[Gllug] Exposing security flaws.. good or bad

Simon Morris mozrat at gmail.com
Thu Aug 4 19:04:10 UTC 2005


Just reading this...

http://news.bbc.co.uk/1/hi/technology/4734415.stm

"Last week net giant Cisco and security firm ISS moved to stop
researcher Michael Lynn talking about bugs in routers at a hacker
conference.

Legal action won a pledge from Mr Lynn never to talk about what he knew.

However, copies of his talk have been made widely available online and
hackers are said to be working hard to exploit the bug that he
exposed. "

Should information about security holes in commercial software be
released to the Public Domain?

Obviously Cisco find it a little embarrassing to have security holes
in their software, but is that cause to be granted an injunction to
stop people talking about it?

The other argument is one of security: if you were to expose a security
hole and go public, you could be exposing other organisations and
individuals to risk.

But simply not talking about security holes, or taking injunctions
against people who are prepared to talk doesn't make the hole go away.
Security through obscurity!

Also, this update was released several months before anyway. People
should have been aware of it and hopefully patched.

Who is in the right here? Obviously Cisco and ISS had a lot more money
to throw at this problem to "make it right".

Thanks

~sm
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug