Full Disclosure mailing list archives
Shiver me timbers.
From: full-disclosure () lists netsys com (Ka)
Date: Mon, 19 Aug 2002 22:23:14 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Aliver,

you misunderstood my intention. I was simply expressing my point of view; I'm not intending to tell anybody what to do or what not to do. I appreciate this list very much; in fact, after recognizing that, for example, bugtraq is withholding critical information often for weeks, I was looking forward to such a list (as is formulated in its goal and yet to be realized). And I was answering one of your posts because I saw from your statements that you are not buying a ready-made philosophy but expressing your own point of view in clear words.

Having said that (sorry for the flattery .o) I just want to explain my point: what about the colleagues (like me) who are neither experienced in exploit-writing nor inexperienced in programming, and willing to learn? And of course learning on an actual problem, trying to verify and fix the imminent software flaw before exploits are in wide use. That's more to my taste than just waiting for the rpm from the distributor and then simply installing it (and having to install it immediately, because so many weeks have already passed after the first detection).

On Monday, 19 August 2002 19:57 aliver () xexil com wrote:
> [...] What I'm addressing is the flawed idea that everybody has to share this work if it applies to some vendor's product, no matter what.
Sure.
> [...] doing free research for a greedy company still sucks,
Certainly. One of the reasons I quit my last job.
> [...] and categorically applying some "ethical" standard is a sure sign of lack of the ability to think for yourself.
Absolutely.
> Again we are talking about security vulnerabilities, not just general "information" as you put it.
Not agreeing on that one. Security concerns have become general. The whole net depends more and more on it (negatively or positively).
> Again, you are over-generalizing and being way too ambiguous. What kind of bug? A security vulnerability is a specific type of bug with specific types of implications often greater than a simple "program X won't function in condition Y."
I don't play this black-n-white game, it sounds too much like 007 movies to me. A bug in a compiler or OS can be far more costly than a defaced website. The only difference I see in the security sector is that there is the _intention_ of the intruder, an intention which is far too easily named "malicious" for my taste. "Malicious" has nothing to do with hacking or not hacking, it's a different dimension -- one can be malicious within the letters of the law (and without). Yet a good tester will always have the "malicious" intent to bring the developed system down. The IBM black team was feared for that (long ago .o)
> I for one am not suggesting that the "exchange" of know-how among hackers be hindered.
Fine.
> I'm suggesting that a person in a researcher role has the right to exercise his own judgment before he decides what to do with his research.
I agree. But a lot of people might not. This is against the basis of our so called "modern" society, which is in fact anti-individual in large areas.
> I'm also saying that there are many conditions where that individual might be morally justified by withholding a bug with security implications from the original vendor. Lastly, I'm suggesting that one-size-fits-all "ethics" from whitehats publishing silly "RFC" documents on what I should do are a vile idea.
Sure, I never understood you otherwise. Ethics stink, whether they come from society or anti-society. But at least this RFC was an attempt to make the decision processes public and transparent. After all, it's a "request for comments". That we don't need more RFCs but more individuals is not the fault of the authors of the RFC. That _some_ of the "disturbing" postings to this list showed the respective hacker's individuality was also not always recognized.

Greetings
Ka

P.S. This email has become quite personal (and OT to this list). Nevertheless I post it to the list in the hope that my standpoint might help communication between black-n-white.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9YVPA72vu22ltWBERAlYCAJ9XbftP54GxzqiIVDR+S+TdtSrfwgCfY/eX
TW3r+gRcm/sDoptGoBRVvQU=
=H2m8
-----END PGP SIGNATURE-----