Full Disclosure mailing list archives

Re: GREENAPPLE Release


From: "Byron L. Sonne" <blsonne () rogers com>
Date: Sat, 12 Feb 2005 22:33:42 -0500

I thought Full Disclosure propagators actually endorsed waiting for a
vendor to fix the vulnerability before announcing a security hole..
On the other hand what do I know? My hat is black.

Some days I find myself leaning more towards 'responsibility' while most days I recognize that the only way vendors learn is through repeated hard lessons.

Consequently I keep my morals flexible as long as people's personal/physical safety is respected and money doesn't change hands when the law may be broken. There's always the golden rule if anyone finds themselves in need of a universal yardstick, though for a company like Microsoft, I do revel in seeing them take it dry. In any case, with all these idiotic laws, who isn't a criminal somewhere? Coming soon via treaty to a theatre near you!

But I digress... I wasn't rankled by what could be perceived as a 'responsible' disclosure on Dave's part. I'm saying he and his crew sit on stuff and parcel it out when and where it will do the most good for their prestige. It might be good marketing, but I think it's cheesy how long some people sit on things, especially when pains are taken to point out that they've known about it for some time now. A little too Hollywood for my tastes.

Whitehat or blackhat, whatever discipline, it's all the same beef if you hoard knowledge.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

