Not so. For example here is the privacy statement from a well-known university:

Privacy of Information
Information stored on a computer system or sent electronically over a network is the property of the individual who created it. Examination, collection, or dissemination of that information without authorization from the owner is a violation of the ownerâ(TM)s rights to control his or her own property. Systems administrators, however, may gain access to usersâ(TM) data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules.

Universities usually operate under some concept of academic freedom. Total access by the public to every part of your existence is clearly incompatible with this.

OK with which part? Trying to repress work of scientists for political ends or trying to preserve their work for future study?

One is the despicable work of slimeballs trying to supress scientific inquiry or just simply punish people who have ideas they don't like, and the other is the work of archivists and libraries.

Clearly we have the former going right now. Fortunately the courts came to the right conclusion.

Lots of DC-3's still in use.

Next year the Gooney Bird will turn 80.

Not even close. I have a still working HP-35.

Bought in 1973.

41 year old gizmo.

They still pop up on Ebay from time to time.

Absolutely.

But we were talking about mitigating measures. That is almost never patch and recompile, it's things like turning off a service, changing the firewall rules, moving servers into a different network - things that are very much within the duties of the sysadmin (with proper clearance and risk acceptance by management, etc. etc.)

Basically, if you have a bug that makes your internal network open to the world, but you can avoid it by disabling feature X in the config file, and your company doesn't require feature X, then that's something the sysadmin can do, and he can do it right now, while the vendor is working on a patch.

I agree on that 100%

That depends a lot on the particular problem. In many cases, there are mitigating measures that can be taken until a patch is available, and I'd argue strongly that the people affected should make the call on that, not you or I or anyone else.

By withholding information, you are making decisions for other people. But you are not in a position to make that call, because you are not the one who suffers the consequences.

I advocate for giving everyone all the information so they all can act according to their needs and abilities. I argue for letting people make their own decisions.

See other reply.

Yes, of course, a closed source development that does external code reviews can have more eyes on the project then an open source development that does no external code reviews. But then you're comparing apples and oranges.

I didn't see it's the thousands of eyes that fanatics claim.

I'm simply saying that if your source code is open, your number of eyes on the project is (dev team) + (people looking at it) while for a closed source project the number is (dev team).

Since "people" cannot be negative, by necessity (dev team) + (other people) >= (dev team)

It doesn't.

It does guarantee that the number of reviewers is equal to or higher, provided everything else is equal.

Yes, this argument is being made a million times and it doesn't prove anything because it rests on so many assumptions that may or may not be true that it's total truth value is about as good as tossing a coin.

The two most important:

First, you assume that the official patch is the only thing that can be done. In many, many cases there are other (temporary) measures that can be taken to mitigate a problem or limit its impact. Who are you to decide for everyone on the planet with their different needs and scenarios which is better?

Second, you assume that there are thousands of hackers who didn't know about it. Yes, it is likely that the number of bad guys knowing about the problem was less than 100% before the announcement. But any real professional doesn't care about number of hackers, he cares about risk, which is number multiplied by impact. If the people who are the worst danger to my business and are most likely to target me already have the exploit, I don't give a fuck about a thousand random script kiddies also getting it.

Depends, but yes for many non-essential services, that is indeed an option. Imagine your actual web service doesn't use SSL, but your admin backend does. It's used only by employees on the road, because internal employees access it through the internal network.

Sure you can turn that off for a week. It's a bit of trouble, but much better than leacking all your data.

Or if it's not about your web service, but about that SSL-secured VPN access to your external network? If you can live without home office for a week, you can turn that off and wait for the patch, yes.

Most importantly, who are you to decide that everyone should wait for a patch instead of giving people the opportunity to deploy such mitigating measures?

People don't learn.

We used to do that.

Full disclosure evolved primarily as a countermeasure because vendors took those grace periods not as a "we need to get this fixed in that time", but as a "cool, we can sit on our arses doing nothing for another two weeks".

My preferred choice of being left alone or being beaten to a pulp is being left alone, not some compromise in the middle, thank you. Just because there are two opposing positions doesn't mean that the answer lies in the middle.

I've given more extensive reasoning elsewhere, but it boils down to proponents of "responsible disclosure" conveniently forgetting to consider that every delay also helps those bad guys who are in posession of the exploit. Not only can they use it for longer, they can also use it for longer against targets who don't know they are vulnerable.

Many, many companies run non-essential services that they would not hesitate to shut down for a few days if they knew that there's an exploit that endangers their internal systems. Other companies could deploy mitigating measures while waiting for the patch.

Don't pretend sysadmins are powerlessly waiting with big eyes for the almighty vendor to issue a patch.

There's a black market where you can buy and sell 0-days.

Sure you give it to more people (and for free) than before. But the really dangerous people are more likely than not to already have it.

That is true. However, you also need to take a few other things into account. I'll not go into detail, I think everyone has enough knowledge and imagination to fill in the blanks:

• There is an actual black market for exploits where they are bought and sold.
• Not announcing a weakness withholds the information not just from the bad guys, but also from sysadmins, preventing mitigating measures and proper risk awareness.
• We have over 20 years of history proving that vendors regularily move slower or not at all until a weakness is making headlines
• There have been many cases where several researchers had partial information about an exploit, and only once combined was the true impact known. For example, one research might know about the problem and how to exploit it, but thinks it can't be leveraged to a compromise. Another might know about the potential compromise, but think it can't be triggered in a real-world scenario.

Despite all the theoretical arguments seemingly in favour, security through obscurity does not work and we've known that for like forever.

Yet the overall murder rate trend did not change appreciably - despite the fact that it should have included those massacres. In fact, it briefly went up after the ban, despite there being a massacre immediately before the ban...

Which, I suppose, just goes to show just how small and insignificant those massacres are in the big picture, if you take the media attention they receive out of the equation and look at raw numbers. Yet people keep referring to them as some major factor that should be a significant driver of public policy. It's about as ridiculous as the security theater that followed 9/11.