I don't propose to "make sure" that only good guys know, I just suggest that it is better to not spread the info publicly when you don't know who is listening in. Why make the bad guys' job easier?
The bad guys already know. They're often the ones who discover the problems in the first place and even if they aren't you can be sure they'll find out once the "experts" do.
I know. The smart bad guys almost always find these holes before the good guys. But there are lots of not-so-smart bad guys and these folks are far more likely to actually use their knowledge maliciously. These people are not necessarily plugged in to the same channels of info as the smart bad guys and these not-so-smart folks are the ones that we can slow down by being more discreet about what we discuss in public.
All that happens when people try and restrict information about incidents is that the number of people focusing on the solution is reduced, often drastically to below the critical mass necessary to solve the problem once and for all.
My experience is that it only takes one or two smart people to solve this kind of problem. And I strongly doubt that those people will be on this list since they are much more likely to be on lists that discuss theoretical issues.
However this group in particular should be making wide and frequent use of this list and others like it to notify each other (and the experts) of things they should be looking out for and precautions that should be taken.
The experts can be notified in private rather than by shotgunning various public mailing lists. This list is better used for practical actions that people can take today.

********************************************************
Michael Dillon                    voice: +1-415-482-2840
Senior Systems Architect            fax: +1-415-482-2844
PRIORI NETWORKS, INC.              http://www.priori.net

"The People You Know. The People You Trust."
********************************************************