Message-ID: <426D48BF.7030407@sdf.lonestar.org>
Date: Mon Apr 25 20:45:34 2005
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: [VulnDiscuss] Re: -==phpBB 2.0.14 Multiple Vulnerabilities==-[Scanned]
Steve Friedl wrote:
>On Sun, Apr 24, 2005 at 01:23:09PM -0400, Dave Aitel wrote:
>
>>Nothing happened to that - it was never true. Those of us who find bugs
>>would really appreciate it if every Microsoft MVP would stop
>>astroturfing these lists about it too.
>
>You don't care what we think: why would we care what you think?
I don't think he said that at all.

There's a big difference between discussing disclosure etiquette and
demanding that one's terms of disclosure etiquette be followed. Those
on the "full disclosure sucks" end tend to do the latter.

Frankly, Dave's right - it was never required to inform the vendor. Is
it a nice thing to do? Sure. (informing the vendor, that is...) Is it
the responsible thing to do? I tend to think so...

But, should one be compelled to do so? I don't think so. Frankly, I'd
hate to see what the world would be like if we had to pass our actions
through Acme XYZ company whenever we do anything... I mean, I suppose if
you like servitude, then having to get permission for everything would
make sense...

It comes down to this: when real people find out something or other
regarding a product, they should be allowed to share that information
without restriction. That's the organic nature of information: live
with it because it's not going to change. The alternative is a freeze
on information that would amount to the destruction of all information
freedom and, ultimately, the death of democracy (if it ever actually
existed)...

Now, responsible disclosure is one thing, but there is no requirement to
be responsible. And that isn't to say that just disclosing a bug is
inherently irresponsible. If the vendor is not responsive or has not
been responsive in the past, then I say disclose away. At that point,
disclosure is the responsible thing to do.

Neither side bears a rosy picture: full disclosure can result in users
being harmed... but those who've spent any remote amount of time amongst
real hackers/crackers know that that is no different than the status
quo. (Most of them never end up as MS MVPs, btw) The "full disclosure
sucks" side of the table results in a concept which forwards the idea
that a freeze on information ultimately is a good thing and we should
all eat from the corporate trough.

I'd take my chances with the status quo, keep the flow of information
moving, and use that information to protect myself.

No offense meant, but can't we all just get along on this little playground?

-Barry