Date: Wed, 23 Mar 2011 11:53:03 -0700
From: Mike Hoskins <michoski@...co.com>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares

On 3/23/11 9:46 AM, J. Oquendo wrote:
> How about we reflect reality?

We can't honestly do that, we all only have our perception.  It's funny 
how we can get stuck in a trap of 0 and 1.

My perception is we'll always disagree on disclosure technique, or at 
least nitpick some minor detail into infinity like we do with politics 
or religion.  We're human after all.

That said, bugs exist whether we find them or not, every software has 
them, and if the author had never reported them that in no way implies 
they were not already known and/or being used for subversive means with 
the potential intent to cause harm.

I guess I'm oldsk00l enough to like responsible disclosure, but also 
anti-authoritarian enough (who's making the rules?  why are they god?) 
to believe this is not black and white.  Scare away those who disclose 
(regardless of method), and you're left with undisclosed vulnerabilities 
the bad guys with the most to gain ($$$ to invest in teams of 
hacke^H^H^Hengineers, not just script kiddies) still know about and can 
most effectively leverage.

I say the only bad disclosure is no disclosure.  If vendors can't move 
fast enough, they'll be usurped by those who can make better use of new 
processes and technologies to keep up with trends.

PS: Is this really "hot" now?  My only thought when I read the original 
post was "about time" -- SCADA has been known (as in publicly aired on 
broadcast television) to have many gaping vulnerabilities for at least a 
decade.  The (obviously bogus) justification was usually its restricted 
deployment model.
