ranting.. was Re: [Full-Disclosure] (no subject) PS

From: Boris Lorenz (bolo@lupa.de)
Date: 11/26/02
From: bolo@lupa.de (Boris Lorenz)
Date: Tue, 26 Nov 2002 15:42:45 +0100

Yohei,

Silvio Cesare wrote:
[...]
> The public is perhaps one of the largest contributors to the "security" of the
> internet. It is through disclosure that many, many vulnerabilities are
> fixed - even those which vendors would often like us to ignore.

...likewise, many systems have been rooted by readily available
plug-and-go sploits, which brings us to the "script kiddie"
discussion...

> If _you_, if _we_ had not found a vulnerability in various software and
> disclosed it - are you sure that your vendor would have done this
> instead? Am I, are we not all, entitled to see how safe our software is, if
> only by reading the number of vulnerabilities disclosed against certain
> software? [software as I understand it, isn't exactly the most well
> defined of scientific pursuits - though automated bug checkers currently
> seem to be heading us towards better quality software, though likely
> a long time from now before we see this]

See, I don't give a flying fart what some vendor could do for me. If you
want a job to be done, do it yourself. I simply refuse to be a Microsoft
Certified Patch Installer or somethin. Most vendors only react to
certain vuln reports if they see their rep/profits going down the drain,
and I won't support that. That's why I'm subscribed to various
non-profit mailing lists, not to closed-user-group fora of software
vendors.

We're sitting in our ebony tower, chatting away about
black/white/yellow/pink/wtf hats, while around us, myriads of faceless
admins don't care for anything security-related. We all talk lots and
lots about small aspects of computer security, while just around the
corner, a new buggy program emerges from the computers of yet another
ambitious dev team, about to propose the next serious risks to hosts of
all flavours.

For me, all these risks, whether they'd be abstract or not, are part of
the internet's climate, and you know how it goes: There's no bad
weather, there's only bad clothing.

Now, full disclosure can help to decrease the risk for a certain group
of ppl who are willing and able to learn a thing or two about security,
but mostly, it boils down to fueling money-grubbin' idiots with know-how
they wouldn't be able to build up otherwise, or attracts the meat flies
of the 'net, the script kiddies. The silent majority just sits there,
with their heads in their asses, and waits for the dark clouds to go
away.

So, we shouldn't really talk about all this as if the majority of ppl
would give a damn. We're just a comparatively small group of ppl who
happen to be interested/trained in coding, security, etc., we won't be
able to change the focus of the general public. Bill Gates knows that
bloody well, hence his sudden interest in security; this is called
blowing sugar up ppl's asses, but what can you do...

> --
> Silvio

Boris
