RE: Vulnerabilities in some SCADA server softwares
Michal,
First; while I agree with your statement regarding the overuse of car analogies, the comparison is accurate and fair in this case. The vendor's customers are now potentially at greater risk because of this announcement that includes no mitigation.
Second; I fundamentally disagree with the idea that public disclosure as a means of vendor notification serves any purpose beyond tooting one's own horn and causing a panic state for the application vendor and users. Anyone who honestly believes that the "bad guys" are not watching the same lists where the "good guys" are communicating is operating far too close to a famous Egyptian river. IMHO, "public disclosure" only serves to increase the threat for the vendor's customers.
Third; it is in lists exactly like this one where opinions on security matters and behaviors may be aired (to a degree; that's what moderators and common sense are for). While it's true that a person will act as he sees fit, you may also reasonably expect that differing opinions on that behavior will be expressed when the opinions are as polarized as in the responsible vs. public disclosure debate.
HTH,
Jim
-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf@coredump.cx]
Sent: Tuesday, March 22, 2011 2:24 PM
To: J. Oquendo
Cc: Luigi Auriemma; bugtraq@securityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares
> Analogy: Car owner has his car speed up ending up in almost near
> catastrophe. Car owner goes to media outlets condemning the
> manufacturer: "How could you be so reckless! Thousands of lives..."
> Reality: Car manufacturer was never made aware of the issue. How do
> you propose a manufacturer fix an issue?
Yes, the discussion definitely needed a car analogy...
The author decided to follow a particular route, probably not out of malice, but because he believes that his responsibilities to inform the public outweigh the responsibility to assist the vendor. You wouldn't do the same, but you haven't discovered these bugs.
Unless your view is that you would rather not know about security problems at all, than see a disclosure mode you do not agree with, I do not think it's fair to lash out against the reporter; and it's not particularly fitting to do so on BUGTRAQ.
/mz