Message-ID: <Pine.SGI.4.44.0208191042550.153330-100000@hexeris>
From: aliver at xexil.com (aliver@...il.com)
Subject: Shiver me timbers.

On Mon, 19 Aug 2002, Ka wrote:

> We would not have computers and software as evolved as they are, if we
> hadn't exchanged help and information from the very beginning.

Nobody is saying that "we" shouldn't exchange help and information in a general sense. We are talking about the specific case of a person in a researcher role doing work to find a bug or write a piece of software which has security implications (i.e. exploit, virus, network scanner, etc.). What I'm addressing is the flawed idea that everybody has to share this work if it applies to some vendor's product, no matter what.

> In the early times, before 'hacker' was being used in its modern
> interpretation, holding back information was a sure sign of
> unprofessionalism or even incompetence.

To whom? You? Sorry, but it doesn't matter how far back you want to go, doing free research for a greedy company still sucks, and categorically applying some "ethical" standard is a sure sign of lack of the ability to think for yourself. Again, we are talking about security vulnerabilities, not just general "information" as you put it.

> Everybody _knew_ that the next bug could very well be discovered in one's
> own system.

Again, you are over-generalizing and being way too ambiguous. What kind of bug? A security vulnerability is a specific type of bug with specific types of implications, often greater than a simple "program X won't function in condition Y."

> Of course it's everybody's right to publish or not to publish anything.

You're damn right it is.

> But hindering the exchange of know-how among fellow hackers is just as
> egocentric as M$ is with its marketing strategy.

I for one am not suggesting that the "exchange" of know-how among hackers be hindered. I'm suggesting that a person in a researcher role has the right to exercise his own judgment before he decides what to do with his research. I'm also saying that there are many conditions where that individual might be morally justified in withholding a bug with security implications from the original vendor. Lastly, I'm suggesting that one-size-fits-all "ethics" from whitehats publishing silly "RFC" documents on what I should do are a vile idea.

aliver