lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <F159cGf1TxxKuOMoVAu00013402@hotmail.com> From: defender242 at hotmail.com (Defender Defender) Subject: Re: Valid disclosure analogy > >On Sunday, Aug 25, 2002, at 12:05 US/Pacific, hellNbak wrote: > >>What ever happened to get your money out of Bank A and inform all of Bank >>A's other customers via a public forum (media) in order to protect the >>general public from being abused by Bank A and their lack of >>security/process/whatever.......??? >> >>Sure, change banks, but I think there is a greater responsibility here as >>well. > >What Defender Defender (what a name) fails to mention is, that if a bank >misrepresents the security of its money and an accountant (affiliated or >not) stumbles across this misrepresentation he IS required to report it. In >the case of software vulnerabilities, we encounter a huge number of >situations in which the bank ("software vendor") knowingly misrepresents >("unbreakable") the security of assets stored within. That is a very true point. I did not mention it because it does not justify to disclosure of vulnerability information on public lists. I am also an advocate of criminal charges against misrepresentation of security in any product (ex. oracle's unbreakable database). I would also support any movement that would force vendors to represent the security of their software correctly. However, I am not willing to put people at risk for that purpose, and I believe irresponsible any action that does. We also both know that if vendors were forced to rectify their marketing methods, they would most likely choose to put end to their pretentions as opposed to investing tons of $$$ in fixing their software. Corporations will always lie if they aren't forced not to do so. That is the problem that should be fixed. > >Defender Defender (still amused) tries to liken the freedom to talk about >mishandling of information or money in the bank with an actual break in, >theft and destruction. This is an easy way to argue, especially if the >intention is to criminalize the other party. Under quite similar >circumstances Godwin's Law would prevent him from doing so. I dont talk of crimes. I talk of acts and consequences. Please dont speculate on my intentions. > >What Defender Defender fails to mention is the fact that disclosure does >not happen "because vendors have been soooo diligent in the past" but >because they have not. No need to mention it. If a vendor does not pretend to offer a level of security it does not, it's up to him to act with diligence or not in regard to yet undisclosed vulnerabilities in its code. - Defender Defender > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.netsys.com/full-disclosure-charter.html _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com
Powered by blists - more mailing lists