lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <27503.1217969873@turing-police.cc.vt.edu>
Date: Tue, 05 Aug 2008 16:57:53 -0400
From: Valdis.Kletnieks@...edu
To: n3td3v <xploitable@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Media backlash begins against HD Moore and
	I)ruid

On Tue, 05 Aug 2008 20:36:12 BST, n3td3v said:

> Is what you're describing not against the law Valdis, it sure sounds
> like it to me. Some kind of gross negligence...

Note that it's "gross negligence" only if there is a *high* risk of *actual*
damages that a reasonable person should have forseen.  Also, in the vast
majority of cases, the concept only applies to events you actually have control
over - so in this instance, HD Moore could *conceivably* be negligent towards
*his* company, but if *other* customers of ATT suffer because ATT doesn't fix
their stuff, that's ATT's problem, not HD's.  However much you may *want* it to
be HD's fault for not contacting ATT and warning them, the law usually doesn't
work that way - nor do you *want* it to.  If HD was required to warn ATT, then
the readers of FD would *also* be required to contact the police in your area
and warn them that there was a clueless and mentally unstable person wandering
around with significant chance of serious injury to themselves...

For bonus points - identify the actual *LOSS* to HD Moore from the DNS
getting hacked.  Looks to *me* like he came out *ahead* - he got more headlines
talking about it than you can ever hope to get.

> I wonder if the the intelligence services thought like you before 9/11
> and 7/7 eh...I get the feeling they did.

Yes, and since then, we've *failed* to do proper risk analysis.  We've spent
some five hundred billion dollars and gotten some 6,000 soldiers killed to
prevent another attack that kills 3,000 and does 10 billion dollars in damage.
So far, we're about 3,000 people and $490,000,000,000 in the hole.

And here's news for you:  Many government agencies *still* do calculations that
way.  They calculate a "value of a life", and use it to evaluate things like
environmental and safety regulations:  If a life is worth $5M, and the
regulation is projected to save 500 lives (via lower risk of cancer, fewer car
crashes, whatever), the regulation has to cost less than $2.5B to implement to
be worth it.  If it costs $2B, but only saves 50 lives, that's $40M per life
and not worth it.



Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ