Full Disclosure mailing list archives
RE: Security Industry Under Scrutiny: Part One
From: "João Miguel Neves" <joao () silvaneves org>
Date: Thu, 7 Nov 2002 16:30:03 -0000 (WET)
> > my clients' computers. They also help better
>
> This isn't a shot at the author of this reply but his comment about the existence of tools helping him help his clients helps illustrate something that lately has been making me sick enough to start rethinking things.
[...] No offense taken. I agree with your point. I think the habit that existed on bugtraq of posting exploits with errors that would be obvious if you understood the issue was a nice filter, even if, in practice, ineffective.
> > And what to do when they ignore you? The mechanics of "full disclosure" (or "posting to public forums" as you put it) is that vendors will not correct software problems just because they exist, but they'll do it to protect their image and reputation. Before "full disclosure" it wasn't strange to have a software company like Sun take years to produce a fix for a security bug. I don't want to go back to that dark age.
>
> I think this issue is black and white. Vendor ignores you, release information on the vulnerability. That does not, however, mean you release a point-and-click script.
I was thinking of information. The scripts are useful because it wouldn't be the first time the first report of a vulnerability was wrong, but people were able to 1) discover there was a real problem because the script worked and 2) zero in on the problem because people had a test case.
> I am asking myself what is worse, the clueless using lists like this to get rich or companies at least paying those who can find vulnerabilities a fat salary to then resell the vulns to their clients. I don't think either improves security.
I started as a system administrator almost a decade ago. I saw how most people went from keeping their secrets to full disclosure. Right now my belief is that security is dynamic: the only way to secure something is by implanting detection, correction and containment measures. Reducing the amount of information available will make my ability to detect and react slower, effectively reducing my security. But this is just one opinion (even if I know I'm not alone on this one).
> Why doesn't someone sue a vendor?
Law. Software is protected under copyright, not contract law. That means that there is no basis for a liability claim against the vendor.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html