[Full-Disclosure] Security Industry Under Scrutiny: Part One

From: John.Airey@rnib.org.uk (John.Airey@rnib.org.uk)
Date: Thu, 7 Nov 2002 11:01:48 -0000


> -----Original Message-----
> From: sockz loves you [mailto:sockz@email.com]
> Sent: 07 November 2002 10:13
> To: full-disclosure@lists.netsys.com
> Cc: vuln-dev@securityfocus.com; vulnwatch@vulnwatch.org;
> bugtraq@securityfocus.com
> Subject: [Full-Disclosure] Security Industry Under Scrutiny: Part One
>
>
> Hello Full-Disclosure.
*snip the rest - it goes downhill from here*

Well Sockz, you've made some interesting points, although I would have to
admit that there is at least as much noise in your posts as anyone else's, if
not more.

This would be a good time to give a far more reasoned argument for Full
Disclosure than the one you have given, even if you are a troll or
flame-baiter.

I shall make two important points, the historical basis for Full Disclosure
and comparisons with other parts of life (there is more to life than
computers, so my wife tells me...)

First of all, is there any historical basis for Full Disclosure? Yes, and
I'll give the example of the translation of the Bible into English. At the
time it was opposed by the church of Rome because they would lose their
power over the people. They could read for themselves that salvation didn't
come through the church or even its traditions (a modern-day equivalent
would be what Microsoft and others are attempting with Palladium, i.e. you
trust us to supply you with "good" code, everyone else's is "bad"! That is a
swipe at Microsoft in case anyone thinks otherwise).

Now we have thousands of weird cults with all kinds of odd beliefs (eg the
Wacko from Waco) based on various misinterpretations of scripture. Should we
revert to the old system, where there was only one church and people were
told what to believe? Clearly there are disadvantages and advantages to
allowing people to find things out for themselves.

The situation with information about computer systems is much the same
today. Do we trust one mega-corporation to tell us what it wants us to
believe, or do we trust each other to share information to benefit each
other with the risk that someone might abuse it?

Second, can you compare this to other parts of life? Would you oppose
someone making public the problems with Ford Explorer tyres, as this would
"inconvenience" Ford into making safer tyres? Would you prevent the sale of
Swiss Army knives on the grounds that someone could injure another person?
Would you censor the media so that only state approved information would get
published? Some countries still do that, but we don't consider them free.

Of course, here in the UK we're into banning everything. We banned handguns
nationally (thus losing ourselves Olympic medals) because one mad person
slaughtered an infant school class (I have a young boy in infant school, so
don't think I'm completely heartless, nor would I wish a gun culture like
the US which is depopulating that country at an alarming rate). We banned
any sharp instruments on planes even though you can probably do much more
harm with a tray table (not that I've tried).

I spend most of my working day on security issues, that is very inconvenient
to me, but what would be more inconvenient would be a system that was
attacked and I was completely ignorant as to how it was done.

There is nothing wrong with the security community that is any different to
the rest of mankind (personkind for the PC). If anything, more transparency
like the Full Disclosure list is needed as those intent on damage are
already trading their information through other means. Unfortunately vested
interests have taken over some of the security lists so that only
information that makes the owners look good gets out (you know who you are).

I once heard it said that real freedom is the freedom to do what is right,
which of course requires knowledge in the first place.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

If we could learn one thing from September 11th 2001, it would be the utter
absurdity of moral relativism.
