| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: lcamtuf at ghettot.org (Michal Zalewski) Subject: [Fwd: Copyright abuse on online.securityfocus.com] On Wed, 18 Sep 2002, Georgi Guninski wrote: > FYI Of course, technically, they have - most likely unintentionally - violated your request / license... but this and so many other posts (Solar Eclipse, TESO, etc) are pretty surprising. It's a bit funny when people who owe their reputation to the idea of full disclosure - or to all the side effects of this phenomenon, such as the increased security awareness that eventually turned hobbyist research into something that can generate paychecks for many folks who enjoy this kind of work - the same people who can maintain this reputation only by publishing security research on a regular basis and reaching an audience as broad as possible... well, it's funny when they start to fight over completely bogus and irrelevant issues because they can't get along with the fact other security folks also want a paycheck, and they decided to do it by sharing a systematized and digested information about the disclosed problems. It's not only security research that counts. It's not like you are doing _all_ the real work, and companies like SF are just nasty parasites. They are doing a valuable work many others are willing to pay for. Most companies don't have the expertise and resources needed to understand and classify the stream of hundreds and hundreds often vague or bogus messages from many sources every day, 24/7. They want the essential information, sorted, formatted and served in a timely manner, so they can deal with important problems as they appear. They want to outsource the process, and are willing to pay for it. Their alternative - hiring an extremely expensive professional to do the job. What's wrong or immoral about their choice? Why do you want to stop those people from getting important information? Just because they paid SF, as opposed to hiring a new employee they probably couldn't afford and would be firing by now? Disclosure is getting hairy, many folks are not really playing by the rules. Oh-so-many organizations, including some most reputable ones, have "tru$ted" partners for advance notification services without author's consent; many buy and sell unpublished vulnerability information without permission; some vendors use threats and lawyers to fix vulnerabilities in their products; and quite a few sources don't bother to credit authors, hoping to mislead the customer. I am a believer in ridiculing those practices in public, and expressing general discontent in such business models. I do believe they are in most cases immoral morons and should be taken down. But SF happens to have rather good record in the matter of ethics and plays nice with the community, compared to the industry average. -- mz
Powered by blists - more mailing lists