Message-ID: <3D61734C.6F66A44E@bank-connect.com>
From: peter at bank-connect.com (Peter van den Heuvel)
Subject: Shiver me timbers.

I am wondering....

Besides the "I am bad and you cannot stop me" threads, the main issue (of course) seems to be whether to publish exploits/vulnerabilities found. Although one might want to hold one's own moral judgement against others, such appears mostly futile. Thus the personal moral evaluation gets all the more relevant.

One aspect I've found missing so far is the distinction between commercial and open/contributed software. The "how dare you charge anyone money for this" factor might make one reluctant to cooperate in any fashion with "the company that tends to ignore such issues anyway". A point made very clear, just like the "if you think you're such a clever security expert" factor might demotivate to "donate the fruits of personal skill and perseverance".

Yet, there's software that was gifted to all and that many depend on (like linux, apache, perl, egcs, mysql, cipe, qmail, bind, vim, bash, etc, and as it seems, even outlook express ;^). Would such facts not tip the balance of personal bias? Of course one will assist small and big commercial (and non-commercial) operations by publishing an exploit. But so did the makers of many of the tools being used. Such was their makers' choice. And so that might pose obligations to anyone using that software. If it were not so futile, the obligation to report bugs might have made it into the GPL. Of course one might consider any such software inadequate, but that does not change a thing. Usage obliges the user, payment obliges the supplier. Now what if you just did not pay?

I also fail to see the distinct link between (not) publishing and morals. Would every must-publish-hat (:>) willingly help that notorious spammer? Or would every must-not-publish-hat deny assistance to the makers of his favorite OS or web-stat tool?

I would like to be surprised by any consistent moral motivation by either faction. I'm afraid that moral judgement cannot be made by rules of thumb. Then, I'm also afraid there's always going to be a bit of sacrifice in order to achieve "morals". But hack, none of that's any good for the sake of argument. So, indeed, argument is a decent thing. And as far as moral obligations go, there are just the arguments that can be spelled out, so that they can be a mirror to anyone that is compelled to reflect. An RFC to simply formalize the required procedures for any vulnerability found seems to me like a grave oversimplification.

Peter