Re: Final position RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey

* Marcus J. Ranum (mjr@NFR.NET) [000922 19:18]:
> The reality of the situation is that the Internet is the
> greatest opportunity for ego-gratification and wealth
> generation that has ever been available to technically
> inclined people. As such, it should not be difficult to
> seek ego-gratification and wealth by engaging in activities
> that are _positive_ and _responsible_. If you want people
> to respect your technical skills: create. If you want people
> to respect your wisdom: educate. If you want people to _LIKE_
> you: defend them, help them, and nurture them.

That is exactly what full disclosure did. It educated people
about security by showing them the gory details of security
vulnerabilities and defended them from unresponsive vendors.

> There _ARE_ viable alternatives and I have proffered them,
> as have other, cooler heads. I believe that, considering
> the membership of this list, you owe yourself the intellectual
> honesty to admit that. They may not be alternatives you _LIKE_
> but not liking them doesn't make them non-viable.

Feel free to point them out to me. I've not had the pleasure
of listening to your talks on the subject. What I've heard has
been second hand comments and news reports, and none of them
mentioned you proposing any alternatives. Your personal web site
seems to be down and I've not found anything on the NFR web site
related to the topic. You certainly haven't mentioned any on
this message thread.

Please, enlighten me.

> My position has consistently been that people must take
> responsibility for the consequences of their actions. I think
> most civilized people will agree that's a necessity for a
> functioning society.
>          - Individuals/companies who discover damaging things need to
>          manage the process of getting them fixed responsibly
>          - Individuals/companies who discover damaging flaws (or are
>          told about damaging flaws) in their products need to manage
>          the process of getting them fixed responsibly.

Sure. We are in agreement so far.

> Lots of offended hackers do not understand my position because
> they are emotionally reacting to the piece that applies to _them_,
> which is understandable but not particularly helpful. I have said
> many times that _VENDORS_ need to be held accountable for flaws
> in their stuff!!! I have said many times that UCITA is a terrible
> thing because it will perpetuate a dangerous status quo. I have
> said many times that _HACKERS_ need to be held accountable for
> the way in which they disseminate vulnerability information.

And how exactly are you proposing to hold them accountable?

> Aleph, You've taken ad hominem shots at me implying that because
> I love money and sell a product, I'm also "helping myself."  That's
> true, but I'm not helping myself at the expense of someone else.
> Back when I was building firewalls at TIS I discovered a flaw
> in a competitor's product. Did I publicize it? I called their
> product manager and made sure it got fixed in the next release.
> Did I make money from that? No. There are an infinity of fun,
> attractive, valuable ways to make money - there's no need to
> look at the negative side of things when the opportunity to be
> positive is so _HUGE_.

I've done no such thing. I've simply pointed out the fallacy in
what I believed was your statement claiming vulnerability information
has no tangible value by showing that it has value to your
company and product.

I in no way implied that you are helping yourself to anything.
So for anyone that misinterpreted my comment let me state here,
that was not its meaning.

I am sorry if you somehow feel offended. That was certainly
not my intention.

> I have. First listen, then talk.

Show them to me. Give me a URL or some reference to these
proposed solutions.

> I don't think things are particularly good right now. Only
> someone who was practicing deliberate self-deception would
> think the situation has improved. If you read, for example,
> CERT's statistics: the number of security break-ins can
> be charted on a graph that bears an amazing resemblance to
> Cisco's stock price: going up rapidly with no end in sight.
> If you read CSI's statistics, the amount of measured lossage
> due to security problems is increasing equally rapidly.

You must own a copy of "How to Lie With Statistics". While
you are indeed correct that the total number of incidents
has grown, the Internet itself has grown at a faster rate.
It's my firm belief that the total *percentage* of
vulnerable hosts on the Internet has gone down.

If you haven't already, I suggest you read "An Analysis Of
Security Incidents On The Internet 1989-1995" by John D. Howard.
< http://www.cert.org/research/JHThesis/Start.html >
Check out the conclusions.

> The only thing I can see that's gotten better in the last
> few years is that it's a good time to be a "grey hat" hacker.
> They can do all the stuff that a "black hat" does but get
> paid a lot of money and be a media superstar. Indeed, they
> can wring their hands and say "there's no alternative."
> The reality is that there's an alternative;
> Or is that too obvious?

The basic flaw in your argument is that you equate destroying things
with "bad". I guess Consumer Reports should go out of business.
Whether you like it or not society needs people that try
to break things. Sometimes that's the only way to make them

> While I understand your defensive attitude, I don't think
> it strengthens your position or makes your viewpoint seem
> any more attractive. Consider that.

Hardly defensive. There is no need for me to defend what can't
be attacked. This conversation reminds me of a bunch of old men
shouting that a storm is coming yet not being able to do anything
to stop it.

> mjr.
> -----
> Marcus J. Ranum
> Chief Technology Officer, Network Flight Recorder, Inc.
> Work:                  http://www.nfr.net
> Personal:              http://www.ranum.com

Elias Levy
Si vis pacem, para bellum

Page Last Updated or Reviewed: May 22, 2007