Shiver me timbers.

[full-disclosure () lists netsys com (full-disclosure () lists netsys com)]

--DrWhICOqskFTAXiy
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Aug 20, 2002 at 12:38:04AM +0200, peter () bank-connect com said:
> I am wondering....
> =20
> Besides the "I am bad and you cannot stop me" threads, the main issue
> (of course) seems to be whether to publish exploits/vulnerabilities
> found. Although one might want to hold one's own moral judgement against
> others, such appears mostly futile. Thus the personal moral evaluation
> gets all the more relevant. One aspect I've found missing so far is the
> distinction between commercial and open/contributed software.

A critical distinction indeed. More attention needs to be paid to the fact
that all situations are not the same, and hacking targets (for the
blackhats), as well as vulnerability releases, need to be tailored to the
situation. I feel no compunction to send word to Microsoft, for example, of
any bugs I find in MSIE or any of their other products. For one thing, any
such bug would likely be almost exactly the same as a dozen other similar
bugs already disclosed and patched, individually. Also, MS has billions of
dollars to spend on hiring good coders, and enforcing good programming
practices. They obviously do not consider this to be a priority.

Now, if I found a bug in, say, Apache or OpenSSH, I'd notify the developers
immediately, both because I use these products heavily, and because they're
open source projects that I wish to support. While more high-profile projec=
ts
(like Linux or Apache) may have some level of corporate funding, they are
still mostly volunteer efforts. There is no multi-billion dollar R&D budget
as exists at MSFT, Sun, etc. Thus, entirely different situations, calling f=
or
entirely different responses on my part (IMO).

> I also fail to see the distinct link between (not)publish and morals.
> Would every must-publish-hat (:>) willingly help that notorious spammer?
> Or would every must-not-publish-hat deny assistance to the makers of his
> favorite OS or web-stat tool? I would like to be surprised by any
> consistent moral motivation by either faction. I'm afraid that moral
> judgement cannot be made by rules of thumb. Then, I'm also afraid
> there's always going to be a bit of sacrifice in order to achieve
> "morals". But hack, none of that's any good for sake of argument.

I agree with you here - while my personal ethical code remains fairly
constant, each situation must, IMO, be evaluated on its own merits.

> So, indeed, argument is a decent thing. And as far as moral obligations
> go, there's just the arguments that can be spelled out. So that they can
> be a mirror to anyone that is compelled to reflect. An RFC to simply
> formalize the required procedures for any vulnerability found seems to
> me like a grave over simplification.

Indeed - I think the original rfpolicy was a good idea, but any such policy
or RFC can be, at best, only a starting point. From that starting point, one
can then begin to decide what actions are warranted in each specific
situation.

--=20
-=3D Scott Francis || darkuncle (at) darkuncle (dot) net =3D-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui

--DrWhICOqskFTAXiy
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9YmIZWaB7jFU39ScRApg1AJ4oYBlPyFU+nG4lvQLEXw2bR9RqHACgoSvr
6WQdAJlrJoN5i079UWATjeo=
=i7uW
-----END PGP SIGNATURE-----

--DrWhICOqskFTAXiy--