1995-09-21 - Re: netscape bug

Header Data

From: “Joe Tardo” <joe_tardo@genmagic.com>
To: vznuri@netcom.com>
Message Hash: 9cab1646eef7484a13af26cb3bf26115c6e3bf7c68cf2d6a9352aa8858a2a08e
Message ID: <n1400443880.87116@qm.genmagic.com>
Reply To: N/A
UTC Datetime: 1995-09-21 17:23:32 UTC
Raw Date: Thu, 21 Sep 95 10:23:32 PDT

Raw message

From: "Joe Tardo" <joe_tardo@genmagic.com>
Date: Thu, 21 Sep 95 10:23:32 PDT
To: vznuri@netcom.com>
Subject: Re: netscape bug
Message-ID: <n1400443880.87116@qm.genmagic.com>
MIME-Version: 1.0
Content-Type: text/plain


        Reply to:   RE>netscape bug

"Vladimir Z. Nuri" writes:

>I am willing to bet that the netscape bug would have been fixed quickly if it
>had been quietly brought to their attention, without the blaring media
>lights (I enjoy the media circus as much as the next guy, but on the
>other hand, doing some things quietly may actually advance the cypherpunk
>cause further than by making a noisy hullaballoo in cyberspace).

I can't speak for Netscape in particular, but from bitter personal experience
(in a previous life) I would be more willing to bet that bringing such a flaw
to management's attention would raise the priority a bit to perhaps just below
whatever their equivalent of the 'cut line' is.  The rationale: "we are so
resource limited;  can't just keep it under wraps and fix it in the next
release?" just rings in my ears.

I can really empathize with what the developers at Netscape must be going
through, but the 'social good' of raising security flaws to the level of the 
front page of the NYT is hard to deny.  Rather than saying "security through
obscurity is bad" you can point to a precedent of the consequences of being 
found out. 

--Joe






