ComputerWorld: Debate erupts over disclosure of software security holes
Jul 28, 2000, 15:12 (9 Talkback[s])
Re-Imagining Linux Platforms to Meet the Needs of Cloud Service Providers
"In a contentious keynote speech that created an uproar at the
Black Hat Briefings security conference here yesterday, security
researcher Marcus Ranum charged that the full disclosure of
software vulnerabilities isn't improving computer security.
Instead, Ranum said, it only encourages attacks by what he called
"armies of script kiddies."
"Ranum claimed that many disclosures of security holes are
"rock-throwing" incidents done by companies or individuals to
attack vendors such as Microsoft Corp. or for the purposes of
self-promotion, financial gain or ego gratification. And, he said,
such disclosures give malicious attackers point-and-click tools
that they can use to take down Web sites."
"But other attendees at the Black Hat conference - an annual
precursor to the Defcon hackers convention that features sessions
aimed at corporate users - said they're skeptical that limiting the
disclosure of vulnerability information would benefit companies.
Mudge, a vice president at Cambridge, Mass.-based security
consulting firm @Stake Inc. who uses only one name, rejected what
he called the "metered dissemination of information" about
potentially damaging security holes."