"My opinion on disclosure is simple: put up or shut up! If you go the full-disclosure route and announce the bug and full details immediately, that is great. Or if you want to coordinate disclosure with vendors and keep the bug secret until a patch is released, that is great too. But if you go with the coordinated approach (which vendors refer to as “responsible disclosure”), there is no point announcing and hyping the bug before a patch is released and you're ready to disclose details. I don't tell people how to report vulnerabilities—disclosure has long been one of the most personal and political issues in the security community. So I let them decide for themselves. But when people decide on the partial disclosure fear-mongering approach, I reserve the right to speculate on the issue as I do here. I recognize their vague description of the attack and results because I've written and used a similar DoS tool. I was not the first to do so, either."
And I was around at the time of synflooding to teardrop. The botnets already have the power to DoS the whole Internet for a while by attacking key infrastructure elements. The question is why they don't do it, or perhaps why they would do it. Ransom won't work. And zombies are valued assets to use for more profitable tricks like spamming, installing spyware, or 419-style scams.