Re: How much time is appropriate for fixing

[Justin Klein Keane <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

My point about Maslow had to do with self actualization as a
motivating factor.  Freud also called used the super ego.  It was
meant to be demonstrative rather than illustrative, however.  I
believe there are people out there motivated by more than power or
sexual fulfillment (things like duty, honor, or morality).

The problem here is that we are both arguing from anecdotal evidence.
 I observe what I observe and you observe what you observe.  The
reason we differ is because there is no common metric, therefore
there's no way for us to convince one another of the correctness of
our analysis.  You can call me naive and I can call you jaded, and the
issue remains unsettled.  I think the salient point isn't who is
right, but how we could go about collecting evidence to support our
assertions.

Cheers,

Justin C. Klein Keane
http://www.MadIrish.net


On 7/10/12 3:58 PM, Thor (Hammer of God) wrote:
> "Moral obligation" to disclosing bugs?  Really?  The statement
> wasn't about what happens when there is disclosure or the effect it
> has - the statement was in regard to the purpose one does the
> research and subsequent disclosure in the first place.  It is,
> quite simply, to be recognized.  I didn't say anything was "wrong"
> with that, I was just stating that it "is."  People do not disclose
> their research to make the world a better place.  They do it for
> recognition or for money.  One may argue they are related.
>
> Are you telling me that these people intentionally begin
> researching some random product because they have some duty to
> ensure a fix is produced? If you think that, you are quite naïve.
> People certainly report bugs anonymously, but those are bugs they
> happen upon, not those they set out to find.  Just look at how many
> bugs are released anonymously. Statistically none.  You paint the
> picture as if people volunteer hours upon hours of research into
> any random product to find a bug so that they can "insure" a fix is
> produced as it they have some duty to do so.  Nuts, man.
>
> Oh, and your reference to Maslow actually makes my point.  The most
> basic need is "sex" (getting laid). The next most basic need is
> "employment" (getting paid).  The next tier is "sexual intimacy"
> (getting laid), the neigh is "achievement" (getting paid) and
> finally the "acceptance of facts" that everything you do is to get
> paid or get laid.
>
> But as Val said, this thread has about run its course, and there's
> not been much new material on the subject (even though Григорий
> Братислава has provided needed entertainment).
>
>
> On 7/10/12 9:15 AM, "Justin Klein Keane" <justin () madirish net>
> wrote:
>
> Hello,
>
> I feel compelled to point out that disclosing a bug *is* 
> contributing.  It requires a lot of time and effort to find a bug, 
> which is a contribution to the target software, even if only seen
> as free quality assurance work.  Disclosure is undeniably
> inconvenient for vendors, but it is demonstrably one of the surest
> ways to ensure a fix is developed.  Security researchers arguably
> have as much responsibility to end users as to vendors.  If a
> researcher finds a bug, unless they believe they are the best
> person in the world at what they do, they must conclude black hats
> have access to the bug. Disclosing the bug is the lowest resistance
> way for a researcher to concurrently inform the user base and
> provide impetus for the vendor to fix the issue.  The proposition
> that disclosure is purely selfish ego stroking ignores the
> viewpoint that disclosure is a moral obligation, which is just as
> valid.  Maslow's hierarchy of needs clearly illustrates that not
> everyone is motivated by getting paid or getting laid.
>
> Justin C. Klein Keane http://www.MadIrish.net
>
>
> On 7/10/12 11:42 AM, Mikhail A. Utin wrote:
> > > > Hello, I completely agree with Thor. We have to do something
> > > > for free. We have to contribute, not just use. Whoever and
> > > > whatever. Examples: - This list is ran for free (hardware,
> > > > software, time, energy are used for) and giving us a chance
> > > > to communicate - The most of us use Linux, whichever flavor
> > > > you prefer. The most of it is free time contribution.
> > > > Somebody pays for that, but we use. It is nice to be paid for
> > > > something, but consider the alternative. Otherwise our
> > > > communications will die and we do not have an OS for a fun or
> > > > profit.
> > > >
> > > > Mikhail Utin
> > > >
> > > > -----Original Message----- From: 
> > > > full-disclosure-bounces () lists grok org uk 
> > > > [mailto:full-disclosure-bounces () lists grok org uk] On Behalf
> > > > Of full-disclosure-request () lists grok org uk Sent: Tuesday,
> > > > July 10, 2012 7:00 AM To: full-disclosure () lists grok org uk
> > > > Subject: Full-Disclosure Digest, Vol 89, Issue 11
> > > >
> > > >
> > > > ------------------------------ Message: 7 Date: Mon, 9 Jul
> > > > 2012 17:24:51 +0000 From: "Thor (Hammer of God)"
> > > > <thor () hammerofgod com> Subject: Re: [Full-disclosure] How
> > > > much time is appropriate for fixing a bug? To: Georgi
> > > > Guninski <guninski () guninski com>, Stefan Kanthak
> > > > <stefan.kanthak () nexgo de> Cc: 
> > > > "full-disclosure () lists grok org uk" 
> > > > <full-disclosure () lists grok org uk> Message-ID: 
> > > > <CC205E3D.3561%thor () hammerofgod com> Content-Type:
> > > > text/plain; charset="Windows-1252"
> > > >
> > > > I'm not contradicting myself at all - in fact, *you* are the
> > > > exact type of person I'm talking about.  You couldn't give a
> > > > rat's ass about the industry or anyone but yourself.  Nothing
> > > > you have ever done has been "valuable" to anyone other than
> > > > you; it has been completely self-serving egotistical
> > > > bullshit.
> > > >
> > > > CONFIDENTIALITY NOTICE: This email communication and any 
> > > > attachments may contain confidential and privileged
> > > > information for the use of the designated recipients named
> > > > above. If you are not the intended recipient, you are hereby
> > > > notified that you have received this communication in error
> > > > and that any review, disclosure, dissemination, distribution
> > > > or copying of it or its contents is prohibited. If you have
> > > > received this communication in error, please reply to the
> > > > sender immediately or by telephone at (617) 426-0600 and
> > > > destroy all copies of this communication and any attachments.
> > > > For further information regarding Commonwealth Care 
> > > > Alliance's privacy policy, please visit our Internet web site
> > > > at http://www.commonwealthcare.org.
> > > >
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it. Charter: 
> > > > http://lists.grok.org.uk/full-disclosure-charter.html Hosted
> > > > and sponsored by Secunia - http://secunia.com/
>
> > _______________________________________________ Full-Disclosure -
> > We believe in it. Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> > sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iPwEAQECAAYFAk/8rgUACgkQkSlsbLsN1gA2lAb/fkzZP92lZhKp8S1dKCFWqgdA
zZaoybIA0pEd2bS8dlnn2HwkZitnhLXJSy+Vs+oNT2W5RRTWgC8STnRToVA58K0o
meSIlh4A8txq6qORuBr6x5ce1roTJ08bxPiOW3D6SW+6b7ogFmDCl+9Hq8IcECoH
CLDGkbIXlvkJqzg1ZyCosVWn6QmgDz3SRcD9xbfXILRYWeWdBZQSULSpQlnMsd0N
7qG1SCUn44ujtd6b83QJxjsThwXcO+WXMX9uTPyfYUACa+iIRdRMJBGO6Ywi5Wnl
f5B1p5Xpi8mwNkHs1F8=
=j5DW
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/