[Gllug] Exposing security flaws.. good or bad
Gerard van Schip
gerard at vanschip.com
Thu Aug 4 19:21:44 UTC 2005
The only reason why sites like boingboing reported on this was because
Cisco tried to gag Mr Lynn. If he had just given his presentation the
bug would have been brought to the attention of the right people and they
could have plugged their holes.
Someone finding a hole is not big news; a company trying to hide it is.
Gerard
Simon Morris wrote:
>Just reading this...
>
>http://news.bbc.co.uk/1/hi/technology/4734415.stm
>
>"Last week net giant Cisco and security firm ISS moved to stop
>researcher Michael Lynn talking about bugs in routers at a hacker
>conference.
>
>Legal action won a pledge from Mr Lynn never to talk about what he knew.
>
>However, copies of his talk have been made widely available online and
>hackers are said to be working hard to exploit the bug that he
>exposed. "
>
>Should information about security holes in commercial software be
>released to the Public Domain?
>
>Obviously Cisco find it a little embarrassing to have security holes
>in their software, but is that cause to be granted an injunction to
>stop people talking about it?
>
>The other argument is of security - if you were to expose a security
>hole and go public you could be exposing other organisations and
>individuals to risk.
>
>But simply not talking about security holes, or taking injunctions
>against people who are prepared to talk doesn't make the hole go away.
>Security through obscurity!
>
>Also this update was released several months before anyway. People
>should have been aware of it and hopefully patched.
>
>Who is in the right here? Obviously Cisco and ISS had a lot more money
>to throw at this problem to "make it right"
>
>Thanks
>
>~sm
>
>
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug