lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <426D48BF.7030407@sdf.lonestar.org>
Date: Mon Apr 25 20:45:34 2005
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: [VulnDiscuss] Re: -==phpBB 2.0.14 Multiple
	Vulnerabilities==-[Scanned]

Steve Friedl wrote:

>On Sun, Apr 24, 2005 at 01:23:09PM -0400, Dave Aitel wrote:
>  
>
>>Nothing happened to that - it was never true. Those of us who find bugs 
>>would really appreciate it if every Microsoft MVP would stop 
>>astroturfing these lists about it too.
>>    
>>
>
>You don't care what we think: why would we care what you think?
>
>  
>
I don't think he said that at all.

There's a big difference between discussing disclosure etiquette and 
demanding that one's terms of disclosure etiquette be followed.  Those 
on the "full disclosure sucks" end tend to do the latter.

Frankly, Dave's right - it was never required to inform the vendor.  Is 
it a nice thing to do?  Sure. (informing the vendor, that is...)  Is it 
the responsible thing to do?  I tend to think so...

But, should one be compelled to do so?  I don't think so.  Frankly, I'd 
hate to see what the world would be like if we had to pass our actions 
through Acme XYZ company whenever we do anything... I mean, I suppose if 
you like servitude, then having to get permission for everything would 
make sense...

It comes down to this: when real people find out something or other 
regarding a product, they should be allowed to share that information 
without restriction.  That's the organic nature of information: live 
with it because it's not going to change.  The alternative is a freeze 
on information that would amount to the destruction of all information 
freedom and, ultimately, the death of democracy (if it ever actually 
existed)...

Now, responsible disclosure is one thing, but there is no requirement to 
be responsible.  And that isn't to say that just disclosing a bug is 
inherently irresponsible.  If the vendor is not responsive or has not 
been responsive in the past, then I say disclose away.  At that point, 
disclosure is the responsible thing to do.

Neither side bares a rosy picture:  full disclosure can result in users 
being harmed... but those who've spent any remote amount of time amongst 
real hackers/crackers know that that is no different than the status 
quo.  (Most of them never end up as MS MVPs, btw)  The "full disclosure 
sucks" side of the table results in a concept which forwards the idea 
that a freeze on information ultimately is a good thing and we should 
all eat from the corporate trough. 

I'd take my chances with the status quo, keep the flow of information 
moving, and use that information to protect myself. 

No offense meant, but can't we all just get along on this little playground?

             -Barry


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ