| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: ratel at mailvault.com (ratel) Subject: Fwd: fuck symantec & boycott bugtraq -----BEGIN PGP SIGNED MESSAGE----- [Full-Disclosure] Fwd: fuck symantec & boycott bugtraq O.C.Rochford O.C.Rochford" <orochford@...t-sec.org >hello >that is quite frankly a lot of bollocks. >fact is that you can't research everything yourself, the amount of >information is just too great, all this does is remove a place where >peoples own research can be speeded up without having to reinvent the >wheel, as well as sharing the findings of research. The community of people genuinely interested in finding exploits and sharing them with each other will adapt. The community of leeches who need everything handed to them on a silver platter--being too dimwitted/undermotivated to spend five minutes on Google--will suffer. Which is as it should be. Besides, isn't there something inherently problematic with the kind of mentality that deliberately chooses to rely on a narrow range of sites as "the definitive source" for information about a given subject? Especially something as complex and important as computer security? You should. I can assure you that anyone interested in spreading disinformation couldn't be more delighted to find a sizable chunk of people in a field so uncritically dependent on one source of information. Getting rid of single points of failure in any information dissemination system is a good thing. If this inspires more people to wake up and do more independent critical thinking on their own, where's the downside? I have a problem with the idea of lulling people into thinking their few sanitized sources will provide all the answers for them. It's a sucker's game. >If you are saying you can audit the code of a whole OS yourself, than >you must be a code god, and all of these people who bitch about >"sciptkiddies" and the like just stealing other people's research >should only say so if they have never made use of these sources >themselves. Putting the question of my credentials and abilities aside for a minute, ask yourself: when was the last time you saw exploit code coming out of Ft. Meade(or an NSA-affiliated FFRDC)? You think they haven't written any? No amount of handwaving will ever change the fact that many talented people (for whatever reason)are motivated to keep exploits to themselves. Given that you'll always be vulnerable, where's the sense in tricking people into thinking that as long as they keep up with what's happening at SecurityFocus they'll be safe? Dropping the "full disclosure" posturing in favor of the infinitely more honest "exploits for customers" policy makes explicit what cynics have known all along. It's not about "responsible disclosure", it's about not giving away a marketable commodity for free. Fine. Now maybe it'll be a little harder to avoid owning up to who's actually been doing the work. >You have to start somewhere to learn, and you have to be able to pool >resources to share the load in auditing the amount of code and >programs available today. True, but none of this will change for people genuinely interested in finding community--nobody worth mentioning is going to stop learning and sharing. It's just going to move away from SecurityFocus and potentially raise the bar a little. Which is fine with me. Ratel. *** "Americans used to roar like lions for liberty. Now we bleat like sheep for security." - Norman Vincent Peale. -----BEGIN PGP SIGNATURE----- Version: MailVault 2.2 from Laissez Faire City http://www.mailvault.com iQA/AwUAPiHxP+YNtyh3zif9EQKhrACfUQGz3IJDJjghUuOcmRWIypss62IAn3DH sVQ57Eo546N3p5FqoJCcfW+8 =7zfT -----END PGP SIGNATURE-----
Powered by blists - more mailing lists