From: simon at snosoft.com (ATD)
Subject: Security Industry Under Scrutiny: Part One
Sockz,
In response to this post...
You said: * security advisories are rarely based on original concepts
Response: Maybe not, but they are based on original bugs that could be
threatening to the infrastructure of many companies.
You said: * most of them are filled with lots of crap used to build up the reputation of
the whitehat.
Response: I'd like to see the evidence that you have to support this
claim.
You said: * whitehats should contact vendors and not public forums, as only the vendors can
release an update.
Response: When vendors are contacted, they are not always inclined to do
what is right, but would rather save face. If we did this and
did not post to the public, we would be A: denying the public
knowledge of a threat and B: allowing vendors to lie to clients.
Also, look at what happened to us when we tried to contact HP about
Tru64.
You said: * "proof of concept" toolz are used to fuel script kiddies so as to justify the
employment of security professionals. kinda like the CIA bombing a
skyscraper to get more funding.
Response: Proof of concept code is just that, used to prove a
theory/concept. Without the code, vendors would probably not
respond to issues. Plus, who said the code had to have a malicious
payload? I know how to write non-malicious proof of
concept code, don't you?
Things we can do to make the security industry better:
You said: * dont post to public forums. contact the vendor directly. make vendors more
responsible for their products.
Response: The aforementioned HP incident with SNOsoft (us).
You said: * stop producing "proof of concept" code/tools, as these are more often used to
harm, rather than to heal.
Response: See above; I don't choose to be redundant.
You said: * care more about security and less about money.
Response: Knowledge is power and thus education will make the community
more powerful. Sharing information in public lists is one way to
educate people.
For all of those who are anti full disclosure, why are you signed up for
this list? I think that I speak for the majority here (correct me if I
am wrong). I think full disclosure is a powerful asset to the security
community and I have yet to see any convincing arguments to counter
that. The majority of the arguments that I see against full disclosure
are opinion-based and emotional (some almost childish). The arguments
that I see for full disclosure are supported by facts and history.
--
-ATD-
http://www.snosoft.com
-------------------------------------------------------------
Secure Network Operations | Strategic Reconnaissance Team
Cerebrum Project | cerebrum@...soft.com
-------------------------------------------------------------