On Sat, 2010-03-20 at 20:30 +0200, Hank Nussbacher wrote:
> On Fri, 19 Mar 2010, William Pitcock wrote:
>
> > On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
> >> An ongoing area of work is to build better closed,
> >> trusted communities without leaks.
> >
> > Have you ever considered that public transparency might not be a bad
> > thing? This seems to be the plight of many security people, that they
> > have to be 100% secretive in everything they do, which is total
> > bullshit.
> >
> > Just saying.
>
> How exactly would being transparent for the following help Internet
> security:
>
> "I am seeing a new malware infection vector via port 91714 coming from the
> IP range of 32.0.0.0/8 that installs a rootkit after visiting the web page
> http://www.trythisoutnow.com/. In addition, it has credit card and pswd
> stealing capabilities and sends the details to a maildrop at
> trythisout...@gmail.com"
>
> The only upside of being transparent is alerting the miscreant to change
> the vector and maildrop.

That is not what I mean and you know it.

What I mean is: why can't anyone contribute valuable information to the security community? It is next to impossible to meet so-called 'trusted people' if you're new to the game, which is counter-productive.

If you're a 15 year old kid and you just discovered a way to own the latest IOS, for example, how do you know who to tell about it?

William