lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: listuser at seifried.org (Kurt Seifried)
Subject: Re: Announcing new security mailing list

Perhaps someone can setup full-disclosure-discuss? I thought this list was
for announcements, not the tired/boring/painfully stale "am not" "are so"
arguments. Plus the anologies will start coming out and those really suck.
And then someone will get compared to Hitler and the thread will be closed,
so why not head it off at the pass instead?


Kurt Seifried, kurt@...fried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/


----- Original Message -----
From: "Simon Richter" <Simon.Richter@...bos.fachschaften.tu-muenchen.de>
To: "John Cartwright" <johnc@...k.org.uk>
Cc: <len@...sys.com>; <full-disclosure@...ts.netsys.com>
Sent: Thursday, July 11, 2002 2:01 PM
Subject: [Full-Disclosure] Re: Announcing new security mailing list


> Hi,
>
> >> To me, the term "full disclosure" does not mean "make it available as
> >> fast
> >> as possible", but rather "here is the information, expect it to leak in
> >> the next two weeks, so go out and fix the bug". The current bugtraq
> >> scheme
> >> enforces that, and I believe they are doing a great job.
>
> > We are placing the responsibility with the individual, not with an
> > organisation here.
>
> IMHO an organisation has a greater chance of doing things right than a
> number of individuals. For example, I do not have a complete list of
> Linux/BSD/Unix distributors' security contacts, and I believe many
> others out there haven't either, however such a list is vital for vendor
> notification.
>
> >  What we do not believe in is having a situation where
> > a select few are aware of a problem, but 99% of the internet populace
> > are
> > powerless to defend against it. We are not saying that the vendor
> > should not
> > be informed, we are saying, inform the people and the vendor
> > simultaneously.
>
> What do you gain by informing the people? Many people running servers
> are unable to disallow mail relaying on their boxes, why do you expect
> them to understand how to recompile and reinstall a webserver? Even the
> few competent admins who could understand an advisory and fix things by
> themselves might like an official update from a distributor, packaged
> and ready to install.
>
> >> If we are lucky enough
> >> that the vulnerability is spotted by a whitehat, we should not
> >> jeopardize
> >> the time advantage we have by announcing it publically.
>
> > This situation already occurs. If a researcher leaks information to a
> > few
> > 'allies', if a technique is discovered 'in the wild', or if a vendor
> > silently
> > fixes unknown problems, then there are those who possess the knowledge
> > and
> > those that don't. We are simply providing a forum for those who wish to
> > try
> > and balance out this situation.
>
> If some bug is being exploited "in the wild" there is no sense in
> holding back information; I believe the bugtraq moderators understand
> that (at least they approved postings stating that something was being
> exploited already within a few minutes.
>
> >> In short, I think this is a bad idea because it adds confusion for the
> >> vulnerability spotters, risks early disclosure before fixes are
> >> available
> >> and thus harms the users.
>
> > Early disclosure is important, IMO, as was proved with the recent
> > Apache flaw.
> > I believe there were reports of Gobbles' exploit being active in the
> > wild long
> > before the patched packages were available,
>
> Well, I believe this case was a matter of Gobbles' attitude -- they
> simply didn't follow the rules by sharing their exploit with other
> people before the official release date. There will always be people
> like this (=> "instant fame"), and giving them a forum in which they can
> publicize their exploits to an even wider audience will not make the
> problem go away.
>
> If that happens it is the same thing as with every other exploit being
> actively used -- notify everyone instantly, as there is no point in
> still holding back information. I believe the bugtraq moderators
> understand this, and approve such postings right away.
>
>     Simon
>
> _______________________________________________
> Full-Disclosure mailing list
> Full-Disclosure@...ts.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ