OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 4th quarter (Oct-Dec) 1994: Re: Security through obscurity, etc.

Re: Security through obscurity, etc.

Jim Littlefield (littleragnarok.hks.com)
Wed, 14 Dec 1994 08:17:22 -0500

On Dec 13,  9:04am, James M. Chacon wrote:
:
: ....I'm not really for the 8lgm concept completely, but at least
: there they don't feel this overwhelming need to not hurt the various
: manufacturers feelings....

8lgm gives the vendor some "incentive" to correct the problem in a timely
manner, unlike CERT where the problem is reported only to the affected vendors.
We never hear a peep until (a) we find the same bug as a result of a breakin of
our site, or (b) CERT announces that the vendor (months/years later) has a fix
available. Sorry folks, I'll take (c) 8lgm (or equivalent) providing full
disclosure. The initial announcement means a scramble to disable/work around
the problem, but at least I know if my systems are vulnerable.

-- 

Jim Littlefield             "I've got a bad feeling about this..." -- Han Solo
<littlehks.com>