lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <Pine.SGI.4.44.0208251306170.132902-100000@hexeris>
From: aliver at xexil.com (aliver@...il.com)
Subject: Of course you guys support full-disclosure

On Sun, 25 Aug 2002, hellNbak wrote:

> Give me a better solution that A.) protects the hapless admins who have
> no time or budget to change anything and have to live with an
> environment,

I personally have a hard time feeling sorry for "admins". They are usually
people who are "into" computers but were too lazy to actually learn the
intrinsics, the latter being fairly helpful in securing your systems. There
is something to be said for the bad ol' days when being a "computer person"
meant having a double-E. I also find the excuse of "not having budget"
pretty weak, since that kind of thing is usually due to the tired old
practice of spending more money on marketing and bonuses for sales people
and executives than on their core business or protecting their assets.

The real point is that full-disclosure doesn't really protect hapless
admins as much as it benefits greedy megacorps. It benefits both the ones
who are in the "security industry", since they get free tools and PR, and
it benefits the rest by making their boxes more secure in the long run.
Notice here that I agree that full-disclosure does foster an environment
where software becomes more secure in the long run.

> B.) forces vendors to own up to their mistakes and fix them albeit
> eventually and it really should have been done right in the first place,
> and finally

You mean like HP has been doing? Increasingly the trend seems to be to sue
the researcher, insinuate that they are terrorists, and then ignore or
mishandle the actual problem. Again, in the long run there are bugs being
fixed, but personally I find the cost to people like myself too high. I'm
not going to risk getting sued or branded as a terrorist on some CNN tech
story for providing free help to some company like Hewlett Packard.

> C.) allows everyone to do as they please on and off the Internet without
> worrying about some assclown owning all their computers.

I don't think full-disclosure is the panacea you imply here. There is
always the possibility of "some assclown" finding a vulnerability, creating
an exploit, and using it on you. You can't force full-disclosure down
everyone's throat.

> I know the proper solution has "sue the vendors" somewhere in it,

I agree that they should be sued. Anything that weakens them is in my
cool-book.

> The whole, oh you should be doing this for free argument is bullshit.

We also agree on this point.

> Does a doctor who practices medicine because he truly wants to help
> people do it for free? No, of course not. So why should I?

Well, I'm a programmer who really _doesn't_ want to help "people", since in
this case "people" means either corrupt, greedy corporations or ignorant
and/or lazy folks who usually deserve what they get.

> I personally try to do as much as I can for the security community in
> general FOR FREE.

Yet the "community" always seems to ask for more, for example with the
responsible disclosure RFC. I don't like working for ingrates, and
certainly not for free.

> But that doesn't mean that I should feel dirty because I have apparently
> "sold out" by doing some consulting work.

In my opinion "selling out" means turning 180 degrees from what you really
believe in so you can make some cash. If you were never a hacker, then you
certainly aren't a sellout if you are engaged in some whitehat-type work.
It doesn't sound like you have ever espoused "the blackhat position", so
even if I think you are wrong, I don't think you are a sellout.

> My consulting work gives me the money to do the free stuff that I do
> work on. Without it, the free wouldn't exist because there would be no
> one to pay for it.

I was looking at your web page. I was wondering what free work you have
done in the past. I'm not saying you've done nothing, but I'm just curious
about you as a whitehat test-case. Have you written any exploits or tools
to speak of?

> What I find amusing is many members of PHC and el8 are also "security
> professionals".

I also think this is very amusing.

> So what is their true motive?

Hopefully, they want to pay the bills while at the same time using the
consulting firms they work for as a way to finance their OJT in exploit
writing. This would make things even more ironic and amusing.

> One of the FREE things I am working on is going to help keep all of this
> information free and organized for everyone and anyone.

I thought Technotronic was pretty organized, and it was free. I never
really heard what happened to them. Seems like anyone who sets up an
exploit & vulnerability database goes belly up sooner or later, but good
luck to you just the same.

> If everyone stopped hacking -- security companies would go out of
> business and software vendors would make more money because they would
> stop worrying about security.

They don't worry too much about security now. Witness HP and friends.

> But, we all know that will never happen.

Of course not.

aliver