lists.openwall.net | Open Source and information security mailing list archives
Message-ID: <CKEBJFJAKHBEMEJPECBIMELHCGAA.gibby@tabasco.net>
From: gibby at tabasco.net (Gibby McCaleb)
Subject: RE: it's all about timing (wasn't that a John Denver song?)

I think most everyone on this list will agree with your comments about how things "should" be disclosed. However, I think those points are moot.

<snip>
I'll say V has all the rights in the world to sue the crap out of H, and put him (her) in jail for one thousand years, and I'll applaud that.
</snip>

A thousand-year jail term? Man, where do you live?

I think you are missing the issue here. I don't know the laws specific to where you live (although they seem harsh. Have you considered a coup?), but here in the US, I can sue you because I'm offended by the color of your pants (to be honest, they're damn ugly, but some Dockers, please). That is not to say I have a chance of winning that suit, but I can still sue you. And again, per my previous post, I don't think winning a suit is necessarily the issue here either.

Using Snosoft/HP as an example, if HP sues and wins, a dangerous precedent has been set. If HP loses, Snosoft will still have spent enough cash and time trying to defend themselves against a company with much deeper pockets that it is quite possible they may not be able to financially recover from winning the suit, if they even get that far. Either way, everyone in the security industry, especially security companies, is going to think twice about publishing a vulnerability in the future. That is bad, because the people who will know about future vulnerabilities are the people who don't report them now (i.e. some 12-year-old kid in Yemen with nothing better to do).

If HP wins, where does it stop? If ABC Inc. gets hacked out of existence, can ABC sue SecurityFocus (Symantec) for archiving all the exploits used to compromise their system? Don't laugh, it's not that far-fetched.

<snip>
And the solution is so simple: DO NOT publish "zero-day exploits"
</snip>

Wow. I never thought of that. (Sorry for the sarcasm.) You are preaching to the choir. I believe most everyone on this list not only agrees with that principle but practices it as well. Why Snosoft/HP is so important is that plenty of time was given to HP to correct the hole. If HP moves forward with litigation (win or lose), this may well open a floodgate of similar actions that could dramatically change how we all do our jobs and the effectiveness of the current exploit exposure scenario.

So yes, Florin, in a perfect world we'd all release vulnerabilities the right way, and there is a Santa Claus. However, in the real world, there will be responsible people and irresponsible people. There will be responsible people who believe in zero-day exposures. There will be people who don't own computers and collect cans from my recycling bins. There is no way to enforce any exposure rules, so we all have to keep on doing what we're doing and hope that the "bad" people don't screw it up for the rest of us.

However, I do believe that we should explore ways to "pressure" HP into backing off, as a previous post mentioned. Send a polite email. If you are at a company and have some purchasing power, tell your HP sales rep that you are so concerned over this matter that you're flying to Austin to meet with Dell (let me know when you're going; I know some good bars on 6th Street). Open to suggestions.

I'd like to take this opportunity to apologize for my annoying sense of humor.

Gibby McCaleb
_______________________________________________
"When the going gets weird, the weird turn pro." Hunter S. Thompson
_______________________________________________