Wednesday, March 26, 2003

Faugh on SecFocus

The Register has an article about a security news startup whose intent is to replace SecurityFocus as a source of news. Ever since SecFocus's purchase by Symantec, they've conformed to the "responsible reporting ethic", which amounts to "don't let the public know what the bad guys know until the vendor has a patch".

Many, myself included, think this practice is dangerous and poorly designed. Example: If a hacker can gain access to my machine just because a specific feature is turned on in my web browser or mail client, I think I should know about it right away rather than quietly allowing 2-4 weeks for the commercial vendor to publish a patch. 2-4 weeks in Internet time is an eternity.

Anyways, quoting The Register:

Secunia makes no bones in saying that its Security Advisories mailing list initiative is a direct attack against competitor SecurityFocus. The Danes are highly critical of SecurityFocus and security clearing house CERT. And they hope that their Secunia mailing list will replace at the "one source of information regarding the latest vulnerabilities and the security patches released by vendors".

Hopefully, they'll live up to this one. I won't be giving up on SecFocus, though; it's still a good source of information, delayed or not. I just wish they'd go back to the old interface on the web. The current one, while looking "pretty", detracts from the site's usefulness.
