Date: Thu, 24 Mar 2005 20:31:01 -0300
From: shadown <shadown@...il.com>
To: Simple Nomad <thegnome@...c.org>
Cc: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: Re: [VulnWatch] Details of Sybase ASE bugs withheld


Simple Nomad made the best analysis I've read up to now.
Bugs always will be discovered and exploits developed by people, and
if no one can disclose them, will you trust this software? I don't
think so.

Cheers,
  shadown

On Wed, 23 Mar 2005 09:03:21 -0600, Simple Nomad <thegnome@...c.org> wrote:
> On Tuesday 22 March 2005 14:53, Marchand, Tom wrote:
> > And what happens when the vendor won't  indemnify the researchers?  No more
> > security bulletins?  Wouldn't the vendors love that.  Or would security
> > researchers become outlaws?
> 
> It gets worse if you consider that the researcher may be researching a COTS
> product on behalf of a client who wants the software evaluated before it is
> implemented/purchased. Now where does the EULA lie? Company X bought the
> software, but pays me to evaluate it in a cubicle on Company X's property.
> Does the EULA apply to me? What if Company X already installed it on a
> computer, and *they* clicked "I Agree" during the license question and I am
> just there to rip things apart bit by bit?
> 
> This is why EULAs don't work in this context.
> 
> Additionally, myself and/or NMRC has been threatened with legal action from
> several companies or have done "legalish" things to try to scare us ("please
> GPG sign NMRC's disclosure policy with *your personal* GPG key and email it
> to us before releasing your advisory we don't want published"). My experience
> through my employer BindView also leads me to believe that given the chance
> any and all vendors will do anything to prevent public disclosure of bugs.
> 
> <tinfoilhat>
> IMO, several large vendors are waiting for one of the smaller companies to
> risk the bad publicity of going after a security researcher (criminal, civil,
> or both) so a precedence has been set. Assuming the courts decide in favor of
> the company instead of the researcher, security research as we know it will
> end as all the vendors come after us like biblical locust swarms, and we will
> go back underground, old school style.
> </tinfoilhat>
> 
> --
> # Simple Nomad  --  thegnome@...c.org                #
> # C1B1 E749 25DF 867C 36D4  1E14 247A A4BD 6838 F11D #
> # http://www.nmrc.org/~thegnome/                     #


-- 
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown@...il.com

This message is confidential. It may also contain information that is
privileged or otherwise legally exempt from disclosure. If you have
received it by mistake please let us know by e-mail immediately and
delete it from your system; should also not copy the message nor
disclose its contents to anyone. Many thanks.

