Message-ID: <CAPGeVWNCogq5t4rM4QzYFCUHE5OfNVL6vr99kMpTdc3tOy-OfA@mail.gmail.com>
Date: Sat, 14 Jan 2012 08:33:13 -0700
From: Sanguinarious Rose <SanguineRose@...ultusTerra.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Rate Stratfor's Incident Response

I've been watching this chat for a while and I have to say a lot of
views here do not impress me and are in fact why I will never report a
vulnerability if I find one. Why would I want to even risk getting
arrested and/or FBI trouble from observing a security flaw? My policy
on finding them is to quietly just move along. I'm sure I am not the
only one that does this or has come to such a conclusion about whether
it is even worth the trouble.

I like how the assumptions are always that this person is horrible and
bad for having found a security flaw, he must not be trusted and must be
treated like a criminal. Why would he even be reporting it to begin with
if his goal is abusing the security flaw? After all, this dangerous
cyber criminal had the audacity to take the time to tell you about the
flaw in an email and should be punished for their indiscretion of
reporting it.

The analogy of a house is a very, very bad one. Do you expect
thousands of people to be walking around your house akin to viewing
the website? A more appropriate one would be a public store with doors
that happen to be unlocked to completely open.

"If it's not broken don't fix it" is the classical saying of many
individuals and sadly even more apply it to security. Even reporting
the flaw in some cases results not in fixing it but in legal troubles
for the person reporting it. You would think they might want to fix it
after being informed about it, right? After all, if it works why fix it?
Why not silence that bad apple that found the flaw, and no one else
will know, kinda like daddy's little secret.

In conclusion, I don't care to report anything, and why is perfectly
illustrated by some of the replies to this discussion; the above is
why.

Flaming Welcome :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
