From: hellnbak at nmrc.org (hellNbak)
Subject: Of course you guys support full-disclosure

On Sun, 25 Aug 2002, Defender Defender wrote:

> Necessary evil huh? Preferred argument of evil doers ;)

Give me a better solution that A.) protects the hapless admins who have no
time or budget to change anything and have to live with an environment,
B.) forces vendors to own up to their mistakes and fix them albeit
eventually and it really should have been done right in the first place,
and finally C.) allows everyone to do as they please on and off the
Internet without worrying about some assclown owning all their computers.

I know the proper solution has "sue the vendors" somewhere in it, but
until someone comes up with one -- full-disclosure is all we have and even
that doesn't completely address all of the issues.

> Sorry, but I believe the poster referred to your common argument that 'all
> you want is help improve software, for free'.

I never said that I wanted to improve software for free -- but I do want to
try and force some security improvements on to vendors which hopefully
will eventually mean that I am out of a job as a "security guy" and can go
back to whatever.

The whole, oh you should be doing this for free argument is bullshit.
Does a doctor who practices medicine because he truly wants to help people
do it for free?  No, of course not.  So why should I?  I personally try to
do as much as I can for the security community in general FOR FREE.  But
that doesn't mean that I should feel dirty because I have apparently "sold
out" by doing some consulting work.  My consulting work gives me the money
to do the free stuff that I do work on.  Without it, the free wouldn't
exist because there would be no one to pay for it.

> Like PHC and ~el8 hacks against security professionals?
> You don't give them the tools on this one, you give them the motive ;)

What I find amusing is many members of PHC and el8 are also "security
professionals".  So what is their true motive?  What does PHC and el8
really have to gain?  You can't tell me that they are doing this out of
pure concern for the current state of things.

> And not all security companies disclose bugs. Only those who want to expand
> their market by creating a threat. (hi iss!)

The issue I have with security companies stopping to disclose bugs is that
you then get a situation where company A tells Client 5 that their team
knows of XXX# of issues while Company B tells Client 5 that they have
ZZZZ# of issues in their database.  Not disclosing the bugs helps create
the snake oil salesmen that we all hate.  At least today Client 5 has the
choice of either using public information to do it themselves or if they
don't have the inhouse skills (or for whatever reason) they can hire
someone outside to do the work.

One of the FREE things I am working on is going to help keep all of this
information free and organized for everyone and anyone.

> What security-breakers you talk of here? You? ;)

If everyone stopped hacking -- security companies would go out of
business and software vendors would make more money because they would
stop worrying about security.  But, we all know that will never happen.


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@...c.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

