Open Source and information security mailing list archives
From: John.Airey at rnib.org.uk (John.Airey@...b.org.uk)
Subject: Security Industry Under Scrutiny: Part One

> -----Original Message-----
> From: sockz loves you [mailto:sockz@...il.com]
> Sent: 07 November 2002 10:13
> To: full-disclosure@...ts.netsys.com
> Cc: vuln-dev@...urityfocus.com; vulnwatch@...nwatch.org;
> bugtraq@...urityfocus.com
> Subject: [Full-Disclosure] Security Industry Under Scrutiny: Part One
> 
> 
> Hello Full-Disclosure.
*snip the rest - it goes downhill from here*

Well Sockz, you've made some interesting points, although I would have to
admit that there is at least as much noise in your posts as anyone else's, if
not more.

This would be a good time to give a far more reasoned argument for Full
Disclosure than the one you have given, even if you are a troll or
flame-baiter.

I shall make two important points, the historical basis for Full Disclosure
and comparisons with other parts of life (there is more to life than
computers, so my wife tells me...)

First of all, is there any historical basis for Full Disclosure? Yes, and
I'll give the example of the translation of the Bible into English. At the
time it was opposed by the church of Rome because they would lose their
power over the people. They could read for themselves that salvation didn't
come through the church or even its traditions (a modern-day equivalent
would be what Microsoft and others are attempting with Palladium, i.e. you
trust us to supply you with "good" code, everyone else's is "bad"! That is a
swipe at Microsoft in case anyone thinks otherwise).

Now we have thousands of weird cults with all kinds of odd beliefs (e.g. the
Wacko from Waco) based on various misinterpretations of scripture. Should we
revert to the old system, where there was only one church and people were
told what to believe? Clearly there are disadvantages and advantages to
allowing people to find things out for themselves.

The situation with information about computer systems is much the same
today. Do we trust one mega-corporation to tell us what it wants us to
believe, or do we trust each other to share information to benefit each
other with the risk that someone might abuse it?

Second, can you compare this to other parts of life? Would you oppose
someone making public the problems with Ford Explorer tyres, as this would
"inconvenience" Ford into making safer tyres? Would you prevent the sale of
Swiss Army knives on the grounds that someone could injure another person?
Would you censor the media so that only state approved information would get
published? Some countries still do that, but we don't consider them free.

Of course, here in the UK we're into banning everything. We banned handguns
nationally (thus losing ourselves Olympic medals) because one mad person
slaughtered an infant school class (I have a young boy in infant school, so
don't think I'm completely heartless, nor would I wish a gun culture like
the US which is depopulating that country at an alarming rate). We banned
any sharp instruments on planes even though you can probably do much more
harm with a tray table (not that I've tried).

I spend most of my working day on security issues, that is very inconvenient
to me, but what would be more inconvenient would be a system that was
attacked and I was completely ignorant as to how it was done.

There is nothing wrong with the security community that is any different to
the rest of mankind (personkind for the PC). If anything, more transparency
like the Full Disclosure list is needed as those intent on damage are
already trading their information through other means. Unfortunately vested
interests have taken over some of the security lists so that only
information that makes the owners look good gets out (you know who you are).

I once heard it said that real freedom is the freedom to do what is right,
which of course requires knowledge in the first place.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@...b.org.uk 

If we could learn one thing from September 11th 2001, it would be the utter
absurdity of moral relativism.

- 

