Comments on: Comments on Core Security’s Wonderware advisory http://www.computerdefense.org/2008/05/comments-on-core-security/ Sharing my thoughts with the world. Sat, 02 Jan 2010 04:08:36 -0500 http://wordpress.org/?v=2.8.5 hourly 1 By: LonerVamp http://www.computerdefense.org/2008/05/comments-on-core-security/comment-page-1/#comment-77416 LonerVamp Mon, 19 Jan 2009 14:20:06 +0000 http://www.computerdefense.org/?p=482#comment-77416 Oops, wanted to add just one more thing. Third parties should really never get upset about responsible disclosure. If *anyone* has a beef with the responsibility of a disclosure, the target organization should get first and final dibs on it. They have absolutely the most at stake in the situation. Oops, wanted to add just one more thing. Third parties should really never get upset about responsible disclosure. If *anyone* has a beef with the responsibility of a disclosure, the target organization should get first and final dibs on it. They have absolutely the most at stake in the situation.

]]> By: LonerVamp http://www.computerdefense.org/2008/05/comments-on-core-security/comment-page-1/#comment-77417 LonerVamp Mon, 19 Jan 2009 14:20:06 +0000 http://www.computerdefense.org/?p=482#comment-77417 It doesn't help that we sometimes have security pros who, by their actions and complaints, would rather *feel* secure and not show everyone the vulnerabilities because it might make hackers out of the masses. They won't ever outright say that "security by obscurity" works [in a vacuum], but requests to stifle information exchange after a fix is available implies such an attitude. As if the information would be kept secret if the researcher hushed up... Uh huh. That's a mighty fine rose-colored world one could live in! <br /> <br /> I wonder if one could work the line that such security pros don't have a hacker ethic? <br /> <br /> At the end of the day, if my security posture is weak enough that I have to worry about the disclosure level of vulnerabilities that may affect my environment, I'm doing something wrong. It doesn't help that we sometimes have security pros who, by their actions and complaints, would rather *feel* secure and not show everyone the vulnerabilities because it might make hackers out of the masses. They won't ever outright say that "security by obscurity" works [in a vacuum], but requests to stifle information exchange after a fix is available implies such an attitude. As if the information would be kept secret if the researcher hushed up… Uh huh. That's a mighty fine rose-colored world one could live in!

I wonder if one could work the line that such security pros don't have a hacker ethic?

At the end of the day, if my security posture is weak enough that I have to worry about the disclosure level of vulnerabilities that may affect my environment, I'm doing something wrong.

]]>