Great Circle Associates Firewalls
(July 1996)

Subject: RE: CERT Advisories (was: Re: Dirty dogs)
From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
Date: Tue, 16 Jul 1996 18:14:17 -0400
To: "'David J. Meltzer'" <davem @ iss . net>, "'ygerman'" <ygerman @ genre . com>
Cc: "'firewalls'" <firewalls @ GreatCircle . COM>

ygerman said...
>	"I have not sent any admins on wild goose chases. It is just that a lot of
>the mailing lists you mentioned also seem to hide the information. I would
>wish there was a list where the people would be pre-registered like with my
>firewall vendor list or the way you have a secure mailing list through ISS.
>So that there are only Sysadmins/security people on the list and free sharing
>of security holes could be accomplished without worrying about a cracker
>sitting on the list getting information."

Russ says...
You're not seriously suggesting that many Black Hats don't work in the
security industry, are you? Are we back to the thread on polygraphs
again? Just because someone has a registered email address, or works for
a reputable company, or has purchased a Firewall product, does not
translate to someone you can trust with your innermost secrets!!! This
sounds like the thread about the Satan application form!

There is no way you will have a secure mailing list, ever, not in the
sense that you imagine. The only issue is whether or not CERT (or some
other list) posts information about hacks (or attempts) before, or
after, a fix has been made by the vendor(s) in question.

Someone from CERT previously spoke up about this in a thread at the
beginning of the year (check the archives). If I can try to summarize,
their opinion was simply that it didn't make a whole lot of sense to
tell the world (since it's impossible to have a secure mailing list)
that a hole exists in a piece of code prior to the vendor figuring out
how to plug it. Sure, by doing so they put the pressure on the vendor to
make a fix quickly, but at the same time they also expose the possible
exploit to people who might otherwise not have figured it out yet,
thereby leading to more exploits of the hole. Besides, putting pressure
on the vendors neither guarantees a quick fix, nor a reliable one.

Cheers,
Russ
...running MS Exchange Server 4.0 on NT 4.0, the future is here now.