From: silvio at big.net.au (Silvio Cesare)
Subject: ranting.. was Re: (no subject) PS

On Tue, Nov 26, 2002 at 09:56:22AM +0100, Boris Lorenz wrote:
> Yuppa,
> 
> Euan Briggs wrote:
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > P.S - I forgot to mention, I did not make that post because I support
> > blackhats and what they do. I made that post because I support the
> > intellectual freedom the internet gives us, and I believe it is
> > something very precious indeed. I don't want to see it locked down by
> > governments and crippled due to a paranoid response to the security
> > risks, made so evident by people such as PHC. You are only providing
> > them with another excuse to limit our electronic freedom, which is
> > much more valuable than the freedom to break into machines with 0-day
> > exploits.
> 
> Spot on, Euan. I couldn't have said it better myself.
> 
> > Euan
> 
> Boris
> ---

The problem with this idea is that freedom is doubtfully freedom if one
cannot exercise freedom (let me explain).

In sociology, they will often say that power is not power unless it is
exercised.  It is like saying "well, I could do that _if I wanted_ to",
knowing full well that Mr/Mrs X would not be happy if you
did that - so you never exercise your ability of power, even though you
might be induced into believing you have power.

When your mother gives you a stern look in the eye and says, "well.. if you
really want it, I'll *, but think wisely before you make a decision" ;-)
That is a classic example of being given a choice reflective of having
power, but it's not really a choice at all - hence, you have no power unless
you actually exercise it.

It's also why retaliation is an attempt to show power, because if you do not
retaliate, then it may be indicative of being powerless.  On the
contrary however, if a retaliation is not made when everyone believes it
will be made, that is also indicative of power.

Even if you believe you are able to exercise power (as in your mother's
stern words above), and try to exercise this power thinking that
it's not going to lead to retaliation by your mother, then you might be
wrong..

The above can be exemplified through that of civil rights; which is
also perhaps why the US constitution etc. goes through a frenzy on occasion.

Think back to Hustler/Larry Flynt, when it was seen that what he was
doing through Hustler and his humour was actually constitutionally
protected [hope I get my history right here].

Before he actually tested the constitution, he couldn't be sure that he
indeed had the freedom or power defined by the constitution.  And this
uncertainty was valid, because his "freedom" as defined by the constitution
required a significant court/legal process to establish that indeed he was
protected.  Even though it was established that he was legally protected,
he was still attacked through legislation because he tried to
exercise something that was "not accepted" - even though he did in "theory"
have the ability to exercise his freedom.

Then the question is of course.. was he "always" able to do those things
that the government at the time disputed?
Did he "always" have the power and freedom defined by his country's own
constitution (later to be found that he was constitutionally
protected)?

Or was it not until he actually tried to exercise his rights that he
discovered that the constitution at the time was not able to defend his
rights (even though in "theory" it always had)?

Civil rights issues are always like this it seems ;-)

Now onto full-disclosure.. the question is then, should we all be "mature"
and disclose "responsibly"?  If a vendor makes no attempt to fix problems, yet
by nature of disclosing we open the possibility of mass exploitation (let's
say Apache or OpenSSH), do we still have the freedom or power of disclosure if
we choose not to disclose?

If the government tells us that by disclosing such software, you are indeed
helping the "blackhats", does that leave any "power" for the "whitehats"
through disclosure?

At the same time, if a "blackhat" discloses, does this mean the "whitehats"
are powerless because they are the only ones supposedly allowed to
disclose?

Full-Disclosure, as I see it, is a personal choice -

However -
If it is established that disclosure is either good or evil (black/white), and
we are forced to live with that (primarily through legislation, check out the
DMCA and even the RedHat advisories), it simply means that the disclosure is
no longer exercising freedom (intent no longer applies now, since it
is legislated), but simply a false freedom given to us by the powers that be,
whenever they see fit.

Disclosure is often seen as being about individual responsibility.  This I fully
agree with - and it is not up to the "powers that be", whether it be
the Government or Bill Gates, to enforce _our_ freedom upon us, and take
it away without remorse.

Is disclosure about freedom then?  I believe so.

The public is perhaps one of the largest contributors to the "security" of the
internet.  It is through disclosure that many, many vulnerabilities are
fixed - even those which vendors would often like us to ignore.

If _you_, if _we_ had not found a vulnerability in various software and
disclosed it - are you sure that your vendor would have done this
instead?  Am I, are we not all, entitled to see how safe our software is, if
only by reading the number of vulnerabilities disclosed against certain
software? [software as I understand it, isn't exactly the most well
defined of scientific pursuits - though automated bug checkers currently
seem to be heading us towards better quality software, though likely
a long time from now before we see this]

None of the above dictates that user freedom is defined by disclosure
in and of itself.  It is again, always a personal choice (and often
dictated by our employers - another story), but it is certainly defined that
the freedom for the users of software is taken away when they, when we,
are required _not_ to disclose.

</rant>

--
Silvio
