Steve
Thu Aug 07 21:59:58 CDT 2008
Dan, the way you phrase your opinions makes it sound like you think hiding
information, or knowing something unknown by others, is something to be
proud of. In actuality, this is rarely the right stance. Responsible full
disclosure is far more valuable for everyone. The bad guys will _always_
discover vulnerabilities eventually, because it's pretty much their
full-time job. So keeping such knowledge hidden benefits no one. On the
other hand, responsible disclosure benefits everyone because then vendors
can rapidly work up fixes (whether they be patches or configuration changes)
and customers can rapidly deploy them. This makes everyone safer.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Dan" <Dan@discussions.microsoft.com> wrote in message
news:DDAC58B8-E29A-494D-B172-394CAB63FECA@microsoft.com...
> Okay, so sometimes I fall on being less public about disclosure than more
> public about disclosure but this is my own choice.
>
> "Paul Adare - MVP" wrote:
>
>> On Sun, 3 Aug 2008 02:22:01 -0700, Dan wrote:
>>
>> > True, but we cannot say too much in a public newsgroup. Sorry, it will
>> > have to be part of responsible reporting. See us-cert.gov if you live in
>> > the States.
>>
>> This has nothing at all to do with responsible reporting. There's simply
>> nothing to report. Slav's comment was referring to the fact that depending
>> on how one configures networking in the application, a virtual machine may
>> not have a unique MAC address or IP address presented on the network. Such
>> is the case in VPC when using NAT.
>> To state that nothing can be said about this in a public news group
>> demonstrates a lack of understanding of both the reporting process and the
>> issue at hand.
>>
>> --
>> Paul Adare
>> MVP - Identity Lifecycle Manager
>> http://www.identit.ca
>> A CONS is an object which cares. -- Bernie Greenberg
>>