Full Disclosure mailing list archives

[Fwd: Copyright abuse on online.securityfocus.com]


From: silvio () big net au (silvio () big net au)
Date: Thu, 19 Sep 2002 17:23:00 -0700

On Thu, Sep 19, 2002 at 07:27:04PM -0400, Michal Zalewski wrote:
> On Wed, 18 Sep 2002, Georgi Guninski wrote:
>
> > FYI

nice :)
I'll add some extra commentary.

> Of course, technically, they have - most likely unintentionally - violated
> your request / license... but this and so many other posts (Solar Eclipse,
> TESO, etc) are pretty surprising.

yes.  correct.  A question I posed a while ago,
in regards to scut's exploit/code being pushed onto bugtraq etc, is
stated as the following.

if the argument that the reasoning for pushing it to the list were that of
general global security.. then would the same situation have occurred, if instead
of "scut/TESO" it had said "Agent foobar/the us government/NSA".

would securityfocus then publish a government exploit knowing that the author
Agent foobar and the us government/NSA had explicitly stated that the code
was not for distribution?

If this occurred, what kind of legal action would people expect?

Many political systems have the belief that the laws apply to the government
just as much as they do to the people.  also they often state, that the people
should be protected, and this is one of government's main obligations, as
opposed to a political system being used to protect the government with
near impunity.

> It's a bit funny when people who owe their reputation to the idea of full
> disclosure - or to all the side effects of this phenomenon, such as the
> increased security awareness that eventually turned hobbyist research into
> something that can generate paychecks for many folks who enjoy this kind
> of work - the same people who can maintain this reputation only by
> publishing security research on a regular basis and reaching an audience
> as broad as possible... well, it's funny when they start to fight over
> completely bogus and irrelevant issues because they can't get along with
> the fact other security folks also want a paycheck, and they decided to do
> it by sharing systematized and digested information about the disclosed
> problems.
>
> It's not only security research that counts. It's not like you are doing
> _all_ the real work, and companies like SF are just nasty parasites. They
> are doing valuable work many others are willing to pay for. Most
> companies don't have the expertise and resources needed to understand and
> classify the stream of hundreds and hundreds of often vague or bogus messages
> from many sources every day, 24/7. They want the essential information,
> sorted, formatted and served in a timely manner, so they can deal with
> important problems as they appear. They want to outsource the process, and
> are willing to pay for it. Their alternative - hiring an extremely
> expensive professional to do the job. What's wrong or immoral about their
> choice?  Why do you want to stop those people from getting important
> information? Just because they paid SF, as opposed to hiring a new
> employee they probably couldn't afford and would be firing by now?

agree that the SF and other such sources offer useful and valuable
services and information.

re the alternative. I do believe the best thing a company can do in terms of
security, _is_ hiring this expensive professional to do the job.  This is
almost the best thing a middle sized company can do in terms of IT
security.  small companies.. well, I hope the people working there already
have this.. and for the large companies, if they don't have this already,
something is wrong.

> Disclosure is getting hairy, many folks are not really playing by the
> rules. Oh-so-many organizations, including some most reputable ones, have
> "tru$ted" partners for advance notification services without the authors'
> consent; many buy and sell unpublished vulnerability information without
> permission; some vendors use threats and lawyers to fix vulnerabilities in
> their products; and quite a few sources don't bother to credit authors,
> hoping to mislead the customer. I am a believer in ridiculing those
> practices in public, and expressing general discontent in such business
> models. I do believe they are in most cases immoral morons and should be
> taken down. But SF happens to have a rather good record in the matter of
> ethics and plays nice with the community, compared to the industry
> average.

totally agree, and unfortunately very much true of the industry itself.

> --
> mz

--
Silvio
