[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <34125.212.113.187.169.1036686603.squirrel@webmail.pair.com>
From: joao at silvaneves.org (João Miguel Neves)
Subject: Security Industry Under Scrutiny: Part One
>> my clients' computers. They also help better
>
> This isn't a shot at the author of this reply but his comment about the
> existance of tools help him help his clients helps illustrate something
> that lately has been making me sick enough to start rethinking things.
>
[...]
No offense taken. I agree with your point. I think the habit that existed
on bugtraq of posting exploits with errors that would be obvious if you
understood the issue was a nice filter, even if, in practice, ineffective.
>> And what to do when they ignore you ? The mechanics of "full
>> disclosure" (or "posting to public foruns" as you put it) is that
>> vendors will not correct software problems just because they exist,
>> but they'll do it to protect theur image and reputation. Before "full
>> disclosure" it wasn't strange to have a software company like Sun to
>> take years to produce a fix for a security bug. I don't want to go
>> back to that dark age.
>
> I think this issue is black and white. Vendor ignores you release
> information on vulnerability. That does not however mean you release a
> point and click script.
>
I was thinking of information. The scripts are useful because it wouldn't
be the first time the first report of a vulnerability was wrong, but
people were able to 1) discover there was a real problem because the
script worked and 2) zero in on the problem because people had a test
case.
> I am asking myself what is worse, the clueless using
> lists like this to get rich or companies at least paying those who can
> find vulnerabilities a fat salary to then resell the vulns to their
> clients. I don't think either improves security.
>
I started as a system administrator almost a decade ago. I saw how most
people went from keeping their secrets to full-disclosure. Right know my
belief is that security is dynamic: the only want to secure something is
by implanting detection, correction and containment measures. Reducing the
amount of information available will make my ability to detect and react
slower, effectively reducing my security. But this is just one opinion
(even if I know I'm not alone on this one).
> Why doesn't someone sue a vendor?
>
Law. Software is protected under copyright, not contract law. That means
that there is no basis for a liability claim against the vendor.
Powered by blists - more mailing lists