Full Disclosure mailing list archives
RE: Security Industry Under Scrutiny: Part One
From: ATD <simon () snosoft com>
Date: 14 Nov 2002 15:10:49 -0500
Sockz,

In response to this post....

You said:
* security advisories are rarely based on original concepts

Response: Maybe not, but they are based on original bugs that could be threatening to the infrastructure of many companies.

You said:
* most of them are filled with lots of crap used to build up the reputation of the whitehat.

Response: I'd like to see the evidence that you have to support this claim.

You said:
* whitehats should contact vendors and not public forums as only the vendors can release an update.

Response: When vendors are contacted they are not always inclined to do what is right, but would rather save face. If we did this, and did not post to the public, we would be A: denying the public knowledge of a threat and B: allowing vendors to lie to clients. Also, look at what happened to us when we tried to contact HP about Tru64.

You said:
* "proof of concept" toolz are used to fuel script kiddies so as to justify the employment of security professionals. kinda like the CIA bombing a skyscraper to get more funding.

Response: Proof of concept code is just that, used to prove a theory/concept. Without the code, vendors would probably not respond to issues. Plus, who said the code had to have a malicious payload? I know how to write non-malicious proof of concept code, don't you?

Things we can do to make the security industry better:

You said:
* dont post to public forums. contact the vendor directly. make vendors more responsible for their products.

Response: The aforementioned HP incident with SNOsoft (us).

You said:
* stop producing "proof of concept" code/tools, as these are more often used to harm, rather than to heal.

Response: See above. I don't choose to be redundant.

You said:
* care more about security and less about money.

Response: Knowledge is power and thus education will make the community more powerful. Sharing information in public lists is one way to educate people.

For all of those who are anti full disclosure, why are you signed up for this list? I think that I speak for the majority here (correct me if I am wrong). I think full disclosure is a powerful asset to the security community and I have yet to see any convincing arguments to counter that. The majority of the arguments that I see against full disclosure are opinion based and emotional (some almost childish). The arguments that I see for full disclosure are supported by facts and history.

--
-ATD-
http://www.snosoft.com
-------------------------------------------------------------
Secure Network Operations | Strategic Reconnaissance Team
Cerebrum Project | cerebrum () snosoft com
-------------------------------------------------------------