Then I don't follow your argument. My point is that it's a doctor's job to explain the treatment options to you, not to just do whatever they think is best. Is that a good thing, or a bad thing?
Replying to @taviso
I'm saying that your analogy is trying to frame CVD as a discussion between a doctor and a patient, when the closer analogy is between an Epidemiologist and a large, vulnerable population.
It just happens that we have a real life example of epidemiologists and a large, vulnerable population to point to right now - and what people are doing is mostly accepting "There's a big risk here, wash your hands and stay inside" as the totality of what they need to know.
yes. And what @taviso is saying is that for some people, that's not enough. And I think CD vs FD comes down to "is there ever a case where one is clearly right?" And the answer is: it all depends on your point of view, and so every answer is terrible.
Replying to @docsmooth @taviso
You've reached the conclusion from the original Tweet that I posted, which was that both parties are right and it depends on whose outcome you're optimizing for.
Replying to @0xMatt @docsmooth
I wasn't arguing with the conclusion, you characterized full disclosure as "every man for himself", which is just wrong.
Replying to @taviso @docsmooth
Ah. Well to that specific point, I acknowledge that it's much more complicated than that. I oversimplified b/c 240 chars.
Is it fair to say that Full Disclosure optimizes for full control of things being given to the end user, even when that may disadvantage and harm other end users?
Replying to @0xMatt @docsmooth
No. Vulnerability discovery isn't a mutually exclusive event, other people can find and exploit them simultaneously, our concern is that people are at risk while the vendor is trying to hide the problem.
Vendor as part of the threat model, rather than part of the solution. Is that part of the reasoning behind the extendable 90 day deadline at P0? Vendors who are trying to patch are a lesser variable in the threat model?
Vendors are rational actors, right, so what is the economic incentive for fixing vulnerabilities? I genuinely don't know, giving users information about vulnerabilities empowers them to direct vendors how they expect them to respond.
While that's a good point, I think my concern is the huge number of end users who don't consume that information, can't consume that information, and don't know what to do with it even if they stumble across it. But they WILL listen to the vendor say "install this patch".
Replying to @docsmooth @0xMatt
Not sure what you mean, nothing about full disclosure prevents the vendor from saying that, and if that's what consumers want, presumably the vendor will deliver it or users will choose a different vendor. That's a good thing!