Full Disclosure mailing list archives

RE: Security Industry Under Scrutiny: Part One


From: ATD <simon () snosoft com>
Date: 14 Nov 2002 15:10:49 -0500

Sockz,

In response to this post....

You said: * security advisories are rarely based on original concepts

Response: Maybe not, but they are based on original bugs that could be threatening to the infrastructure of many companies.

You said: * most of them are filled with lots of crap used to build up the reputation of the whitehat.

Response: I'd like to see the evidence that you have to support this claim.

You said: * whitehats should contact vendors and not public forums as only the vendors can release an update.

Response: When vendors are contacted they are not always inclined to do what is right, but would rather save face. If we did this, and did not post to the public, we would be A: denying the public knowledge of a threat and B: allowing vendors to lie to clients. Also, look at what happened to us when we tried to contact HP about Tru64.

You said: * "proof of concept" toolz are used to fuel script kiddies so as to justify the employment of security professionals. kinda like the CIA bombing a skyscraper to get more funding.

Response: Proof of concept code is just that, used to prove a theory/concept. Without the code vendors would probably not respond to issues. Plus, who said the code had to have a malicious payload? I know how to write non-malicious proof of concept code, don't you?

things we can do to make the security industry better:
 
You said: * don't post to public forums. contact the vendor directly. make vendors more responsible for their products.

Response: The aforementioned HP incident with SNOsoft (us).

You said: * stop producing "proof of concept" code/tools, as these are more often used to harm, rather than to heal.

Response: See above; I don't choose to be redundant.

You said: * care more about security and less about money.

Response: Knowledge is power and thus education will make the community more powerful. Sharing information in public lists is one way to educate people.

For all of those who are anti full disclosure, why are you signed up for
this list? I think that I speak for the majority here (correct me if I
am wrong). I think full disclosure is a powerful asset to the security
community and I have yet to see any convincing arguments to counter
that. The majority of the arguments that I see against full disclosure
are opinion based and emotional (some almost childish). The arguments
that I see for full disclosure are supported by facts and history.




-- 

-ATD-

http://www.snosoft.com
-------------------------------------------------------------
Secure Network Operations |     Strategic Reconnaissance Team
Cerebrum Project          |     cerebrum () snosoft com
-------------------------------------------------------------
