Message-ID: <Pine.GSO.4.43.0207111823400.20821-100000@parka.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: Re: Announcing new security mailing list


Dang!  I always liked the Hitler comparisons...

...practically live on analogies...


Thanks,

Ron DuFresne

On Thu, 11 Jul 2002, Kurt Seifried wrote:

> Perhaps someone can setup full-disclosure-discuss? I thought this list was
> for announcements, not the tired/boring/painfully stale "am not" "are so"
> arguments. Plus the analogies will start coming out and those really suck.
> And then someone will get compared to Hitler and the thread will be closed,
> so why not head it off at the pass instead?
>
>
> Kurt Seifried, kurt@...fried.org
> A15B BEE5 B391 B9AD B0EF
> AEB0 AD63 0B4E AD56 E574
> http://seifried.org/security/
>
>
> ----- Original Message -----
> From: "Simon Richter" <Simon.Richter@...bos.fachschaften.tu-muenchen.de>
> To: "John Cartwright" <johnc@...k.org.uk>
> Cc: <len@...sys.com>; <full-disclosure@...ts.netsys.com>
> Sent: Thursday, July 11, 2002 2:01 PM
> Subject: [Full-Disclosure] Re: Announcing new security mailing list
>
>
> > Hi,
> >
> > >> To me, the term "full disclosure" does not mean "make it available as
> > >> fast
> > >> as possible", but rather "here is the information, expect it to leak in
> > >> the next two weeks, so go out and fix the bug". The current bugtraq
> > >> scheme
> > >> enforces that, and I believe they are doing a great job.
> >
> > > We are placing the responsibility with the individual, not with an
> > > organisation here.
> >
> > IMHO an organisation has a greater chance of doing things right than a
> > number of individuals. For example, I do not have a complete list of
> > Linux/BSD/Unix distributors' security contacts, and I believe many
> > others out there haven't either, however such a list is vital for vendor
> > notification.
> >
> > >  What we do not believe in is having a situation where
> > > a select few are aware of a problem, but 99% of the internet populace
> > > are
> > > powerless to defend against it. We are not saying that the vendor
> > > should not
> > > be informed, we are saying, inform the people and the vendor
> > > simultaneously.
> >
> > What do you gain by informing the people? Many people running servers
> > are unable to disallow mail relaying on their boxes, why do you expect
> > them to understand how to recompile and reinstall a webserver? Even the
> > few competent admins who could understand an advisory and fix things by
> > themselves might like an official update from a distributor, packaged
> > and ready to install.
> >
> > >> If we are lucky enough
> > >> that the vulnerability is spotted by a whitehat, we should not
> > >> jeopardize
> > >> the time advantage we have by announcing it publicly.
> >
> > > This situation already occurs. If a researcher leaks information to a
> > > few
> > > 'allies', if a technique is discovered 'in the wild', or if a vendor
> > > silently
> > > fixes unknown problems, then there are those who possess the knowledge
> > > and
> > > those that don't. We are simply providing a forum for those who wish to
> > > try
> > > and balance out this situation.
> >
> > If some bug is being exploited "in the wild" there is no sense in
> > holding back information; I believe the bugtraq moderators understand
> > that (at least they approved postings stating that something was being
> > exploited already within a few minutes).
> >
> > >> In short, I think this is a bad idea because it adds confusion for the
> > >> vulnerability spotters, risks early disclosure before fixes are
> > >> available
> > >> and thus harms the users.
> >
> > > Early disclosure is important, IMO, as was proved with the recent
> > > Apache flaw.
> > > I believe there were reports of Gobbles' exploit being active in the
> > > wild long
> > > before the patched packages were available,
> >
> > Well, I believe this case was a matter of Gobbles' attitude -- they
> > simply didn't follow the rules by sharing their exploit with other
> > people before the official release date. There will always be people
> > like this (=> "instant fame"), and giving them a forum in which they can
> > publicize their exploits to an even wider audience will not make the
> > problem go away.
> >
> > If that happens it is the same thing as with every other exploit being
> > actively used -- notify everyone instantly, as there is no point in
> > still holding back information. I believe the bugtraq moderators
> > understand this, and approve such postings right away.
> >
> >     Simon
> >
> > _______________________________________________
> > Full-Disclosure mailing list
> > Full-Disclosure@...ts.netsys.com
> > http://lists.netsys.com/mailman/listinfo/full-disclosure
> >
>
> _______________________________________________
> Full-Disclosure mailing list
> Full-Disclosure@...ts.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

