Jon

Opinion: full disclosure or cover-up?

Who thinks that in a situation such as the recently highlighted Doomserv security flaw, details of the problem should be fully disclosed to the public (so they know how to avoid the error in some cases) or kept secret while the problem is sorted, perhaps over a considerable time period? Or on the other face of the coin, scant details of the problem revealed so that people could avoid the program concerned until the problem was fixed?

I'll take that as a vote in favour of full-disclosure. Discounting me, that means that full-disclosure is the most popular so far.

Ooooooh 1-0. But seriously, issues like this aren't popularity contests. What is right is not always popular, what is popular is not .. bah you know the saying.

I know, I'm just interested in people's opinions.

Guest AFTERSHOCK

Count me in favor of full disclosure. The truth should be known.

AFTERSHOCK


Full disclosure. What other opinion is there?

Teppic said:

I know, I'm just interested in people's opinions.

OK then, I support full disclosure. The other choice equals 'hiding defects' (leave that to the narrow-minded).


I don't think there's nearly as much harm in full disclosure as some paranoid people think. I don't know if DW forums were the most appropriate place to fully disclose it, but sure. Full disclosure is fine.


I've thought about this some more: what if aurikan released only the following information: 'to TGO: security issue in shell commands, DOS pipe and redirections can be included plus carriage return ASCII characters'. Any less information would be too cryptic, and I think that just posting this wouldn't solve the problem. The way aurikan did it was quick and shocking, as it should have been, since had this incident been absorbed without full impact there would have been time for hackers to manipulate it.

Guest fod_vile
stphrz said:

Full disclosure. What other opinion is there?

A programme called ICQ has many, many more security issues, well documented. If I was to publish full details here on how to send, say, icq#15145682 a virus, would anyone be interested?

fod_vile said:

A programme called ICQ has many, many more security issues, well documented. If I was to publish full details here on how to send, say, icq#15145682 a virus, would anyone be interested?

I am already fully informed about this. That's why I don't use ICQ.

Teppic said:

I've thought about this some more: what if aurikan released only the following information: 'to TGO: security issue in shell commands, DOS pipe and redirections can be included plus carriage return ASCII characters'. Any less information would be too cryptic, and I think that just posting this wouldn't solve the problem. The way aurikan did it was quick and shocking, as it should have been, since had this incident been absorbed without full impact there would have been time for hackers to manipulate it.

Considering TGO was unable to understand my explicit, detailed instructions enough to reproduce the flaw, I doubt that any less would have helped. If you are going to disclose, fully is the only way to do so. See the point in the linked security paper below.

fod_vile said:

A programme called ICQ has many, many more security issues, well documented. If I was to publish full details here on how to send, say, icq#15145682 a virus, would anyone be interested?

That just happens to be my (old) ICQ number.
