Full Disclosure mailing list archives
ranting.. was Re: (no subject) PS
From: Silvio Cesare <silvio () big net au>
Date: Tue, 26 Nov 2002 22:47:28 +1100
On Tue, Nov 26, 2002 at 09:56:22AM +0100, Boris Lorenz wrote:
> Yuppa, Euan Briggs wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > P.S. - I forgot to mention, I did not make that post because I support blackhats and what they do. I made that post because I support the intellectual freedom the internet gives us, and I believe it is something very precious indeed. I don't want to see it locked down by governments and crippled due to a paranoid response to the security risks, made so evident by people such as PHC. You are only providing them with another excuse to limit our electronic freedom, which is much more valuable than the freedom to break into machines with 0-day exploits.
> >
> > Euan
>
> Spot on, Euan. I couldn't have said it better myself.
>
> Boris
>
> ---
The problem with this idea is that freedom is doubtfully freedom if one cannot exercise freedom (let me explain). In sociology, they will often say that power is not power unless it is exercised. It is like saying "well, I could do that _if I wanted_ to", knowing full well that Mr/Mrs X would not be happy if you did that - so you never exercise your ability of power, even though you might be induced into believing you have power. When your mother gives you a stern look in the eye and says, "well.. if you really want it, I'll *, but think wisely before you make a decision" ;-) That is a classic example of being given a choice reflective of having power, but it's not really a choice at all - hence, you have no power unless you actually exercise it.

It's also why retaliation is an attempt to show power, because if you do not retaliate, then it may be indicative of being powerless. On the contrary, however, if a retaliation is not made when everyone believes it will be made, that is also indicative of power. Even if you believe you are able to exercise power (as in your mother's stern words above), and try to exercise this power thinking that it's not going to lead to retaliation by your mother, then you might be wrong..

The above can be exemplified through that of civil rights, which is also perhaps why the US constitution etc. goes through a frenzy on occasion. Think back to Hustler/Larry Flynt, when it was seen that what he was doing through Hustler and his humour was actually constitutionally protected [hope I get my history right here]. Before he actually tested the constitution, he couldn't be sure that he indeed had the freedom or power defined by the constitution. And this uncertainty was valid, because his "freedom" as defined by the constitution required a significant court/legal process to establish that indeed he was protected.

Even though it was established that he was legally protected, he was still attacked through legislation because he tried to exercise something that was "not accepted" - even though he did in "theory" have the ability to exercise his freedom. Then the question is of course.. was he "always" able to do those things that the government at the time disputed? Did he "always" have the power and freedom defined by his country's own constitution (later to be found that he was constitutionally protected)? Or was it not until he actually tried to exercise his rights that he discovered that the constitution at the time was not able to defend his rights (even though in "theory" it always had)? Civil rights issues are always like this, it seems ;-)

Now onto full-disclosure.. the question is then, should we all be "mature" and disclose "responsibly"? If a vendor makes no attempt to fix problems, yet by nature of disclosing we open the possibility of mass exploitation (let's say Apache or OpenSSH), do we still have the freedom or power of disclosure if we choose not to disclose? If the government tells us that by disclosing such software you are indeed helping the "blackhats", does that leave any "power" for the "whitehats" through disclosure? At the same time, if a "blackhat" discloses, does this mean the "whitehats" are powerless because they are the only ones supposedly allowed to disclose?

Full-Disclosure, as I see it, is a personal choice - However - if it is established that disclosure is either good or evil (black/white), and we are forced to live with that (primarily through legislation; check out the DMCA and even the RedHat advisories), it simply means that the disclosure is no longer exercising freedom (intent no longer applies now, since it is legislated), but simply a false freedom given to us by the powers that be, whenever they see fit.

Disclosure is often seen as being about individual responsibility. This I fully agree with - and it is not up to the "powers that be", whether it be the Government or Bill Gates, to enforce _our_ freedom upon us and take it away without remorse. Is disclosure about freedom then? I believe so. The public is perhaps one of the largest contributors to the "security" of the internet. It is through disclosure that many, many vulnerabilities are fixed - even those which vendors would often like us to ignore. If _you_, if _we_ had not found a vulnerability in various software and disclosed it - are you sure that your vendor would have done this instead? Am I, are we not all, entitled to see how safe our software is, if only by reading the number of vulnerabilities disclosed against certain software? [Software, as I understand it, isn't exactly the most well defined of scientific pursuits - though automated bug checkers currently seem to be heading us towards better quality software, though likely a long time from now before we see this.]

None of the above dictates that user freedom is defined by disclosure in and all by itself. It is again always a personal choice (and often dictated by our employers - another story), but it is certainly defined that the freedom for the users of software is taken away when they, when we, are required _not_ to disclose.

</rant>

--
Silvio

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: (no subject) PS Euan Briggs (Nov 23)
- Re: (no subject) PS Boris Lorenz (Nov 26)
- ranting.. was Re: (no subject) PS Silvio Cesare (Nov 26)
- Re: ranting.. was Re: (no subject) PS Ka (Nov 26)
- Re: ranting.. was Re: (no subject) PS Boris Lorenz (Nov 26)
- Re: (no subject) PS anakata (Nov 26)
- ranting.. was Re: (no subject) PS Silvio Cesare (Nov 26)
- <Possible follow-ups>
- RE: (no subject) PS Schmehl, Paul L (Nov 26)
- RE: (no subject) PS Gregory Kornblum (Nov 26)
- Re: (no subject) PS Boris Lorenz (Nov 26)