>While I would love to know security problems out of both need and curiosity,
>I'm glad the information is not readily accessible.
>
I've always assumed, perhaps incorrectly, that people who crack systems
have little or no compunction about sharing what they've found out. I've
never heard this assumption disputed. If there is some hard evidence that
it is incorrect, I'd love to hear it.
Based on that assumption, by the time you receive a CERT advisory on a
security hole almost by definition that information is available to the
"cracker community" (unless the hole was uncovered by vendor or independent
testing).
By not making details of the hole freely available, you are again in the
position of the bad guys having the information and at least a large
percentage of the "good guys" in the dark because they have never made
the physical acquaintance of someone in the know. Granted, by hiding
this information you MAY keep it away from SOME "casual" crackers,
but again by definition these are not the people you are worried about when
it comes to industrial espionage.
The "patronage" system of security information distribution is a lose.
No one can possibly know personally everyone who has a legitimate
interest in such information (and certainly not well enough to make
a character judgement). Even some sort of registry would not eliminate
the problem of a legitimate system administrator who engages in industrial
espionage over the Internet. The alternative of leaving the information
in the hands of a few individuals who by chance more than virtue have
possession of it is unacceptable.
Andy