Message-ID: <20020711135726.GA27619@www1.grok.org.uk>
From: johnc at grok.org.uk (John Cartwright)
Subject: Re: Announcing new security mailing list

On Thu, Jul 11, 2002 at 01:42:16PM +0200, Simon Richter wrote:

Simon,

You may wish to subscribe to the list so that you and others may debate this 
issue. The list is configured so that non-members may not post.

> To me, the term "full disclosure" does not mean "make it available as fast
> as possible", but rather "here is the information, expect it to leak in
> the next two weeks, so go out and fix the bug". The current bugtraq scheme
> enforces that, and I believe they are doing a great job.

We are placing the responsibility with the individual, not with an
organisation here. What we do not believe in is having a situation where
a select few are aware of a problem, but 99% of the internet populace are
powerless to defend against it. We are not saying that the vendor should not
be informed, we are saying, inform the people and the vendor simultaneously.

> By creating a forum in which vulnerability spotters can get "instant
> fame", you are forcing software vendors to monitor the forum 24/7, as a
> new vulnerability in their software could be disclosed anytime, and at the
> moment it is disclosed, script kiddies are hacking it into their scanners
> while it could be 4 am in the vendor's timezone. If we are lucky enough
> that the vulnerability is spotted by a whitehat, we should not jeopardize
> the time advantage we have by announcing it publically.

This situation already occurs. If a researcher leaks information to a few
'allies', if a technique is discovered 'in the wild', or if a vendor silently
fixes unknown problems, then there are those who possess the knowledge and
those that don't. We are simply providing a forum for those who wish to try
and balance out this situation.

> In short, I think this is a bad idea because it adds confusion for the
> vulnerability spotters, risks early disclosure before fixes are available
> and thus harms the users.

Early disclosure is important, IMO, as was proved with the recent Apache flaw.
I believe there were reports of Gobbles' exploit being active in the wild long 
before the patched packages were available, and being alerted to the problem 
even if there was no fix would have at least given admins a 'heads-up' and 
allowed people to make informed business decisions. Of course, this is our 
personal opinion, but we hope that others concur and wish to share in our 
resource.

- John
