From: simon at snosoft.com (ATD)
Subject: Security Industry Under Scrutiny: Part One

Sockz,

In response to this post...

You said: * security advisories are rarely based on original concepts

Response: Maybe not, but they are based on original bugs that could be threatening to the infrastructure of many companies.

You said: * most of them are filled with lots of crap used to build up the reputation of the whitehat.

Response: I'd like to see the evidence that you have to support this claim.

You said: * whitehats should contact vendors and not public forums as only the vendors can release an update.

Response: When vendors are contacted they are not always inclined to do what is right, but would rather save face. If we did this, and did not post to the public, we would be A: denying the public knowledge of a threat and B: allowing vendors to lie to clients. Also, look at what happened to us when we tried to contact HP about Tru64.

You said: * "proof of concept" toolz are used to fuel script kiddies so as to justify the employment of security professionals. kinda like the CIA bombing a skyscraper to get more funding.

Response: Proof of concept code is just that, used to prove a theory/concept. Without the code vendors would probably not respond to issues. Plus, who said the code had to have a malicious payload? I know how to write non-malicious proof of concept code, don't you?

Things we can do to make the security industry better:

You said: * dont post to public forums. contact the vendor directly. make vendors more responsible for their products.

Response: The aforementioned HP incident with SNOsoft (us).

You said: * stop producing "proof of concept" code/tools, as these are more often used to harm, rather than to heal.

Response: See above; I don't choose to be redundant.

You said: * care more about security and less about money.

Response: Knowledge is power and thus education will make the community more powerful. Sharing information in public lists is one way to educate people.

For all of those who are anti full disclosure, why are you signed up for this list? I think that I speak for the majority here (correct me if I am wrong). I think full disclosure is a powerful asset to the security community and I have yet to see any convincing arguments to counter that. The majority of the arguments that I see against full disclosure are opinion based and emotional (some almost childish). The arguments that I see for full disclosure are supported by facts and history.

-- 

-ATD-

http://www.snosoft.com
-------------------------------------------------------------
Secure Network Operations |     Strategic Reconnaissance Team
Cerebrum Project	  |	cerebrum@...soft.com
-------------------------------------------------------------