ericm replied about my post on lines of communication (trying to save bytes):
>your original post said that you don't think disclosure of a new hack is needed
>since you can ring up and find out the details. i took that to mean
>that you know enough people in the security community to be able to
>get someone on the phone who's already heard about the hack and
>can tell you the details.
Close but not quite. What I meant was that I had numbers of People I Trust
who can tell me what the *fix* is and I do not really care what the hole
was (sometimes when I have free time I ask others who know what the
hole was so I can play with it but this comes under "hobby" and not "job").
True, sometimes a node fix is on the firewall and not the platform itself
but then the Platform people tell me that and I ask the Firewall people
(the secret to being a Generalist lies in having Specialists you can call
when necessary 8*).
Occasionally it turns out that there is no fix and that is when I earn my
salary (& usually publish the result or at least an understandable warning).
Preferably all that is necessary is a detailed note to one of the PITs to
give them the opportunity to publish first but the "big schtick" is that they
know I will publish if they do not - often that is an advantage when talking
to *their* management.
Is what the English used to call "an opportunity to do The Right Thing."
(actually was brought up to the Aulde English Ethic - why I find it
difficult to say "No" since feel that saying that or putting a person
in a position where *they* need to say it is impolite. Also have been
shot at (fortunately by poor marksmen) so know when to ditch the civilization
& turn into a Junk Yard Dog 8*).
But for the most part I really do not care *what* the hole is, just that
it exists. From there the fix is the only important thing. Anything else
is left for "sandbox time".
Warmly (and a Boatanchor swap meet tomorrow 8*),
Padgett