Open Source and information security mailing list archives
From: aliver at xexil.com (aliver@...il.com)
Subject: Shiver me timbers.

On Mon, 19 Aug 2002, Ka wrote:
> We would not have computers and software as evolved as they are, if we
> hadn't exchanged help and information from the very beginning.

Nobody is saying that "we" shouldn't exchange help and information in a
general sense. We are talking about the specific case of a person in a
researcher role doing work to find a bug or write a piece of software
which has security implications (i.e., exploit, virus, network scanner,
etc.). What I'm addressing is the flawed idea that everybody has to share
this work if it applies to some vendor's product, no matter what.

> In the early times, before 'hacker' was being used in its modern
> interpretation, holding back information was a sure sign of
> unprofessionalism or even incompetence.

To whom? You? Sorry, but it doesn't matter how far back you want to go,
doing free research for a greedy company still sucks, and categorically
applying some "ethical" standard is a sure sign of lack of the ability to
think for yourself. Again, we are talking about security vulnerabilities,
not just general "information" as you put it.

> Everybody _knew_ that the next bug could very well be discovered in one's
> own system.

Again, you are over-generalizing and being way too ambiguous. What kind of
bug? A security vulnerability is a specific type of bug with specific types
of implications often greater than a simple "program X won't function in
condition Y."

> Of course it's everybody's right to publish or not to publish anything.

You're damn right it is.

> But hindering the exchange of know-how among fellow hackers is just as
> egocentric as M$ is with its marketing strategy.

I for one am not suggesting that the "exchange" of know-how among hackers
be hindered. I'm suggesting that a person in a researcher role has the
right to exercise his own judgment before he decides what to do with his
research. I'm also saying that there are many conditions where that
individual might be morally justified in withholding a bug with security
implications from the original vendor. Lastly, I'm suggesting that
one-size-fits-all "ethics" from whitehats publishing silly "RFC" documents
on what I should do are a vile idea.

aliver
