Full Disclosure mailing list archives
RE: Security Industry Under Scrutiny: Part One
From: "João Miguel Neves" <joao () silvaneves org>
Date: Thu, 7 Nov 2002 14:21:02 -0000 (WET)
> * security advisories are rarely based on original concepts

Agreed.

> * most of them are filled with lots of crap used to build up the reputation of the whitehat.

And sometimes enough information for me to repeat the test and check if I'm also vulnerable.

> * whitehats should contact vendors and not public forums as only the vendors can release an update.

Most do that. If you regularly read mailing lists like bugtraq or full-disclosure you'll find that almost all (if not all, in the last year) have a vendor status that describes how and when the vendor was contacted and what its reaction was.

> * "proof of concept" toolz are used to fuel script kiddies so as to justify the employment of security professionals. kinda like the CIA bombing a sky scraper to get more funding.

This is a blatant lie. There are a lot of companies that won't correct a problem in their software if there is no "proof of concept". Personally I like proof of concept tools - they speed up my testing of my computers, my company's computers and my clients' computers. They also help in better understanding the vulnerability and in identifying whether it's a real one or simply a repetition of some old one.

> things we can do to make the security industry better:
> * dont post to public forums. contact the vendor directly. make vendors more responsible for their products.

And what do you do when they ignore you? The mechanics of "full disclosure" (or "posting to public forums" as you put it) is that vendors will not correct software problems just because they exist, but they will do it to protect their image and reputation. Before "full disclosure" it wasn't strange for a software company like Sun to take years to produce a fix for a security bug. I don't want to go back to that dark age.

> * stop producing "proof of concept" code/tools, as these are more often used to harm, rather than to heal.
> * care more about security and less about money.

That's what I'm doing; unfortunately, positions like yours make my job, and that of everyone in the security industry, more difficult and more expensive, making sure that we'll have less, not more, security.

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html