Full Disclosure mailing list archives
Shiver me timbers.
From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Tue, 20 Aug 2002 08:36:57 -0700
--DrWhICOqskFTAXiy Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Aug 20, 2002 at 12:38:04AM +0200, peter () bank-connect com said:
I am wondering.... =20 Besides the "I am bad and you cannot stop me" threads, the main issue (of course) seems to be whether to publish exploits/vulnerabilities found. Although one might want to hold one's own moral judgement against others, such appears mostly futile. Thus the personal moral evaluation gets all the more relevant. One aspect I've found missing so far is the distinction between commercial and open/contributed software.
A critical distinction indeed. More attention needs to be paid to the fact that all situations are not the same, and hacking targets (for the blackhats), as well as vulnerability releases, need to be tailored to the situation. I feel no compunction to send word to Microsoft, for example, of any bugs I find in MSIE or any of their other products. For one thing, any such bug would likely be almost exactly the same as a dozen other similar bugs already disclosed and patched, individually. Also, MS has billions of dollars to spend on hiring good coders, and enforcing good programming practices. They obviously do not consider this to be a priority. Now, if I found a bug in, say, Apache or OpenSSH, I'd notify the developers immediately, both because I use these products heavily, and because they're open source projects that I wish to support. While more high-profile projec= ts (like Linux or Apache) may have some level of corporate funding, they are still mostly volunteer efforts. There is no multi-billion dollar R&D budget as exists at MSFT, Sun, etc. Thus, entirely different situations, calling f= or entirely different responses on my part (IMO).
I also fail to see the distinct link between (not)publish and morals. Would every must-publish-hat (:>) willingly help that notorious spammer? Or would every must-not-publish-hat deny assistance to the makers of his favorite OS or web-stat tool? I would like to be surprised by any consistent moral motivation by either faction. I'm afraid that moral judgement cannot be made by rules of thumb. Then, I'm also afraid there's always going to be a bit of sacrifice in order to achieve "morals". But hack, none of that's any good for sake of argument.
I agree with you here - while my personal ethical code remains fairly constant, each situation must, IMO, be evaluated on its own merits.
So, indeed, argument is a decent thing. And as far as moral obligations go, there's just the arguments that can be spelled out. So that they can be a mirror to anyone that is compelled to reflect. An RFC to simply formalize the required procedures for any vulnerability found seems to me like a grave over simplification.
Indeed - I think the original rfpolicy was a good idea, but any such policy or RFC can be, at best, only a starting point. From that starting point, one can then begin to decide what actions are warranted in each specific situation. --=20 -=3D Scott Francis || darkuncle (at) darkuncle (dot) net =3D- GPG key CB33CCA7 has been revoked; I am now 5537F527 illum oportet crescere me autem minui --DrWhICOqskFTAXiy Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9YmIZWaB7jFU39ScRApg1AJ4oYBlPyFU+nG4lvQLEXw2bR9RqHACgoSvr 6WQdAJlrJoN5i079UWATjeo= =i7uW -----END PGP SIGNATURE----- --DrWhICOqskFTAXiy--
Current thread:
- Shiver me timbers., (continued)
- Shiver me timbers. full-disclosure () lists netsys com (Aug 19)
- Shiver me timbers. Timothy J.Miller (Aug 19)
- Shiver me timbers. full-disclosure () lists netsys com (Aug 19)
- Shiver me timbers. Timothy J.Miller (Aug 19)
- Shiver me timbers. full-disclosure () lists netsys com (Aug 19)
- Shiver me timbers. Timothy J.Miller (Aug 19)
- Shiver me timbers. full-disclosure () lists netsys com (Aug 19)
- Shiver me timbers. Ka (Aug 19)
- Shiver me timbers. full-disclosure () lists netsys com (Aug 19)
- Shiver me timbers. Ka (Aug 19)
- Shiver me timbers. Peter van den Heuvel (Aug 19)
- Shiver me timbers. full-disclosure () lists netsys com (Aug 20)