Full Disclosure mailing list archives
RE: requires full discussion of political and legal aspects of security
From: Mads Tansø <azmodan () linux online no>
Date: Sun, 20 Apr 2003 01:15:16 +0200
If anyone on this list doesn't "like" or "approve" of some of the more or less useless discussions, aren't they free to either block, autodelete or just don't read the mail they consider to be garbage? By replying to it with useless comments on why these topics shouldn't be on the list, they end up amplifying topics, creating even more junkmail for us others to read, autodelete or even block mailaddys for...
From my point of view; if you aren't capable of adding a block-rule for the mails you don't want to receive you've got nothing to do on such a list. Now, go cry...
Ooh.. Did I hear $500 for the openssh 0-sec? Oh, wait, ya'll probably more interested in spamdeleters for this list than security, so I'll go release it on p4ck3tst0rm instead... be0tches...
Mads Tansoe a.k.a Azmodan
Dark Magic Network Crew
/* Wouldn't ya all love to be able to put yer name on yer mails? Woohoo ;p Freedom of speech, freedom to friggin copy and distribute yer dvds, dl metallica and write some nifty exploits... All with the law behind YOU? Say YES to .NO.. What we exploit today, others will exploit tomorrow.. Dark Magic Network Crew */
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Matthew Murphy
Sent: 19. april 2003 21:41
To: Full Disclosure
Cc: jasonc () science org
Subject: Re: [Full-disclosure] requires full discussion of political and legal aspects of security
----- Original Message -----
From: "Jason Coombs" <jasonc () science org>
To: "Matthew Murphy" <mattmurphy () kc rr com>; "Full Disclosure" <full-disclosure () lists netsys com>
Cc: "Len Rose" <len () netsys com>
Sent: Saturday, April 19, 2003 1:25 PM
Subject: RE: [Full-disclosure] requires full discussion of political and legal aspects of security
Matthew Murphy wrote:
These kind of discussions, while interesting to some list members, are not why I subscribe to this list. The list's purpose is for discussion of security issues -- Theo de Raadt's poor cry baby routine is not a security issue. Please keep off-topic discussions like this to a minimum, as they will destroy this list. List subscribers, many of whom are looking for actual vulnerability details (and not discussion of world ideals), will begin to leave in droves if posters do not learn to show basic restraint. If it isn't a security issue, don't post it. Period. I will adopt this policy from this post forward, and I encourage others to do the same.
As somebody who has conspicuously and intentionally pushed for more political discussion on this list, I must say first that I disagree completely and second that I have no intention of withholding political discussions from this list so you'll either have to tolerate (or filter) me, or lobby Len to block my postings if they really offend you.
I don't find your posts offensive, I find them to be useless junk mail that clutters my inbox. If I wanted to hear your political views, I would have joined a list of politicians. I joined a list of security researchers -- specifically hoping that the lack of oversight would keep political things (e.g., selective moderation) out of the list. Obviously, posters like yourself will make sure that goal is never reached. While it is not possible to have a discussion without some *sense* of politics, it is possible not to have *political discussion*. I could understand a story about something relevant to me that you legitimately think I need to know -- some threat to my well-being, occupation, etc. I don't see how some U.S. government agency cutting off money to Theo De Raadt impacts me, or many of the list's other subscribers to the point where people's extremist political ramblings need to be flooding my inbox every 5 minutes.
Geek crypto tech cipherpunk penetration and vulnerability discussions without political and legal context encourage and foster gross misunderstanding of reality and place those who engage in security and cryptography research at risk of unreasonable prosecution and persecution beyond socially acceptable and beneficial self-regulation.
I didn't say we needed to have another BugTraq, I just said the discussion needs to be *relevant*. And, btw, if you think this list is self-regulation, you're sadly mistaken. Self-regulation (essentially anarchy -- by the proper meaning anyway) cannot happen in security. The minute there is a need for security, self-regulation has failed.
You've already made a political statement by joining this list: you reject the politics of partial-disclosure or no disclosure on the grounds that you and those who rely on you for expertise are best served when everyone receives full and timely disclosure of vulnerability details. You are implicitly insisting that forces of oppression that curtail disclosure and discussion do far more harm than good.
By joining this list, I hoped to keep political garbage like Symantec's hiding of information, selective moderation, etc. from coming here. I did not join this list for an open-ended political discussion, but for an open-ended discussion of *security issues* as is in the charter.
I reject your implication, and the implication of others on this list who have communicated as much to me in the past, that political and legal discussions pertaining to security are harmful to the list's well-being and focus.
Pertaining to security how? Other than the fact that Theo De Raadt is an OS project manager with a security interest, and he lost money he admitted he never needed... that's just too much of a stretch, especially when the list charter says politics should be avoided "at all costs".
You've probably noticed that with a couple exceptions we all know better than to engage in flame wars, especially over a non-technical political or legal matter.
That assertion is ridiculous, because this *is* a non-technical political matter we are dealing with here. :-)
This self-regulation is working, and the tone and scope of discussion on this list coupled with the lack of restrictive moderation makes it superior to bugtraq and others.
I would wonder about that assertion. In its current state, this list drowns my e-mail box in so much ridiculous junk that it becomes nearly impossible to search through a week's worth of postings (a hundred or so), and find the few things which actually deserved a place here.
The most compelling reason to support thoughtful and well-informed political and legal discussions rather than cast hate upon them as having nothing to do with the topic of security is that we who support full disclosure are wise, patriotic, law-abiding realists whose understanding of the technical subject matter combined with our experience in the real world convince us beyond any doubt that only the self-interested minority of power and money elite benefit from suppressing full disclosure -- and we recognize, being realists, that every disclosure made without the full support of the self-interested minority places those responsible at risk.
You cannot seriously sit on the sidelines of this list, exposing yourself to (nearly) zero risk (*), and benefit from the hard work being done and hard risks being taken by others, while simultaneously proclaiming that discussion of the political and legal risks being taken by those who do the work that benefits you is somehow off-topic.
As a poster to the list, and a reader of the list, I get very little benefit from political discussions such as these. Had this discussion involved something such as a grant specifically for the purpose of *security* (and not just concerning the personal reputation of Theo De Raadt), I would have had some knowledge to gain from it. The way it is now -- mindless political ramblings about "free speech" from all corners of the world -- teaches me nothing about security or any related matter. Had this been a discussion of threats to/reasons for support of free speech, I would have had a good context. The way this discussion has been presented has no context, only the rantings of a Canadian cry baby about U.S. law. Further, I'd be interested in what makes you believe you have taken substantially more risk than I have, as a fairly regular contributor to the list. Were I not a regular contributor, I would have long ago un-subscribed so that I didn't have to put up with thoughtless political rants and useless junk e-mail such as your post here.
In the good 'ol days there used to be an explicit requirement for contributions from every member who benefits from the risks being taken by others. Either you contributed, and thus took some risk yourself, or you were not entitled to benefit from the risk-taking of others. We've moved beyond that point now, and realize that it would be wrong to withhold the benefits from anyone: this is the essence of full disclosure.
But don't tell me this list is not political. If it's just bugtraq without Dave Ahmad then I need to unsubscribe.
What about the provision in the charter that says "politics should be avoided at all costs"? That seems to say that the list's goal is ***NOT*** politics.
(*) During World War II, the Nazis apparently used telephone company records to find out who called who. Whenever they hauled a family off to a gas chamber, they were sure to check that family's telephone records to determine who else they needed to haul off to the gas chamber also. Therefore, simply subscribing to this list with an e-mail address that is traceable to your real identity places you at risk whether you choose to believe it or not. Anyone who fails to understand the full scope of information security risk, inclusive of its sometimes-subtle and sometimes-dangerous political and legal aspects, fails to understand both history and human nature.
I have to wonder what relevance this has to the list, other than to state that the goal of the list, with *or without* the political discussion, is the ultimate freedom of information. I fail to see how such off-topic, fringe political discussion contributes to that goal. By saturating the list with details that most subscribers do not find useful, you are drowning out useful information with ultimately useless political baggage.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html