[Dailydave] The old speak: Wassenaar, Google, and why Spender is right

Michal Zalewski lcamtuf at coredump.cx
Tue Aug 4 11:42:10 EDT 2015

> Now, of course, it's hard to truly quantify such opinions, and if you
> think otherwise, I think it's quite fine to disagree :-)

To be perfectly clear, I actually strongly agree that individual bugs
don't deserve PR releases, media packets, and flashy conference
presentations. All that is just a product of human nature and a couple
of twisted incentives.

At the same time, I don't subscribe to the absolutist view that
vulnerabilities don't matter, chiefly because I see ample evidence of
such findings making developers more interested in security and
improving their code - and because they keep us honest when we invent
new ways to make software more secure. On balance, I do think that
systemic improvements (design practices, sandboxing, mitigations) are
more important where feasible, but I see a strong link between the two
facets of security research.

I'm always surprised when people speak in absolutes - be it when Bes
or you get dismissive of vulns and vuln disclosure, or when
researchers make a big deal out of individual findings and see
themselves as kings of the world.
