Thomas wrote:
As Craven said, when the Blaster worm exploited the RPC vulnerability, Microsoft had already published a patch for it. So the guy who set the worm loose made a point that didn't need making anymore.
Odd thinking there. Just as there was a patch for the RPC exploit, we know that box cutters are dangerous. The Blaster worm was illustrating a new method of loading code onto the user's machine, just as the kid is trying to illustrate that there are still ways to get box cutters on a plane.
If the ability to exploit is the measure by which you deem a point needs to be made then there is a distinct parallel.
Quote: So the guy who set the worm loose made a point that didn't need making anymore. But in the case of homeland security, the appropriate parallel is what Microsoft did in the earlier days of the Web. People report security bugs to Microsoft. Microsoft ignores them. More people report the bug; Microsoft continues to stick its head in the sand. People get fed up and post descriptions of the bug online. Microsoft issues a press release that there's no problem, and encourages the bearer of the bad news to shut up or face an encounter with their lawyers. Finally, someone posts an exploit (anonymously unless he's brain dead). Microsoft throws a fit about this illegal irresponsibility. But the bug gets fixed at last.
I think we live in different worlds. Can you please cite this? Bits and pieces are true (commercialware generally tends more toward security through obscurity than the open source community) but by and large the rest is unrecognizable from what I have followed closely (e.g. cite just ONE example of a reported exploit going unfixed and ignored by Microsoft till disclosure spurred a patch, just ONE).
The concept you are talking about is security through obscurity vs. full disclosure. But the way you reference it makes no sense (it's complete hogwash that MS relied exclusively on security through obscurity) and misses everything the computer security world has learned.
Have you heard of the concept of responsible disclosure as it relates to exploits? That's the middle ground.
You compare it to posting code; that's a flawed comparison. Posting code and executing an exploit are two different things. What the kid did was execute an exploit when posting the code would have done nicely.