From: choose.a.username at hushmail.com (choose.a.username@...hmail.com)
Subject: Re: it's all about timing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I get the impression that some government type may have whispered in your ear

"go out into the IT community and get a 'peoples' consensus on a guideline that we expect to put into legislation in the near future". This way it is the 'peoples' guideline and not the government's.

All this continual talk about it does nothing other than give it legitimacy and a footing when in fact, had the status quo been maintained, nobody would be the wiser. In other words, someone has come up with the brainwave to do something about nothing.

On Mon, 5 Aug 2002 21:51:50 -0400 (EDT), full-disclosure@...ts.netsys.com wrote:
>choose.a.username@...hmail.com said:
>
>>What are the penalties now for not abiding by this guideline, or any
>>other guideline that might be out there.
>
>We explicitly stayed away from defining what the penalties are.
>That's outside the scope of the recommendations - the "marketplace"
>may decide, or perhaps, the legal community may decide.  If there are
>no guidelines at all, then perhaps "the government" will decide (which
>obviously has its own issues, in an international community such as
>information security.)
>
>>Pretend that your (as in this) guideline was already implemented. How
>>on earth would you expect it to have stifled the release by both the
>>individual in (or a part of) SnoSoft and ISS.
>
>It at least establishes a point of discussion.  Whether you agree with
>the particular points of the draft or not, they can be compared to the
>facts (or apparent facts) of the situation.
>
>For the ISS/Apache issue, it seems that nobody disputes that ISS gave
>Apache less than 7 days to respond to the initial report, before they
>published.  This is not consistent with the spirit of the disclosure
>draft (I just took a look at it, and while it requires the vendor to
>respond within 7 days, it doesn't have a complementary suggestion that
>the reporter should give 7 days to the vendor! whoops).  In the
>ISS/Apache case, we have the further complication that multiple
>vendors were involved (a difficult issue that is not addressed by the
>current draft, except in its recommendations for involving
>coordinators).  Without community-defined guidelines, there are no
>clear boundaries to say whether ISS did things "reasonably" or not.
>
>The SnoSoft/HP issue is more complicated and not cleanly addressed by
>the disclosure draft, which does not cover accidental or unauthorized
>releases, and is not comprehensive on the role of third party
>coordinators.  I think it demonstrates some of the complexity in
>vulnerability disclosure.  Some people have argued that this means
>that there shouldn't be *any* guidelines, but I believe that we should
>try to be as detailed as possible in the guidelines to reduce
>confusion, provide flexibility where it is needed, and do what is
>possible to avoid regulations that may come from outside the IT
>community.
>
>- Steve
>_______________________________________________
>Full-Disclosure - We believe in it.
>Full-Disclosure@...ts.netsys.com
>http://lists.netsys.com/mailman/listinfo/full-disclosure
>

- -----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmYEARECACYFAj1RaaofHGNob29zZS5hLnVzZXJuYW1lQGh1c2htYWlsLmNvbQAKCRDT
5JkCl0iMkP31AJsHv2J3QICwlKsvoCiK+I8STNAedACgtn0/KLwugGTn/ldKdFLGhWBj
0dg=
=0E/o
- -----END PGP SIGNATURE-----


Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmYEARECACYFAj1RabofHGNob29zZS5hLnVzZXJuYW1lQGh1c2htYWlsLmNvbQAKCRDT
5JkCl0iMkOlEAKCS2Yvrfwy0GPLnvwhiedke61qCzwCgjUcQqPUeRjQGTDvZt1hNjjGp
8kI=
=Vlls
-----END PGP SIGNATURE-----

