Re: Full Disclosure works, here's proof:
Randy Bias (randyb internex.net)
Mon, 5 Dec 1994 13:38:36 -0800
- Next message: Karyn Pichnarczyk: "Re: Got this - not sure of authenticity. Better safe etc..."
- Previous message: Steve Kotsopoulos: "Re: a program named spoon"
- Maybe in reply to: Christopher Klaus: "Full Disclosure works, here's proof:"
> Getting code right is hard. Getting code right in a complex system is
> *very* hard. While one can, I claim, do better for security stuff than
> in the general case, I do not think it is humanly possible to build
> a large system with no security flaws. (And yes, I put firewalls in
> that category -- which is why good firewalls are as small and simple
> as possible.)

Absolutely. I've been a SysAdmin for a while now and I learned very quickly that it's just not a bright idea to install a patch unless you need it. This can be said for a lot of things. If you subscribe to chaos theory (and I do) then you would be better off accepting that you *will* introduce new bugs (and possibly security bugs) while fixing old ones. In that case, you should release the source with the patch, or your customers need to accept that you may get it wrong the first time.

--Randy