lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050727155718.GC10546@sivokote.iziade.m$>
Date: Wed Jul 27 16:56:22 2005
From: guninski at guninski.com (Georgi Guninski)
Subject: Our Industry Is Seriously Ethics Impaired

On Tue, Jul 26, 2005 at 09:56:45PM -0500, J.A. Terranson wrote:
> 
> The so called .Zero Day Initiative. is aimed at ensuring the 'responsible'
> disclosure of security flaws in order to make technology more secure for

this is how i interpret "responsible" - you give them the 0day and give up
your consitutional right of "free speech". they give you a few bucks.
very close to the american dream.
then they get richer and "you grow older and they grow colder and nothing 
is very much fun anymore" [1].
the movie "corporation" expliains it to some extent.

> all users. The goal is to proactively protect businesses against newly
> discovered vulnerabilities.
> 

the goal is money, this is the PR version for the users naiive enough to vote
for idiots.

> 3Com will notify affected vendors of security flaws so they can
> immediately begin working on a solution, most often in the form of a

secondary market of bought 0days?

> The company stressed it would share vulnerability details freely with
> other security vendors prior to public disclosure.
> 

hope they don't forget to carbon copy me with the 0days different from CSS.

> Zero day disclosure occurs when the discoverer of the vulnerability
> discloses the flaw to the public without notifying the vendor, putting
> businesses at risk from the time of disclosure until the affected vendor
> issues a patch. It can take vendors weeks or months to supply a patch.
> 

it is legal where i live.

> division, said: "This program will extend our research organization even
> further, and enable us to tap some of the most brilliant minds in the
> global security research community..
>

i believe they will not "tap some of the most brilliant minds".
when one reaches a certain level of expertise and/or experience, the chances
that he is a money whore are low imho.


[1] paraphrased Pink Floyd, "One of my turns"

-- 
where do you want bill gates to go today?
 

Powered by blists - more mailing lists