telnetd oops

The recent telnetd vuln brings two things to mind.

First, as a QA guy myself, I imagine there’s some QA person at Sun saying “D’oh!”.

Second, it makes me think of the full-disclosure argument.

(Wait, doesn’t everything make you think of the full-disclosure argument? Moving on…)

For the sake of discussion, assume you’re against disclosing unpatched vulnerabilities under any circumstances. In this case, we have a fine example of how this might work. You have a perfect opportunity to keep things from yourself. Delete all the emails, blog posts, and news articles that might inform you about the problem. Ignore any IDS signatures and third-party patches. Ignore the fact that absolutely no exploit code is needed, and that any script kid, no matter how unskilled, can pull this hack off.

Don’t disable telnetd on your Solaris 10 machine. Wait for Sun to tell you there’s a patch.

That’s one extreme end of the disclosure debate spectrum. You can refuse to participate in the disclosure game on a personal level.

I can’t stop you.

  • Ethical

    Tongue in cheek:

    …where’s the argument?….

    The premise is, to disclose or not to disclose. Poor Yorick, we did not even get to know him or his gests; disclosure is present tense. Speaking in general.

    Is the argument a myth? It cannot be stopped.

    Are we not dealing with a morally ambiguous premise anyway?

  • Aviram

    Unfortunately the FD argument is not a myth. No, it cannot be stopped, but people are paying a price with their reputation whenever researchers are blamed as “reckless”. And then we all pay the price since those researchers (and in one case a security research firm) stop publishing information.