On 3/23/2011 2:13 PM, Theo de Raadt wrote:
>> If *any* threat exists,
>> that threat is increased by public exposure of unmitigated attack
>> methodology
> I think you have it wrong.
>
> Public exposure increases the visibility, and therefore customers
> install the patches quicker.
>
> Without public visibility, they will keep running the old code.

You're flawed in your response:

"Public exposure increases the visibility, and therefore customers install the patches quicker." ...

When someone "full discloses" a vulnerability, there is no patch to install quicker. This is obvious because there is no patch until either the vendor releases one, or staff using the product are capable of creating a work-around. In the case of the SCADA environment, we (again) are not talking about the potential of a defacement, blue screen, silly shell, we're talking about sensor, gears and often so much automation that it would be absurd for a SCADA engineer to "go it alone" and try to create their own patch. Many of these systems don't have the option of failing or being taken offline.

You also state: "Without public visibility, they will keep running the old code." The reality is, no one is going to outright replace some of these systems in these environments. These are not applications and/or systems one can plop onto donated boxes. They have no choice BUT to run the code.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF