Re: Final position RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
> First, no one has suggested that we maintain the status quo. As I've
> said a few times already, I think we can all agree things could and should
> be done better. What it boils down to is that no one, not you, not Marcus,
> not anyone has offered a viable alternative.
Obviously you're not listening, then.
I strongly suspect you either don't understand my position, or
you don't want to understand. There _are_ viable alternatives,
though perhaps they're not "viable" in your mind because in
order to pursue them they would require changing behaviors
that some people find ego-gratifying / financially lucrative.
Your apparent position is that in order to bring about such
change, one form of gratification must be replaced with another,
or better one.
The reality of the situation is that the Internet is the
greatest opportunity for ego-gratification and wealth
generation that has ever been available to technically
inclined people. As such, it should not be difficult to
seek ego-gratification and wealth by engaging in activities
that are _positive_ and _responsible_. If you want people
to respect your technical skills: create. If you want people
to respect your wisdom: educate. If you want people to _LIKE_
you: defend them, help them, and nurture them.
If you want people to think you're just in it for yourself,
then be blatantly egotistical, hurt other people to gain
marketing greetz, and arrogantly make unilateral decisions
without counting the consequences of your actions.
There _ARE_ viable alternatives and I have proffered them,
as have other, cooler heads. I believe that, considering
the membership of this list, you owe yourself the intellectual
honesty to admit that. They may not be alternatives you _LIKE_
but not liking them doesn't make them non-viable.
> The best we've heard from
> this particular camp is that people that publish vulnerability information
> without informing the vendors should be sued. Yeah, that's going to work.
> That and a lot of moaning.
My position has consistently been that people must take
responsibility for the consequences of their actions. I think
most civilized people will agree that's a necessity for a
- Individuals/companies who discover damaging things need to
manage the process of getting them fixed responsibly
- Individuals/companies who discover damaging flaws (or are
told about damaging flaws) in their products need to manage
the process of getting them fixed responsibly.
Lots of offended hackers do not understand my position because
they are emotionally reacting to the piece that applies to _them_,
which is understandable but not particularly helpful. I have said
many times that _VENDORS_ need to be held accountable for flaws
in their stuff!!! I have said many times that UCITA is a terrible
thing because it will perpetuate a dangerous status quo. I have
said many times that _HACKERS_ need to be held accountable for
the way in which they disseminate vulnerability information.
There are innocent people getting hurt. They are not technical
people, they are people like my mom and dad and my 12-year-old
niece - people who just want to use the Internet to email and
surf in peace. Individuals such as this "Brumleve" character
who immediately outed "brown orifice" - they are not helping the
vendor - they are not helping the user - they are not helping
anyone except themselves.
Aleph, you've taken ad hominem shots at me implying that because
I love money and sell a product, I'm also "helping myself." That's
true, but I'm not helping myself at the expense of someone else.
Back when I was building firewalls at TIS I discovered a flaw
in a competitor's product. Did I publicize it? I called their
product manager and made sure it got fixed in the next release.
Did I make money from that? No. There are an infinity of fun,
attractive, valuable ways to make money - there's no need to
look at the negative side of things when the opportunity to be
positive is so _HUGE_.
> Come up with some viable alternative, then we'll talk.
I have. First listen, then talk.
> Second, we've already been in a position where we threw out the baby. Maybe
> you weren't on the Internet in those days, but I was. Let me tell you, it
> was not a pretty picture. As much as people bitch about security today
> it is nowhere near as bad as it was back then. That is why full disclosure
> came about. It would never have been as successful if things hadn't been
> as bad as they were.
I don't think things are particularly good right now. Only
someone who was practicing deliberate self-deception would
think the situation has improved. If you read, for example,
CERT's statistics: the number of security break-ins can
be charted on a graph that bears an amazing resemblance to
Cisco's stock price: going up rapidly with no end in sight.
If you read CSI's statistics, the amount of measured lossage
due to security problems is increasing equally rapidly.
The only thing I can see that's gotten better in the last
few years is that it's a good time to be a "grey hat" hacker.
They can do all the stuff that a "black hat" does but get
paid a lot of money and be a media superstar. Indeed, they
can wring their hands and say "there's no alternative."
The reality is that there's an alternative;
SPEND YOUR TIME BUILDING THINGS INSTEAD OF DESTROYING THEM
Or is that too obvious?
> Amputate that, Surgeon.
While I understand your defensive attitude, I don't think
it strengthens your position or makes your viewpoint seem
any more attractive. Consider that.
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.