Lindstrom's Indemnification
Pete Lindstrom has very nicely offered to indemnify me, and pay my outrageous consulting fees when no one else will, if only I break NDAs and disclose which 0day exploits were used against which of my clients. Well, the city of Tokyo… No, I’ve never worked for the city of Tokyo.
Now, as I’ve said repeatedly, I think more detailed disclosure of more security incidents would be a good thing. I keep posting very boring breaches posts to spread the idea that these things happen every day. But that doesn’t mean I’m going to go around violating the trust people put in me.
But wait! Mr. Lindstrom didn’t offer to indemnify me! He didn’t even offer to get me drunk. And I’m certainly not going to go violating customer trust for the sake of a blog post.
Elsewhere in the flame war, Richard Bejtlich has “More Mildly Condescending Comments,” which are worth reading, and Tom Ptacek compares crypto to vulns in “And on & on” [link to http://www.sockpuppet.org/tqbf/log/2005/08/and-on-on.html no longer works] and gives other reasons not to disclose in “The REAL zero-day” [link to http://www.sockpuppet.org/tqbf/log/2005/08/real-zero-day.html no longer works]. Reading Richard’s comments also explains the Mothra. Maybe.
Just to be clear, I’m not claiming that any breach in the breaches list is from 0day. I’m saying that breaches are regular, and should not be cause for shame or panic.