lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <NMRC.666.6.66.0208251507580.21915-100000@www.nmrc.org>
From: hellnbak at nmrc.org (hellNbak)
Subject: Of course you guys support full-disclosure

On Sun, 25 Aug 2002, Defender Defender wrote:

> Necessary evil huh? Prefered argument of evil doers ;)

Give me a better solution that A.) protects the hapless admins who have no
time or budget to change anything and have to live with an environment,
B.) forces vendors to own up to their mistakes and fix them albiet
eventually and it really should have been done right in the first place,
and finally C.) allows everyone to do as they please on and off the
Internet without worrying about some assclown owning all their computers.

I know the proper solution has "sue the vendors" somewhere in it, but
until someone comes up with one -- full-disclosure is all we have and even
that doesn't completely address all of the issues.

> Sorry, but I believe the poster refered to your common argument that 'all
> you want is help improve software, for free'.

I never said that I wanted to improve sofware for free -- but I do want to
try and force some security improvements on to vendors which hopefully
will eventually mean that I am out of a job as a "security guy" and can go
back to whatever.

The whole, oh you should be doing this for free argument is bullshit.
Does a doctor who practices medicine because he truly wants to help people
do it for free?  No, of course not.  So why should I?  I personally try to
do as much as I can for the security community in general FOR FREE.  But
that doesn't mean that I should feel dirty because I have apparently "sold
out" by doing some consulting work.  My consulting work gives me the money
to do the free stuff that I do work on.  Without it, the free wouldn't
exist because there would be no one to pay for it.

> Like PHC and ~el8 hacks against security professionals?
> You dont give them the tools on this one, you give them the motive ;)

What I find amusing is many members of PHC and el8 are also "security
professionals".  So what is their true motive?  What does PHC and el8
really have to gain?  You can't tell me that they are doing this out of
pure concern for the current state of things.

> And not all security companies disclose bugs. Only those who want to expend
> their market by creating a threat. (hi iss!)

The issue I have with security companies stopping to disclose bugs is that
you then get a situation where company A tells Client 5 that their team
knows of XXX# of issues while Company B tells Client 5 that they have
ZZZZ# of issues in their database.  Not disclosing the bugs helps create
the snake oil salesmen that we all hate.  At least today Client 5 has the
choice of either using public information to do it themselves or if they
don't have the inhouse skills (or for whatever reason) they can hire
someone outside to do the work.

One of the FREE things I am working on is going to help keep all of this
information free and organized for everyone and anyone.

> hat security-breakers you talk of here? You? ;)

If everyone stopped hacking -- security companies would go out of
business and software vendors would make more money because they woudl
stop worrying about security.  But, we all know that will never happen.


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@...c.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ