Open Source vs. Closed Source [ was Re: [fw-wiz] Firewall Throughput ]

Graham, Randy (RAW)
Mon, 18 Sep 2000 11:42:31 -0400


I can't see how reporting to the various repositories first can in
any way help.  You have to at least give the vendor an opportunity to
fix it before you make a public disclosure, don't you?  I mean, if
you report it to the various lists first, you've just given criminal
hackers another attack venue without any chance of a quick fix from
the vendor.  If you report it to the vendor first, you at least give
a _chance_ that a patch can be made available when you post to the
lists a few days later.  I thought that was customary procedure. 
Sure, in many cases, you'll be ignored until you post, but on those
occasions that the vendor tries to be responsible, don't you want to
give them a chance to save their customers a little headache?

Randy Graham

-----Original Message-----
From:	Johann van Duyn []
Sent:	Friday, September 15, 2000 7:45 AM
Subject:	RE: Open Source vs. Closed Source [ was Re: [fw-wiz] Firewall Throughput ]

For the record, the source code for Solaris (8) is now freely available from
Sun Micro. There are a few conditions imposed on anyone who obtains source
code -- it's NOT Open Source -- but it is available.

Also, it makes a lot of sense not to report flaws in the source code -- or
any other holes you may discover -- directly to the vendor of a product, but
rather to organizations like CERT, SANS or BugTraq (or all of them!).
Vendors usually jump quite quickly when flaws are reported on these
Add some example exploit code, and the vendors really get hyped about
producing fixes.

Just my R0.02...
