Re: Product review postings (was Administrivia)

From: Mark C. Langston (mark@bitshift.org)
Date: Tue Jul 08 2003 - 15:07:11 EDT


On Tue, Jul 08, 2003 at 12:52:16PM -0600, Alfred Huger wrote:
> On Tue, 8 Jul 2003, Mark C. Langston wrote:
>
> > So you will now require all vulnerabilities posted to be traceable back
> > to the individual who discovered and/or publicized the vulnerability?
>
>
> Of course not but that's not at stake here. This list is not for vuln
> disclosure there are more appropriate venues for that. Vulnwatch, Bugtraq,
> Vuln-dev to name a few.

My mistake. s/vulnerabilit[y,ies]/critical information/g and my points
stand (I do believe the term you used was "critical information" instead
of "vulnerability").

Product reviews are going to contain negative information, if such
exists. Some of that information may be, "$FOO is vulnerable in
@LIST_OF_WAYS." Some will simply be related to performance,
configuration, documentation, and other shortcomings.

You continue to want "accountability" for posting this sort of
information, yet you still haven't justified its need, beyond list
unsubscription. Unsubscription requires a unique email address, not a
real name. Litigation requires a real name. Unless and until you
explain the use to which you expect such accountability to be put,
we will continue to speculate. And speculation thus far has run
to litigation.

If the purpose is ensuring obvious slurs don't make it to the list,
one must wonder whether or not the moderator's role doesn't already
cover that purpose, regardless of the name attached to a potential
list post?

If the purpose is to ensure full and accurate posting of information,
are you implying that by associating one's true identity with a
post, all misinformation and mistakes will be eliminated? I think
not. I'm just as likely to mis-state a capability out of haste,
laziness, disinterest, or what-have-you with as without my real
name attached to a post. The same holds true for everyone else.
Those interested in posting accurate information will do so,
regardless of the nym or name used. Those interested only
in substance-free attacks on products will produce them irrespective of
the content of the From: line.

And, barring moving to something akin to an in-person key-signing, how
do you intend to verify the names attached to a given post are
real, and if real, are actually the identity of the poster?

I think you've forgotten that this is the Internet, and many of us are,
in fact, dogs.

-- 
Mark C. Langston                                    Sr. Unix SysAdmin
mark@bitshift.org                                       mark@seti.org
Systems & Network Admin                                SETI Institute
http://bitshift.org                               http://www.seti.org


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT