Of course you guys support full-disclosure

[full-disclosure () lists netsys com (full-disclosure () lists netsys com)]

On Sun, 25 Aug 2002, hellNbak wrote:
> Give me a better solution that A.) protects the hapless admins who have
> no time or budget to change anything and have to live with an
> environment,

I personally have a hard time feeling sorry for "admins". They are usually
people who are "into" computers but were too lazy to actually learn the
intrinsics. The latter being fairly helpful in securing your systems.
There is something to be said for the bad ol' days when being a "computer
person" meant having a double-E. I also find the excuse of "not having
budget" pretty weak since that kind of thing is usually due to the tired
old practice of spending more money on marketing and bonuses for sales
people and executives than on their core business, or protecting their
assets. The real point is that full-disclosure doesn't really protect
hapless admins as much as it benefits greedy megacorps. It benefits both
the ones who are in the "security industry" since they get free tools and
PR, and it benefits the rest by making their boxes more secure in the long
run. Notice here that I agree that full-disclosure does foster an
environment where software becomes more secure in the long run.

> B.) forces vendors to own up to their mistakes and fix them albiet
> eventually and it really should have been done right in the first place,
> and finally

You mean like HP has been doing? Increasing the trend seems to sue the
researcher, insinuate that they are terrorists, and then ignore or
mishandle the actual problem. Again, in the long run there are bugs being
fixed, but personally I find the cost to people like myself too high. I'm
not going to risk getting sued or branded as a terrorist on some CNN tech
story for providing free help to some company like Hewlett Packard.

> C.) allows everyone to do as they please on and off the Internet without
> worrying about some assclown owning all their computers.

I don't think full-disclosure is the panacea you imply here. There is
always the possibility of "some assclown" finding a vulnerability,
creating an exploit, and using it on you. You can't force full-disclosure
down everyone's throat.

> I know the proper solution has "sue the vendors" somewhere in it,

I agree that the should be sued. Anything that weakens them is in my
cool-book.

> The whole, oh you should be doing this for free argument is bullshit.

We also agree on this point.

> Does a doctor who practices medicine because he truly wants to help
> people do it for free?  No, of course not.  So why should I?

Well, I'm a programmer who really _doesn't_ want to help "people". Since,
in this case "people" either means corrupt, greedy corporations. or
ignorant and/or lazy folks who usually deserve what they get.

> I personally try to do as much as I can for the security community in
> general FOR FREE.

Yet the "community" always seems to ask for more, for example with the
responsible disclosure RFC. I don't like working for ingrates, and
certainly not for free.

> But that doesn't mean that I should feel dirty because I have apparently
> "sold out" by doing some consulting work.

In my opinion "selling out" means turning 180 degrees from what you really
believe in so you can make some cash. If you were never a hacker, then you
certainly aren't a sellout if you are engaged in some whitehat-type work.
It doesn't sound like you have ever espoused "the blackhat position", so
even if I think you are wrong, I don't think you are a sellout.

> My consulting work gives me the money to do the free stuff that I do
> work on.  Without it, the free wouldn't exist because there would be no
> one to pay for it.

I was looking at your web page. I was wondering what free work you have
done in the past. I'm not saying you've done nothing, but I'm just curious
about you as a whitehat test-case. Have you written any exploits or tools
to speak of?

> What I find amusing is many members of PHC and el8 are also "security
> professionals".

I also think this is very amusing.

> So what is their true motive?

Hopefully, they want to pay the bills while at the same time using the
consulting firms they work for as a way to finance their OJT in exploit
writing. This would make things even more ironic and amusing.

> One of the FREE things I am working on is going to help keep all of this
> information free and organized for everyone and anyone.

I thought Technotronic was pretty organized, and it was free. I never
really heard what happened to them. Seems like anyone who sets up an
exploit & vulnerability database goes belly up sooner or later, but good
luck to you just the same.

> If everyone stopped hacking -- security companies would go out of
> business and software vendors would make more money because they woudl
> stop worrying about security.

They don't worry too much about security now. Witness HP and friends.

> But, we all know that will never happen.

Of course not.

aliver