Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: Disclosure Debate - yet again
From: Michael Watterson (wattyEIRCOM.NET)
Date: Fri Oct 08 2004 - 17:34:19 CDT
At 21:57 08/10/2004, you wrote:
>Can we get consensus, even if just among the current group in this
>discussion, that "user friendly" PoCs are bad?
The Drugs locker lock can be easily picked like so.. It's much less likely
to be raided if we only tell the locker manufacturer how to pick it easily.
I think it is an "ego" thing this POC publishing, in some cases only one
step from being a malware writer. The PoC publish creates a temptation.
And indeed I find over last ten years of PC programming, planing networks
and IT admin that good firewall, mailserver with content filter, users not
admin rights etc and other best practices protect against most exploits.
I run no AV software or anti-spyware on my Home network connected to
internet, nor on the last IT Admin site, I find they don't get updated and
give users false sense of security. I find education of users more
effective than AV software.
I have to fix many sites setup by others always with AV and other "security
products" needing viruses, trojans, spyware etc removed!
Education, Education and only PoC / Full Disclosure to the offending
Vendor. By all means publicise the malise and workaround.
11 Laurel Park
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.