Re: Product review postings (was Administrivia)

From: Alfred Huger (ah@securityfocus.com)
Date: Tue Jul 08 2003 - 15:54:55 EDT


On Tue, 8 Jul 2003, Mark C. Langston wrote:

> On Tue, Jul 08, 2003 at 12:52:16PM -0600, Alfred Huger wrote:
> > On Tue, 8 Jul 2003, Mark C. Langston wrote:
> >
> > > So you will now require all vulnerabilities posted to be traceable back
> > > to the individual who discovered and/or publicized the vulnerability?
> >
> >
> > Of course not, but that's not at stake here. This list is not for vuln
> > disclosure; there are more appropriate venues for that. Vulnwatch, Bugtraq,
> > Vuln-dev to name a few.
>
> My mistake. s/vulnerabilit[y,ies]/critical information/g and my points
> stand (I do believe the term you used was "critical information" instead
> of "vulnerability").
>

The body of your mail spoke to the chilling effect of policy limiting vuln
disclosure, the DMCA etc. I agree, your points do still stand but for
another argument.

> Product reviews are going to contain negative information, if such
> exists. Some of that information may be, "$FOO is vulnerable in
> @LIST_OF_WAYS." Some will simply be related to performance,
> configuration, documentation, and other shortcomings.
>

If the vulns are previously undisclosed then this is not the Forum for
them. No one is stopping people from posting them, but do so in the right
Forum. If the vulns are known and included in a review which touches on a
series of issues, not just security vulns, then I've no problems with the
posting. Provided we can address the issue of accountability.

> You continue to want "accountability" for posting this sort of
> information, yet you still haven't justified its need, beyond list
> unsubscription. Unsubscription requires a unique email address, not a
> real name. Litigation requires a real name. Unless and until you
> explain the use to which you expect such accountability to be put,
> we will continue to speculate. And speculation thus far has run
> to litigation.

I've actually spoken at length to why I think this is critical.

>
> If the purpose is ensuring obvious slurs don't make it to the list,
> one must wonder whether or not the moderator's role doesn't already
> cover that purpose, regardless of the name attached to a potential
> list post?
>

It does and obvious slurs would or should be dropped out of hand. This is
not the issue here.

> If the purpose is to ensure full and accurate posting of information,
> are you implying that by associating one's true identity with a
> post,

Actually accuracy is not at stake here. It's tough for me to be an expert
on every posting which goes to the list.

> all misinformation and mistakes will be eliminated? I think
> not.

Mistakes will never be purged from this list or any other, nor likely will
misinformation be purged. The goal here is to enforce an atmosphere
where both vendor and poster have equal standing. The vendor is already
being called to the carpet in full regalia - why not the poster?

> And, barring moving to something akin to an in-person key-signing, how
> do you intend to verify the names attached to a given post are
> real, and if real, are actually the identity of the poster?

I'm struggling with this one. Although PGP keys signed by trusted third
parties or known third parties are a really good idea. You could even
maintain anonymity with this. Mind you, it has its own attendant issues of
'who is trusted and why'.

>
> I think you've forgotten that this is the Internet, and many of us are,
> in fact, dogs.
>

Oh no. I have never lost sight of that.

-al

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT