RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
> From: 'aleph1@SECURITYFOCUS.COM' [mailto:aleph1@SECURITYFOCUS.COM]
> I think we all agree on that. Some people just have no regard for whether or
> not there is a fix for whatever vulnerability they are reporting. But the
> only options presented so far by anyone to curb such behavior would throw
> out the baby with the bath water. They would chill the disclosure of
> vulnerability information in general, and most people I know find that
> to be a step in the wrong direction.
We agree here. The thing that I fear is that unless this behavior is curbed
in some manner, then the government will curb it for us and that would be a
real mess. The cure would be worse than the disease.
> Indeed no system is perfect, none is. Yet academia is also a success regardless
> of its faults. So I hardly see how it undermines my point.
The point is that if academia were less concerned about who gets credit,
they would get more work done. People accomplish more in collaboration than
they do alone. Similarly, this concern with credit in our arena interferes
with getting work done.
> Maybe my grasp on the language is off. The Cambridge dictionary defines ego as
> "your idea or opinion of yourself, or a great feeling of your own importance
> and ability". So how you could feel good about what you do and not have
> an inflated ego escapes me.
It isn't a grasp of the language, simply different connotations. To me, ego
is something which refers to an individual self, and separates one from the
world. This separation leads to seeing things not as they are, but through
some measure of illusion. Illusion is something to be overcome. Ego is
also sometimes considered an inflated opinion of oneself, and as such
represents a sort of pride, which is generally thought to be
counter-productive in many ways of thinking. So knowing that you are taking
correct actions with correct motivations is one thing, but excessive pride
in oneself is another. Again, I'm going off on philosophy and perhaps we
should take it up next time we share some good beers.
> Huh? Marcus said that vulnerability information has no tangible value.
No he didn't. He said that NFR had tangible value, not that the vuln info
> I was not chastising Marcus for not paying for the information. I was
> pointing out that it has value as his own product, for which
> people pay tangible, money depends on it. Without the vulnerability
> information his product would not be worth as much. Ergo the
> information has value.
OK - we're talking past one another here. I'd have agreed if I had