ComputerWorld: Debate erupts over disclosure of software security holes
Jul 28, 2000, 15:12
"In a contentious keynote speech that created an uproar at the Black Hat Briefings security conference here yesterday, security researcher Marcus Ranum charged that the full disclosure of software vulnerabilities isn't improving computer security. Instead, Ranum said, it only encourages attacks by what he called "armies of script kiddies."
"Ranum claimed that many disclosures of security holes are "rock-throwing" incidents done by companies or individuals to attack vendors such as Microsoft Corp. or for the purposes of self-promotion, financial gain or ego gratification. And, he said, such disclosures give malicious attackers point-and-click tools that they can use to take down Web sites."
"But other attendees at the Black Hat conference - an annual precursor to the Defcon hackers convention that features sessions aimed at corporate users - said they're skeptical that limiting the disclosure of vulnerability information would benefit companies. Mudge, a vice president at Cambridge, Mass.-based security consulting firm @Stake Inc. who uses only one name, rejected what he called the "metered dissemination of information" about potentially damaging security holes."