Open Source and information security mailing list archives
From: peter at bank-connect.com (Peter van den Heuvel)
Subject: Shiver me timbers.

I am wondering....

Besides the "I am bad and you cannot stop me" threads, the main issue
(of course) seems to be whether to publish exploits/vulnerabilities
found. Although one might want to hold one's own moral judgement against
others, such appears mostly futile. Thus the personal moral evaluation
gets all the more relevant. One aspect I've found missing so far is the
distinction between commercial and open/contributed software.

The "how dare you charge anyone money for this" factor might make one
reluctant to cooperate in any fashion with "the company that tends to
ignore such issues anyway". A point made very clear, just like the "if
you think you're such a clever security expert" factor might demotivate
to "donate the fruits of personal skill and perseverance".

Yet, there's software that was gifted to all and that many depend on
(like linux, apache, perl, egcs, mysql, cipe, qmail, bind, vim, bash,
etc, and as it seems, even outlook express ;^). Would such facts not tip
the balance of personal bias?

Of course one will assist small and big commercial (and non-commercial)
operations by publishing an exploit. But so did the makers of many of
the tools being used. Such was their makers' choice. And so that might
pose obligations to anyone using that software. If it were not so
futile, the obligation to report bugs might have made it into the GPL.
Of course one might consider any such software inadequate, but that does
not change a thing. Usage obliges the user, payment obliges the
supplier. Now what if you just did not pay?

I also fail to see the distinct link between (not)publish and morals.
Would every must-publish-hat (:>) willingly help that notorious spammer?
Or would every must-not-publish-hat deny assistance to the makers of his
favorite OS or web-stat tool? I would like to be surprised by any
consistent moral motivation by either faction. I'm afraid that moral
judgement cannot be made by rules of thumb. Then, I'm also afraid
there's always going to be a bit of sacrifice in order to achieve
"morals". But hack, none of that's any good for sake of argument.

So, indeed, argument is a decent thing. And as far as moral obligations
go, there's just the arguments that can be spelled out. So that they can
be a mirror to anyone that is compelled to reflect. An RFC to simply
formalize the required procedures for any vulnerability found seems to
me like a grave oversimplification.

Peter
