Message-ID: <010303171928390.9486-100000@www.nmrc.org>
From: hellnbak at nmrc.org (hellNbak)
Subject: [OT] Re: Quick Question

> [sorry for the flame war, but this more of the faq]

I wasn't aware that this was a flame war.  Some are mature enough to
debate a subject without resorting to such silly things.


> I support my words that I don't do security work for the money.
> Of course I have to do something for living.
> Once again money is not sufficient incentive.

Care to actually back this argument up?  It is clear that you, like most
of us (there is nothing really wrong with it in my opinion), are a security
consultant.  You take what you enjoy and what you seem to be good at and
make a living from it.  There is nothing wrong with that as long as you
are honest about it.  Perhaps that is the problem.

> The IETF just said "NO" to this.

Yes, and they did so based on some valid reasons but that does not take
away from the need for a standard.

> RFP can do whatever he wants with his 0days and I don't care.
> But his writings do not apply to me.
> btw, have not seen interesting stuff from RFP recently (don't have anything
> against him).

So you are saying that being responsible or even having a standard
somehow prohibits research?  Wow, if that is truly the case I can see why
you are so against a structured reporting policy.

>  From the above url:
> "There is no industry consensus on what constitutes best practices for
> vulnerability disclosure"
> So what?

And your point is?  You are right, there isn't a standard.  But that
doesn't mean that there shouldn't be one.

> Have you read this:
> http://lists.netsys.com/pipermail/full-disclosure/2002-August/000822.html
> Free Hacker Manifest
> People seem to support this, you know.

Yes, some do.  Again, highlighting the need for an accepted standard.

> Also, if you use your 3l33t s34rching skills, you can find that in 98-99
> Microsoft publicly thanked me for exactly the same behavior.

Judging by your opening lines, I think it is you, Georgi, who owns the 31337
s34rching skillz......


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@...c.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

