Full Disclosure mailing list archives

Shiver me timbers.


From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Mon, 19 Aug 2002 10:57:21 -0700

On Mon, 19 Aug 2002, Ka wrote:
> We would not have computers and software as evolved as they are, if we
> hadn't exchanged help and information from the very beginning.

Nobody is saying that "we" shouldn't exchange help and information in a
general sense. We are talking about the specific case of a person in a
researcher role doing work to find a bug or write a piece of software
which has security implications (i.e., exploit, virus, network scanner,
etc.). What I'm addressing is the flawed idea that everybody has to share
this work if it applies to some vendor's product, no matter what.

> In the early times, before 'hacker' was being used in its modern
> interpretation, holding back information was a sure sign of
> unprofessionalism or even incompetence.

To whom? You? Sorry, but it doesn't matter how far back you want to go,
doing free research for a greedy company still sucks, and categorically
applying some "ethical" standard is a sure sign of lack of the ability to
think for yourself. Again, we are talking about security vulnerabilities,
not just general "information" as you put it.

> Everybody _knew_ that the next bug could very well be discovered in one's
> own system.

Again, you are over-generalizing and being way too ambiguous. What kind of
bug? A security vulnerability is a specific type of bug with specific types
of implications often greater than a simple "program X won't function in
condition Y."

> Of course it's everybody's right to publish or not to publish anything.

You're damn right it is.

> But hindering the exchange of know-how among fellow hackers is just as
> egocentric as M$ is with its marketing strategy.

I for one am not suggesting that the "exchange" of know-how among hackers
be hindered. I'm suggesting that a person in a researcher role has the
right to exercise his own judgment before he decides what to do with his
research. I'm also saying that there are many conditions where that
individual might be morally justified in withholding a bug with security
implications from the original vendor. Lastly, I'm suggesting that
one-size-fits-all "ethics" from whitehats publishing silly "RFC" documents
on what I should do are a vile idea.

aliver
