From: peter at bank-connect.com (Peter van den Heuvel)
Subject: Yes?

Personally I find the last weeks quite stimulating, educational and even
entertaining. Although things tend to get meaningless where factions
communicate from their local perspective without making the effort to
connect to the opposed context.

I'm not much of a "hat" at all, though I work in IT, self employed and
part of my work is even security related. To me an open source of facts
and opinions (like this list) is essential to my survival: we must know
the world we're living in. I've never actually used a published exploit,
nor have I ever corrected vulnerable code. But the exploits as they were
published did however provide a solid understanding that "there's a
tiger in the forest and this is what it looks like". I have no actual
wish for ALL exploits to be published. Indeed, nothing is more dangerous
than the invincible.

Once exploits are published, especially the larger organization tends to
first ignore the fact. When forced into action by incidents and damage
they simply plug the hole but mostly fail to make the structural changes
that would be required to really deal with the issue. But even if they
did, would that make a big difference? You can improve safety of cars
but you cannot prevent their owners from driving like idiots. So
although they feed and leech, in the end nothing really changes. And they
will make their money quite as effectively without the help of published
exploits.

Buying exploit code exclusively? Unless with criminal intent I fail to
see the effectiveness in this. Try to sell your private knowledge on one
or two specific holes to the keeper of a sieve. At least there's a
business opportunity for those that failed to sell viagra, free loans or
hot-sluts.

I do not hold any hope that something as complex and intricate as a
large computer network can be made flawless and 100% secure. That is
mainly because of the focus on features instead of reliability and the
nature of the humans using it. Open source software is usually not much
better than commercial code in that respect. So there's the permanent
feeding-ground for both the black and the white hat.

White hats and black hats... So funny that all extremes fail to realize
that they exist only because of the counter-extreme they oppose. No
better legitimacy for security experts than the existence of hackers and
vice versa. None will disappear without the other going as well.

A holy war between the despicable established imperialist mobsters and
the criminal lowlife anarchist hackers! How quite effective history has
proven holy wars and prohibition to be, especially so if started without
the fundamental insight into the broader context. And calling one
another names and underestimating the opponent makes such a nice start.
Any conflict is the confrontation of the opposite faces of the same
coin; as per definition.

So my point: the conflict is simply permanent, feeds on lack of
understanding and won't change a thing. I find the recent attempts to
outlaw open-source, the publication of exploits (here both factions
strive towards the same!) or encryption and to allow large-scale
indiscriminate and uncontrolled tapping of communication much more
disturbing and relevant than the false hopes that the publication or
retainment of some exploits will make a dent. But maybe we all prefer
the intimate but futile quarrel over the real threats of life.

Peter
