Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)
On Tue, Feb 19, 2002 at 08:05:19AM -0600, Stu Green wrote:
| Given an environment that will be affected by Digital Rights Management
| and inherent potential DMCA 'violations' the definition of vague might
| take on alternate meaning. If a suspected vulnerability can not be
| detailed for fear of infringing on the publisher's copyright, a vague
| presentation might be required until the aforementioned publisher deems
| it reasonable to allow the vulnerability to be thoroughly documented.
| Whatever the ramifications are, the case of Adobe and Dmitry Sklyarov
| sets an uncomfortable precedent.
I'd like to suggest that this case is qualitatively different:
CD-VAGUE suggests that the vendor confirms a vulnerability
CD-DMCA suggests that a researcher has stated a vulnerability exists.
In the latter case, the vulnerability may be disputed, its effects may
be disputed, and there may be no fix available. Indeed, CD-DMCA may
interact with other CDs regarding precision, codebases, etc.
"It is seldom that liberty of any kind is lost all at once."