lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <200208192223.29624.ka@khidr.net>
From: ka at khidr.net (Ka)
Subject: Shiver me timbers.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Aliver,

you misunderstood my intention. I was simply expressing
my point of view, I'm not intending to tell anybody,
what to do or what not to do.

I'm appreciating this list very much, in fact after recognizing
that for example bugtraq is withholding critical information
often for weeks, I was looking forward to such a list (as is
formulated in its goal and yet to be realized). 
And I was answering to one of your posts, because I saw from 
your statements, that you are not buying a ready-made
philosophy but expressing your own point of view in clear words.

Having said that (sorry for the flattery .o) I just want to explain
my point: what about the colleagues (like me), who are neither
experienced in exploit-writing nor unexperienced in programming
and willing to learn? And of course learning on an actual problem,
trying to verify and fix the imminent software flaw before exploits
are im wide use. That's more to my taste, than just waiting for the 
rpm from the distributor and then simply installing it (and having 
to install it immediatedly, because so many weeks have allready
passed after the first detection).



At Montag, 19. August 2002 19:57 aliver@...il.com wrote:
> [...] What I'm addressing is the flawed idea that everybody has to share
> this work if it applies to some vendor's product, no matter what.

Sure. 


> [...] doing free research for a greedy company still sucks,

Certainly. One of the reasons I quit my last job.


> [...] and categorically
> applying some "ethical" standard is a sure sign of lack of the ability to
> think for yourself.

Absolutely.


> Again we are talking about security vulnerabilities,
> not just general "information" as you put it.

Not agreeing on that one. Security concerns have 
become general. The whole net depends more and more on 
it (negatively or positively).


> Again, you are over-generalizing and being way too ambiguous. What kind of
> bug? A security vulnerability is a specific type of bug with specific types
> of implications often greater than a simple "program X won't function in
> condition Y."

I don't play this black-n-white game, sounds too much of 007-movies to me.

A bug in a compiler or OS can be far more costly than a defaced website.
The only difference I see in the security sector is that there is the _intention_
of the intruder, an intention which is far too easily named "malicious"
for my taste. "Malicious" has nothing to do with hacking or not hacking,
it's a different dimension -- one can be malicious within the letters of the 
law (and without). Yet - a good tester will allways have the "malicious"
intend to bring the developed system down. The IBM black-team was feared
for that (long ago .o)


> I for one am not suggesting that the "exchange" of know-how among hackers
> be hindered.

Fine.

> I'm suggesting that a person in a researcher role has the
> right to exercise his own judgment before he decides what to do with his
> research.

I agree. But a lot of people might not.
This is against the basis of our so called "modern"
society, which is in fact anti-individual in large areas.


> I'm also saying that there are many conditions where that
> individual might be morally justified by withholding a bug with security
> implications from the original vendor. Lastly, I'm suggesting that
> one-size-fits-all "ethics" from whitehats publishing silly "RFC" documents
> on what I should do are a vile idea.

Sure, I never understood you otherwise.

Ethics stink, may they come from society or anti-society.
But at least this RFC was a try to make the decision processes
public and transparent. After all it's a "request for comments".

That we don't need more RFCs but more individuals is not the
fault of the authors of the RFC. That _some_ of the "disturbing"
postings to this list showed the resp. hacker's individuality 
was also not allways recognized.


Greetings
Ka

P.S.
This email has become quite personal (and OT to this list). 
Nevertheless I post it to the list in the hope, that my 
standpoint might help communication between black-n-white.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9YVPA72vu22ltWBERAlYCAJ9XbftP54GxzqiIVDR+S+TdtSrfwgCfY/eX
TW3r+gRcm/sDoptGoBRVvQU=
=H2m8
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ