Re: Valid disclosure analogy

[full-disclosure () lists netsys com (Defender Defender)]

> On Sunday, Aug 25, 2002, at 12:05 US/Pacific, hellNbak wrote:
>
> > What ever happened to get your money out of Bank A and inform all of Bank 
> > A's other customers via a public forum (media) in order to protect the 
> > general public from being abused by Bank A and their lack of 
> > security/process/whatever.......???
> >
> > Sure, change banks, but I think there is a greater responsibility here as 
> > well.
>
> What Defender Defender (what a name) fails to mention is, that if a bank 
> misrepresents the security of its money and an accountant (affiliated or 
> not) stumbles across this misrepresentation he IS required to report it. In 
> the case of software vulnerabilities, we encounter a huge number of 
> situations in which the bank ("software vendor") knowingly misrepresents 
> ("unbreakable") the security of assets stored within.

That is a very true point. I did not mention it because it does not justify 
to disclosure of vulnerability information on public lists.

I am also an advocate of criminal charges against misrepresentation of 
security in any product (ex. oracle's unbreakable database). I would also 
support any movement that would force vendors to represent the security of 
their software correctly. However, I am not willing to put people at risk 
for that purpose, and I believe irresponsible any action that does.

We also both know that if vendors were forced to rectify their marketing 
methods, they would most likely choose to put end to their pretentions as 
opposed to investing tons of $$$ in fixing their software.

Corporations will always lie if they aren't forced not to do so. That is the 
problem that should be fixed.

> Defender Defender (still amused) tries to liken the freedom to talk about 
> mishandling of information or money in the bank with an actual break in, 
> theft and destruction. This is an easy way to argue, especially if the 
> intention is to criminalize the other party. Under quite similar 
> circumstances Godwin's Law would prevent him from doing so.

I dont talk of crimes. I talk of acts and consequences. Please dont 
speculate on my intentions.

> What Defender Defender fails to mention is the fact that disclosure does 
> not happen "because vendors have been soooo diligent in the past" but 
> because they have not.

No need to mention it. If a vendor does not pretend to offer a level of 
security it does not, it's up to him to act with diligence or not in regard 
to yet undisclosed vulnerabilities in its code.

- Defender Defender

> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html




_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com