Reply to: RE>netscape bug

"Vladimir Z. Nuri" writes:
I am willing to bet that the Netscape bug would have been fixed quickly if it had been quietly brought to their attention, without the blaring media lights (I enjoy the media circus as much as the next guy, but on the other hand, doing some things quietly may actually advance the cypherpunk cause further than by making a noisy hullabaloo in cyberspace).

I can't speak for Netscape in particular, but from bitter personal experience (in a previous life) I would be more willing to bet that bringing such a flaw to management's attention would raise the priority a bit to perhaps just below whatever their equivalent of the 'cut line' is. The rationale: "we are so resource limited; can't just keep it under wraps and fix it in the next release?" just rings in my ears. I can really empathize with what the developers at Netscape must be going through, but the 'social good' of raising security flaws to the level of the front page of the NYT is hard to deny. Rather than saying "security through obscurity is bad" you can point to a precedent of the consequences of being found out.

--Joe

participants (1): Joe Tardo