Full Disclosure mailing list archives
Shiver me timbers.
From: full-disclosure () lists netsys com (Peter van den Heuvel)
Date: Tue, 20 Aug 2002 00:38:04 +0200
I am wondering.... Besides the "I am bad and you cannot stop me" threads, the main issue (of course) seems to be whether to publish exploits/vulnerabilities found. Although one might want to hold one's own moral judgement against others, such appears mostly futile. Thus the personal moral evaluation gets all the more relevant.

One aspect I've found missing so far is the distinction between commercial and open/contributed software. The "how dare you charge anyone money for this" factor might make one reluctant to cooperate in any fashion with "the company that tends to ignore such issues anyway". A point made very clear, just like the "if you think you're such a clever security expert" factor might demotivate one to "donate the fruits of personal skill and perseverance". Yet, there's software that was gifted to all and that many depend on (like linux, apache, perl, egcs, mysql, cipe, qmail, bind, vim, bash, etc, and as it seems, even outlook express ;^). Would such facts not tip the balance of personal bias? Of course one will assist small and big commercial (and non-commercial) operations by publishing an exploit. But so did the makers of many of the tools being used. Such was their makers' choice. And so that might pose obligations to anyone using that software. If it were not so futile, the obligation to report bugs might have made it into the GPL. Of course one might consider any such software inadequate, but that does not change a thing. Usage obliges the user, payment obliges the supplier. Now what if you just did not pay?

I also fail to see the distinct link between (not)publish and morals. Would every must-publish-hat (:>) willingly help that notorious spammer? Or would every must-not-publish-hat deny assistance to the makers of his favorite OS or web-stat tool? I would like to be surprised by any consistent moral motivation by either faction. I'm afraid that moral judgement cannot be made by rules of thumb.

Then, I'm also afraid there's always going to be a bit of sacrifice in order to achieve "morals". But hack, none of that's any good for sake of argument. So, indeed, argument is a decent thing. And as far as moral obligations go, there's just the arguments that can be spelled out. So that they can be a mirror to anyone that is compelled to reflect. An RFC to simply formalize the required procedures for any vulnerability found seems to me like a grave oversimplification.

Peter