Full Disclosure mailing list archives
Re: Valid disclosure analogy
From: full-disclosure () lists netsys com (Defender Defender)
Date: Sun, 25 Aug 2002 22:09:47 +0000
On Sunday, Aug 25, 2002, at 12:05 US/Pacific, hellNbak wrote:What ever happened to get your money out of Bank A and inform all of Bank A's other customers via a public forum (media) in order to protect the general public from being abused by Bank A and their lack of security/process/whatever.......??? Sure, change banks, but I think there is a greater responsibility here as well.What Defender Defender (what a name) fails to mention is, that if a bank misrepresents the security of its money and an accountant (affiliated or not) stumbles across this misrepresentation he IS required to report it. In the case of software vulnerabilities, we encounter a huge number of situations in which the bank ("software vendor") knowingly misrepresents ("unbreakable") the security of assets stored within.
That is a very true point. I did not mention it because it does not justify to disclosure of vulnerability information on public lists. I am also an advocate of criminal charges against misrepresentation of security in any product (ex. oracle's unbreakable database). I would also support any movement that would force vendors to represent the security of their software correctly. However, I am not willing to put people at risk for that purpose, and I believe irresponsible any action that does. We also both know that if vendors were forced to rectify their marketing methods, they would most likely choose to put end to their pretentions as opposed to investing tons of $$$ in fixing their software. Corporations will always lie if they aren't forced not to do so. That is the problem that should be fixed.
Defender Defender (still amused) tries to liken the freedom to talk about mishandling of information or money in the bank with an actual break in, theft and destruction. This is an easy way to argue, especially if the intention is to criminalize the other party. Under quite similar circumstances Godwin's Law would prevent him from doing so.
I dont talk of crimes. I talk of acts and consequences. Please dont speculate on my intentions.
What Defender Defender fails to mention is the fact that disclosure does not happen "because vendors have been soooo diligent in the past" but because they have not.
No need to mention it. If a vendor does not pretend to offer a level of security it does not, it's up to him to act with diligence or not in regard to yet undisclosed vulnerabilities in its code. - Defender Defender
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com
Current thread:
- Valid disclosure analogy Defender Defender (Aug 24)
- <Possible follow-ups>
- Re: Valid disclosure analogy pooh pooh (Aug 25)
- Re: Valid disclosure analogy hellNbak (Aug 25)
- Re: Valid disclosure analogy Isaak Bloodlore (Aug 25)
- Re: Valid disclosure analogy hellNbak (Aug 25)
- Re: Valid disclosure analogy Defender Defender (Aug 25)
- Re: Valid disclosure analogy pooh pooh (Aug 25)
- Re: Valid disclosure analogy Defender Defender (Aug 25)
- Re: Valid disclosure analogy Defender Defender (Aug 25)
- Re: Valid disclosure analogy Defender Defender (Aug 25)
- Re: Valid disclosure analogy Defender Defender (Aug 25)
- Re: Valid disclosure analogy pooh pooh (Aug 25)
- Re: Valid disclosure analogy Defender Defender (Aug 25)
- Re: Valid disclosure analogy pooh pooh (Aug 26)
- Re: Valid disclosure analogy Defender Defender (Aug 26)