Message-ID: <48F284A0.8050503@gce.com>
Date: Sun, 12 Oct 2008 19:13:36 -0400
From: Mary and Glenn Everhart <Everhart@....com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: licensing discussion
Gents -

Consider an old quote from LBJ, approximately "the design of a law when
well administered is rarely the problem. Designing measures that work
when badly administered is what is difficult."

A licensing system might conceivably be administered to enhance security
for the world's software and systems. However, it is also likely one
might be administered to simply shut down all the inconvenient
discussions of vulnerabilities and any open research into them, which at
least could allow vendors less adverse publicity.

I consider this far more likely than a system that would genuinely
distinguish good from evil intentions. If recent history - look at how
DMCA gets abused in the US and how surveillance "against terrorism" has
become surveillance for all manner of other stuff - cannot convince,
then just ask where those running a licensing activity might get their
people. Care to give odds how many basically unattested experts will be
there, and how many corporate testers, regardless of the relative level
of understanding of these people?

Throwing out notions that government might save us from this or that
evil tends to forget that in the past government has in many cases
royally "screwed the pooch", and has in others managed not to do its job
well enough to avoid other crack-ups (like the current financial
disaster, where apparently they sat by and allowed $60+ trillion in fake
insurance policies to be written without any capital to back them up).
(The figure is gleaned from news reports.)

I suspect that looking for technical solutions to some of the infosec
problems is much more likely to work than tossing the problem over the
wall to the government.

Glenn Everhart
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/