Message-ID: <001601c464e9$5241fb70$6500a8c0@p41700>
From: chows at ozemail.com.au (Gregh)
Subject: Re: Public Review of OIS Security Vulnerability Reporting and Response Guidelines

----- Original Message ----- 
From: "ET LoWNOISE" <et@...erspace.org>
To: "Fred Mobach" <fred@...ach.nl>
Cc: <bugtraq@...urityfocus.com>; "OIS" <announcements@...afety.org>;
<NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>; <full-disclosure@...ts.netsys.com>
Sent: Thursday, July 08, 2004 12:56 PM
Subject: [Full-Disclosure] Re: Public Review of OIS Security
Vulnerability Reporting and Response Guidelines


> Instead of publishing personal opinions over the OIS, it's better to
> focus on the Guideline again. The Process is based entirely on the vendor
> but not on the customers, going against the "efforts to safeguard
> customers". Even the participants group doesn't include them as an
> active part of the process.
>

My response to the OIS is rather a simple one:

1) Someone decides upon a "source" to where all reports can go no matter what
is in them. This source should be at an email account that cannot be easily
identified.

2) Source picks them all up and without fear or favour redistributes them in
the same manner. E.g., if you are worried about being identified and hit by
the authorities then don't include anything that can identify you, as only
the text of the letter is to be reproduced. People email "an address" in
order to get on or off the list depending on how it is run by "the source".

I can do the above and I admit I am nowhere near the ability of most in the
security field so I am sure there is someone who can do it. If the list
maintainer is careful, I find it hard to believe anyone not wishing
identification (which is basically self gratification) would be found.

Thus, any rules people do not wish to adhere to (e.g., governments thinking
that anything to do with security is basically hacking etc.) don't have to be
adhered to.

If anyone gets enough guts to think this is a good idea and do it, do me a
favour and call it either "Anarchy" or "Friar Tuck's revelations" (for those
who don't understand, look up Spoonerisms and apply it to "Friar Tuck", which
is what those that are telling the security industry that they can't do their
jobs without being hit can do).

Oh and BTW, if you DO decide to do this, let me know! I want to be on it.

Greg.
