Trojan Source: out in the open but invisible

In a previous century (1993), the Bugtraq mailing list sprang to life to publish vulnerabilities regardless of vendor response, as part of the full disclosure movement in vulnerability disclosure. Today it is a given that vulnerabilities get published, and the question is no longer IF vendors will issue fixes but WHEN.

If we were still stuck in a reality where the debate was about whether vulnerabilities may be published at all, and when, to the point that vendors would rip pages out of textbooks, we would not be able to discuss the vulnerability itself, its potential exploit or its potential impact. That is something we have actually achieved in this world, and it is worth remembering now that we realize the internet has not fulfilled the dream of making the world a better place. The free, open internet is now a place of firewalled countries, censored websites, tracking websites and spying applications, where encryption has to be pushed to the masses wherever possible to avoid mass surveillance. At least there is Full Disclosure now.

Without that kind of transparency we would not be able to discuss the subtleties of the Trojan Source vulnerability/exploit: the source looks fine to the human eye (out in the open) but is nasty to the computer, so we are actually dealing with an invisible vulnerability. (Invisible to the human eye, as Ross Anderson pointed out in an interview with KrebsOnSecurity.)
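To make the "out in the open but invisible" point concrete, here is an added example (my code, not from the original post or from the Trojan Source authors). It assumes the mechanism described in the Trojan Source paper: Unicode bidirectional override and isolate characters (U+202A to U+202E, U+2066 to U+2069) make the rendered order of a line differ from the logical order that the compiler parses. The sample source line is constructed for this example; the scanner reports every bidi control it finds and returns the line as the compiler actually sees it.

```python
"""Scan source text for Unicode bidi control characters (Trojan Source).

Added example, not code from the original post. Assumption: the attack
relies on the bidi override/isolate characters listed below, which the
Trojan Source paper identifies as the ones that reorder rendered text.
"""
import unicodedata

# Bidi formatting characters that can reorder how an editor renders a line.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}


def find_bidi_controls(source: str, strict: bool = False):
    """Return (line_no, col, name) for every bidi control in `source`.

    With strict=True every Unicode format character (category Cf, e.g.
    zero-width joiners) is reported too, since those are also invisible.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col, BIDI_CONTROLS[ch]))
            elif strict and unicodedata.category(ch) == "Cf":
                hits.append((line_no, col, unicodedata.name(ch, "FORMAT")))
    return hits


def strip_bidi_controls(source: str) -> str:
    """Remove the controls so the text reads in the order the compiler parses it."""
    return "".join(ch for ch in source if ch not in BIDI_CONTROLS)


def suspicious_lines(source: str):
    """Line numbers whose rendered text could differ from their logical text."""
    return sorted({line_no for line_no, _, _ in find_bidi_controls(source)})


# Constructed sample (not from the paper or the post): the string literal
# contains RLO and isolate controls, so an editor renders the "comment" as
# if it sat outside the string, while the compiler sees a comparison against
# a literal that contains the whole "// Check if admin" text.
SAMPLE = (
    'if (access_level != "user\u202e \u2066// Check if admin\u2069 \u2066") {\n'
    "    grant_admin();\n"
    "}\n"
)

if __name__ == "__main__":
    for line_no, col, name in find_bidi_controls(SAMPLE):
        print(f"line {line_no} col {col}: {name}")
    print("compiler sees:")
    print(strip_bidi_controls(SAMPLE), end="")
```

Running a scan like this over a repository (or as a pre-commit hook) turns the invisible vulnerability back into a visible one: anything reported on a line of code, rather than in a legitimately bidirectional string, deserves a manual look.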