Date: Tue, 10 Jul 2012 19:58:16 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Justin Klein Keane <justin@...irish.net>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: How much time is appropriate for fixing

"Moral obligation" to disclosing bugs?  Really?  The statement wasn't
about what happens when there is disclosure or the effect it has - the
statement was in regard to the purpose one does the research and
subsequent disclosure in the first place.  It is, quite simply, to be
recognized.  I didn't say anything was "wrong" with that, I was just
stating that it "is."  People do not disclose their research to make the
world a better place.  They do it for recognition or for money.  One may
argue they are related.

Are you telling me that these people intentionally begin researching some
random product because they have some duty to ensure a fix is produced?
If you think that, you are quite naïve.  People certainly report bugs
anonymously, but those are bugs they happen upon, not those they set out
to find.  Just look at how many bugs are released anonymously.
Statistically none.  You paint the picture as if people volunteer hours
upon hours of research into any random product to find a bug so that they
can "insure" a fix is produced, as if they have some duty to do so.  Nuts,
man.

Oh, and your reference to Maslow actually makes my point.  The most basic
need is "sex" (getting laid). The next most basic need is "employment"
(getting paid).  The next tier is "sexual intimacy" (getting laid), the
next is "achievement" (getting paid) and finally the "acceptance of
facts" that everything you do is to get paid or get laid.

But as Val said, this thread has about run its course, and there's not
been much new material on the subject (even though Григорий Братислава has
provided needed entertainment).


On 7/10/12 9:15 AM, "Justin Klein Keane" <justin@...irish.net> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hello,
>
>  I feel compelled to point out that disclosing a bug *is*
>contributing.  It requires a lot of time and effort to find a bug,
>which is a contribution to the target software, even if only seen as
>free quality assurance work.  Disclosure is undeniably inconvenient
>for vendors, but it is demonstrably one of the surest ways to ensure a
>fix is developed.  Security researchers arguably have as much
>responsibility to end users as to vendors.  If a researcher finds a
>bug, unless they believe they are the best person in the world at what
>they do, they must conclude black hats have access to the bug.
>Disclosing the bug is the lowest resistance way for a researcher to
>concurrently inform the user base and provide impetus for the vendor
>to fix the issue.  The proposition that disclosure is purely selfish
>ego stroking ignores the viewpoint that disclosure is a moral
>obligation, which is just as valid.  Maslow's hierarchy of needs
>clearly illustrates that not everyone is motivated by getting paid or
>getting laid.
>
>Justin C. Klein Keane
>http://www.MadIrish.net
>
>
>On 7/10/12 11:42 AM, Mikhail A. Utin wrote:
>> Hello, I completely agree with Thor. We have to do something for
>> free. We have to contribute, not just use. Whoever and whatever.
>> Examples: - This list is run for free (hardware, software, time,
>> energy are used for it) and giving us a chance to communicate - The
>> most of us use Linux, whichever flavor you prefer. The most of it
>> is free time contribution. Somebody pays for that, but we use. It
>> is nice to be paid for something, but consider the alternative.
>> Otherwise our communications will die and we do not have an OS for
>> a fun or profit.
>> 
>> Mikhail Utin
>> 
>> -----Original Message----- From:
>> full-disclosure-bounces@...ts.grok.org.uk
>> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
>> full-disclosure-request@...ts.grok.org.uk Sent: Tuesday, July 10,
>> 2012 7:00 AM To: full-disclosure@...ts.grok.org.uk Subject:
>> Full-Disclosure Digest, Vol 89, Issue 11
>> 
>> 
>> ------------------------------ Message: 7 Date: Mon, 9 Jul 2012
>> 17:24:51 +0000 From: "Thor (Hammer of God)" <thor@...merofgod.com>
>> Subject: Re: [Full-disclosure] How much time is appropriate for
>> fixing a bug? To: Georgi Guninski <guninski@...inski.com>, Stefan
>> Kanthak <stefan.kanthak@...go.de> Cc:
>> "full-disclosure@...ts.grok.org.uk"
>> <full-disclosure@...ts.grok.org.uk> Message-ID:
>> <CC205E3D.3561%thor@...merofgod.com> Content-Type: text/plain;
>> charset="Windows-1252"
>> 
>> I'm not contradicting myself at all - in fact, *you* are the exact
>> type of person I'm talking about.  You couldn't give a rat's ass
>> about the industry or anyone but yourself.  Nothing you have ever
>> done has been "valuable" to anyone other than you; it has been
>> completely self-serving egotistical bullshit.
>> 
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/