides
> a wide-ranging, trusted announcement method to alert people when the
> fixes are available" then it *is* worthwhile.

I think you're being pretty naive in assuming that telling only the
vendors avoids "disclosing it to any real or potential bad guys."
Not only might there be "bad guys" at the vendor, but it's also quite
possible that the "bad guys" were the first to discover the hole and
are running around happily exploiting it while CERT waits to "make
sure that the vendors are maybe working on it."

-Paul