[linux-help] Re: security list

["M. Osten" <lists@xxxxxxxxxxxx>]

On Thu, 2003-10-02 at 13:01, John Goerzen wrote:
> On Thu, Oct 02, 2003 at 12:46:16PM -0500, M. Osten wrote:
> > Bugtraq is heavily moderated and censored (due to corporate interests),
> > so I wouldn't call it a "good" list.
> 
> Sometimes I want a moderated and censored list.  If you want to find out
> about patches for software you run and some security headlines, it's a good
> place to be.

Hum, what about when your vendor doesn't release a patch for an extended
period?  Don't you want to know if there is an exploit in the wild so
you can take some sort of action?  Or even better yet, how about when a
vendor puts pressure on Bugtraq to not post an advisory when there is
exploits in the wild?

You could get what your wanting on slashdot.


> I've found that full disclosure has such a low signal-to-noise ratio that
> it's nearly useless.  I don't care about exploit code except perhaps to
> verify that a fix has worked, so that's no extra benefit for me.

Hence Full Disclosure=no censorship, you have to take the good with the
bad.  I agree that the amount of noise is great, but how else is there
to be reactive about security? (Waiting for the vendor to release the
advisory/patch shouldn't be an option for anyone).

-- 
--------------------------
M. Osten
www.bleepyou.com

-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi