Disagree (Score:0, Interesting)
I disagree. Wider disclosure of a vulnerability means a greater chance that it's leaked to those who would exploit it for malicious purposes. There are lots of operating systems that run on the 32 and 64 bit AMD/Intel architecture. Should every single OS developer be notified of the vulnerability? Alternatively, notify those who have the largest user base, while trying to limit the disclosure. There is no perfect solution, but I favor limited disclosure. Frankly, OpenBSD just isn't that widely used, and if
Re: (Score:3)
Wider disclosure of a vulnerability means a greater chance that it's leaked to those who would exploit it for malicious purposes.
This has a very poor underlying assumption: White hats always know about exploits prior to Black hats. Considering the latter are far better funded, have better incentives, and don't disclose, I think the betting is that it is already used for malicious purposes.
Additionally, this is the information age, not the dead tree, secret squirrel, stamped "for your eyes only" days. In this age, does it really matter if 100 or 10000 people know a confidential piece of information? You only need ONE individual in
Re:Disagree (Score:2)
That’s what I was wondering too. Seems too easy for it to leak, whilst most everyone who is actually affected is kept in the dark.
My takeaway message, for me, is that any secret key or whatever on a machine which ran newly downloaded and possibly untrusted code now needs recreating on a fresh system. And it would have been nice to have known that months ago, even if no fix was available.
This is like the old days where the doctor doesn’t inform you of a terminal illness, because they think they’re a better judge of how to manage you.