RE: requires full discussion of political and legal aspects of security

[Mads Tansø <azmodan () linux online no>]

If anyone on this list doesn't "like" or "approve" of some of the more
or less useless discussions, aren’t they free to either block,
autodelete or just don't read the mail they consider to be garbage?
By replying to it with useless comments on why these topics shouldn't be
on the list, they end up amplifying topics, creating even more junkmail
for us others to read, autodelete or even block mailaddys for...
> From my point of view; if you aren’t capable of adding a block-rule for
the mails you don’t want to receive you've got nothing to do on such a
list. 

Now, go cry...

Ooh.. Did I hear $500 for the openssh 0-sec? Oh, wait, ya'll probably
more interested in spamdeleters for this list than security, so ill go
release it on p4ck3tst0rm instead... be0tches...

Mads Tansoe
a.k.a Azmodan
Dark Magic Network Crew

/* 
Wouldn’t ya all love to be able to put yer name on yer mails? Woohoo ;p
Freedom of speech, freedom to friggin copy and distribute yer dvds, dl
metallica and write some nifty exploits... All with the law behind YOU?
Say YES to .NO.. What we exploit today, others will exploit tomorrow.. 
Dark Magic Network Crew
*/

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Matthew
Murphy
Sent: 19. april 2003 21:41
To: Full Disclosure
Cc: jasonc () science org
Subject: Re: [Full-disclosure] requires full discussion of political and
legal aspects of security


----- Original Message -----
From: "Jason Coombs" <jasonc () science org>
To: "Matthew Murphy" <mattmurphy () kc rr com>; "Full Disclosure"
<full-disclosure () lists netsys com>
Cc: "Len Rose" <len () netsys com>
Sent: Saturday, April 19, 2003 1:25 PM
Subject: RE: [Full-disclosure] requires full discussion of political and
legal aspects of security


> Matthew Murphy wrote:
> > These kind of discussions, while interesting to some list members,
are
not
> > why I subscribe to this list.  The list's purpose is for discussion
of
> > security issues -- Theo de Raadt's poor cry baby routine is not a
security
> > issue.  Please keep off-topic discussions like this to a minimum, as
they
> > will destroy this list.  List subscribers, many of whom are looking
for
> > actual vulnerability details (and not discussion of world ideals),
will
> > begin to leave in droves if posters do not learn to show basic
restraint.
> > If it isn't a security issue, don't post it.  Period.  I will adopt
this
> > policy from this post forward, and I encourage others to do the
same.
> As somebody who has conspicuously and intentionally pushed for more
political
> discussion on this list, I must say first that I disagree completely
and
> second that I have no intention of withholding political discussions
from
this
> list so you'll either have to tolerate (or filter) me, or lobby Len to
block
> my postings if they really offend you.

I don't find your posts offensive, I find them to be useless junk mail
that
clutters my inbox.  If I wanted to hear your political views, I would
have
joined a list of politicians.  I joined a list of security researchers
--
specifically hoping that the lack of oversight would keep political
things
(e.g, selective moderation) out of the list.  Obviously, posters like
yourself will make sure that goal is never reached.  While it is not
possible to have a discussion without some *sense* of politics, it is
possible not to have *political discussion*.  I could understand a story
about something relevant to me that you legitamitely think I need to
know --
some threat to my well-being, occupation, etc.

I don't see how some U.S. government agency cutting off money to Theo De
Raadt impacts me, or many of the list's other subscribers to the point
where
people's extremist political ramblings need to be flooding my inbox
every 5
minutes.

> Geek crypto tech cipherpunk penetration and vulnerability discussions
without
> political and legal context encourage and foster gross
misunderstanding of
> reality and place those who engage in security and cryptography
research
at
> risk of unreasonable prosecution and persecution beyond socially
acceptable
> and beneficial self-regulation.

I didn't say we needed to have another BugTraq, I just said the
discussion
needs to be *relevant*.  And, btw, if you think this list is
self-regulation, you're sadly mistaken.  Self-regulation (essentially
anarchy -- by the proper meaning anyway) cannot happen in security.  The
minute there is a need for security, self-regulation has failed.

> You've already made a political statement by joining this list: you
reject
the
> politics of partial-disclosure or no disclosure on the grounds that
you
and
> those who rely on you for expertise are best served when everyone
receives
> full and timely disclosure of vulnerability details. You are
implicitly
> insisting that forces of oppression that curtail disclosure and
discussion
do
> far more harm than good.

By joining this list, I hoped to keep political garbage like Symantec's
hiding of information, selective moderation, etc. from coming here.  I
did
not join this list for an open-ended political discussion, but for an
open-ended discussion of *security issues* as is in the charter.

> I reject your implication, and the implication of others on this list
who
have
> communicated as much to me in the past, that political and legal
discussions
> pertaining to security are harmful to the list's well-being and focus.

Pertaining to security how?  Other than the fact that Theo De Raadt is
an OS
project manager with a security interest, and he lost money he admitted
he
never needed... that's just too much of a stretch, especially when the
list
charter says politics should be avoided "at all costs".

> You've probably noticed that with a couple exceptions we all know
better
than
> to engage in flame wars, especially over a non-technical political or
legal
> matter.

That assertion is ridiculous, because this *is* a non-technical
political
matter we are dealing with here. :-)

> This self-regulation is working, and the tone and scope of discussion
> on this list coupled with the lack of restrictive moderation makes it
superior
> to bugtraq and others.

I would wonder about that assertion.  In its current state, this list
drowns
my e-mail box in so much ridiculous junk that it becomes nearly
impossible
to search through a week's worth of postings (a hundred or so), and find
the
few things which actually deserved a place here.

> The most compelling reason to support thoughtful and well-informed
political
> and legal discussions rather than cast hate upon them as having
nothing to
do
> with the topic of security is that we who support full disclosure are
wise,
> patriotic, law-abiding realists whose understanding of the technical
subject
> matter combined with our experience in the real world convince us
beyond
any
> doubt that only the self-interested minority of power and money elite
benefit
> from suppressing full disclosure -- and we recognize, being realists,
that
> every disclosure made without the full support of the self-interested
minority
> places those responsible at risk.
>
> You cannot seriously sit on the sidelines of this list, exposing
yourself
to
> (nearly) zero risk (*), and benefit from the hard work being done and
hard
> risks being taken by others, while simultaneously proclaiming that
discussion
> of the political and legal risks being taken by those who do the work
that
> benefits you is somehow off-topic.

As a poster to the list, and a reader of the list, I get very little
benefit
from political discussions such as these.  Had this discussion involved
something such as a grant specifically for the purpose of *security*
(and
not just concerning the personal reputation of Theo De Raadt), I would
have
had some knowledge to gain from it.  The way it is now -- mindless
political
ramblings about "free speech" from all corners of the world -- teaches
me
nothing about security or any related matter.  Had this been a
discussion of
threats to/reasons for support of free speech, I would have had a good
context.  The way this discussion has been presented has no context,
only
the rantings of a Canadian cry baby about U.S. law.

Further, I'd be interested in what makes you believe you have taken
substantially more risk than I have, as a fairly regular contributor to
the
list.  Were I not a regular contributor, I would have long ago
un-subscribed
so that I didn't have to put up with thoughtless political rants and
useless
junk e-mail such as your post here.

> In the good 'ol days there used to be an explicit requirement for
> contributions from every member who benefits from the risks being
taken by
> others. Either you contributed, and thus took some risk yourself, or
you
were
> not entitled to benefit from the risk-taking of others. We've moved
beyond
> that point now, and realize that it would be wrong to withhold the
benefits
> from anyone: this is the essence of full disclosure.
>
> But don't tell me this list is not political. If it's just bugtraq
without
> Dave Ahmad then I need to unsubscribe.

What about the provision in the charter that says "politics should be
avoided at all costs"?  That seems to say that the list's goal is
***NOT***
politics.

> (*) During World War II, the Nazis apparently used telephone company
records
> to find out who called who. Whenever they hauled a family off to a gas
> chamber, they were sure to check that family's telephone records to
determine
> who else they needed to haul off to the gas chamber also. Therefore,
simply
> subscribing to this list with an e-mail address that is traceable to
your
real
> identity places you at risk whether you choose to believe it or not.
Anyone
> who fails to understand the full scope of information security risk,
inclusive
> of its sometimes-subtle and sometimes-dangerous political and legal
aspects,
> fails to understand both history and human nature.

I have to wonder what relevance this has to the list, other than to
state
that the goal of the list, with *or without* the political discussion,
is
the ultimate freedom of information.  I fail to see how such off-topic,
fringe political discussion contributes to that goal.  By saturating the
list with details that most subscribers do not find useful, you are
drowning
out useful information with ultimately useless political baggage.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html