Message-ID: <200301122251.h0CMpcD16981@netsys.com>
From: ratel at mailvault.com (ratel)
Subject: Fwd: fuck symantec & boycott bugtraq
O.C.Rochford <orochford@...t-sec.org> wrote:
>hello
>that is quite frankly a lot of bollocks.
>fact is that you can't research everything yourself, the amount of
>information is just too great, all this does is remove a place where
>people's own research can be speeded up without having to reinvent the
>wheel, as well as sharing the findings of research.
The community of people genuinely interested in finding exploits and
sharing them with each other will adapt. The community of leeches who
need everything handed to them on a silver platter--being too
dimwitted/undermotivated to spend five minutes on Google--will suffer.
Which is as it should be.
Besides, isn't there something inherently problematic with the kind of
mentality that deliberately chooses to rely on a narrow range of sites
as "the definitive source" for information about a given subject?
Especially something as complex and important as computer security? You
should.
I can assure you that anyone interested in spreading disinformation
couldn't be more delighted to find a sizable chunk of people in a field
so uncritically dependent on one source of information. Getting rid of
single points of failure in any information dissemination system is a
good thing. If this inspires more people to wake up and do more
independent critical thinking on their own, where's the downside?
I have a problem with the idea of lulling people into thinking their few
sanitized sources will provide all the answers for them. It's a sucker's
game.
>If you are saying you can audit the code of a whole OS yourself, then
>you must be a code god, and all of these people who bitch about
>"scriptkiddies" and the like just stealing other people's research
>should only say so if they have never made use of these sources
>themselves.
Putting the question of my credentials and abilities aside for a minute,
ask yourself: when was the last time you saw exploit code coming out of
Ft. Meade (or an NSA-affiliated FFRDC)?
You think they haven't written any?
No amount of handwaving will ever change the fact that many talented
people (for whatever reason) are motivated to keep exploits to
themselves. Given that you'll always be vulnerable, where's the sense in
tricking people into thinking that as long as they keep up with what's
happening at SecurityFocus they'll be safe?
Dropping the "full disclosure" posturing in favor of the infinitely more
honest "exploits for customers" policy makes explicit what cynics have
known all along. It's not about "responsible disclosure", it's about not
giving away a marketable commodity for free.
Fine. Now maybe it'll be a little harder to avoid owning up to who's
actually been doing the work.
>You have to start somewhere to learn, and you have to be able to pool
>resources to share the load in auditing the amount of code and
>programs available today.
True, but none of this will change for people genuinely interested in
finding community--nobody worth mentioning is going to stop learning and
sharing. It's just going to move away from SecurityFocus and potentially
raise the bar a little. Which is fine with me.
Ratel.
***
"Americans used to roar like lions for liberty. Now we bleat
like sheep for security." - Norman Vincent Peale.