From: Michal Zalewski (lcamtuf_at_ghettot.org)
Date: Thu Sep 19 2002 - 18:27:04 CDT


On Wed, 18 Sep 2002, Georgi Guninski wrote:

> FYI

Of course, technically, they have - most likely unintentionally - violated
your request / license... but this and so many other posts (Solar Eclipse,
TESO, etc.) are pretty surprising.

It's a bit funny when people who owe their reputation to the idea of full
disclosure - or to all the side effects of this phenomenon, such as the
increased security awareness that eventually turned hobbyist research into
something that can generate paychecks for many folks who enjoy this kind
of work - the same people who can maintain this reputation only by
publishing security research on a regular basis and reaching an audience
as broad as possible... well, it's funny when they start to fight over
completely bogus and irrelevant issues because they can't get along with
the fact that other security folks also want a paycheck, and they decided to
do it by sharing systematized and digested information about the disclosed
problems.

It's not only security research that counts. It's not like you are doing
_all_ the real work, and companies like SF are just nasty parasites. They
are doing valuable work many others are willing to pay for. Most
companies don't have the expertise and resources needed to understand and
classify the stream of hundreds and hundreds of often vague or bogus messages
from many sources every day, 24/7. They want the essential information,
sorted, formatted and served in a timely manner, so they can deal with
important problems as they appear. They want to outsource the process, and
are willing to pay for it. Their alternative - hiring an extremely
expensive professional to do the job. What's wrong or immoral about their
choice? Why do you want to stop those people from getting important
information? Just because they paid SF, as opposed to hiring a new
employee they probably couldn't afford and would be firing by now?

Disclosure is getting hairy; many folks are not really playing by the
rules. Oh-so-many organizations, including some of the most reputable ones, have
"tru$ted" partners for advance notification services without the author's
consent; many buy and sell unpublished vulnerability information without
permission; some vendors use threats and lawyers to fix vulnerabilities in
their products; and quite a few sources don't bother to credit authors,
hoping to mislead the customer. I am a believer in ridiculing those
practices in public, and expressing general discontent with such business
models. I do believe they are in most cases immoral morons and should be
taken down. But SF happens to have a rather good record in the matter of
ethics and plays nice with the community, compared to the industry
average.

-- 
mz

Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html