lists.openwall.net
Open Source and information security mailing list archives

From: belal-fulldisclosure at caldera.com (Bela Lubkin)
Subject: Symantec Buys SecurityFocus, among others....

I know better than to step into a discussion like this, but...

Advocating "full disclosure" and then trying to restrict the flow of
vulnerability information does not make sense!  Either you want it fully
disclosed to everyone, or you don't.  What I seem to hear being
advocated is something like "vulnerabilities should be fully disclosed
to people who support full disclosure, and _nobody else_".  But that is
not full disclosure at all, that's a closed, insular universe.

There's a lot of anger on this list against "commercial use" of
vulnerability information, directed against "security companies".  What
about commercial software vendors?  How can you "protect" exploit
information against "commercial use" without also preventing commercial
entities like distro houses from using it?

If you did somehow successfully prevent the Red Hats, Calderas and Suns
from using your exploit information to tighten up their products, in
what way would this be a good thing?  (A few readers are unconditionally
against all commercial software houses; the rest of us are aware of
that.  If you're unconditionally against it then this is another tiny
bit of ammo; fine.  I'm trying to ask this question of people who _do_,
to whatever degree, appreciate commercial software.)

Meanwhile, I haven't heard that Symantec has actually _done_ anything
that would harm bugtraq.

Instead of boycotting bugtraq, people should continue to use it as
before, but keep a sharp eye on it.  If you post a vulnerability there,
does it show up promptly?  Then the list is working as it should,
and there's nothing to get so excited about.  The list is public --
if your vuln shows up, it's available to everyone, thus proving that
Symantec/SecurityFocus are not holding it back in order to gain some
sort of advantage in the marketplace.

If they _do_ start delaying things, it'll be obvious to participants,
and the list will die naturally.  It would no longer be serving its
purpose, so people would stop using it and it would die.

And maybe, just maybe, _this_ list will some day take over the role.
Ain't gonna happen any time soon, not when the sound(vuln info):noise
(flamewars about who-bought-who) ratio is so low.

>Bela<

(yeah, I'm repeating some of what others have said, but -- I hope -- a
little more coherently and with a lot less swearing...)

Reply-To: /dev/null  (this is the wrong venue for this discussion)
