Re: Product review postings (was Administrivia)

From: Mark C. Langston (mark@bitshift.org)
Date: Tue Jul 08 2003 - 17:35:21 EDT


On Tue, Jul 08, 2003 at 02:50:51PM -0600, Alfred Huger wrote:
>
>
> > I'm a bit boggled that you can look at both general and specific
> > instances in the software industry, but not specifically the security
> > industry, and somehow believe that "That can't happen here".
>
>
> I'm a bit boggled as to why you've not answered the question. I'll forgo
> everyone here the suspense. It's never happened for a product review in
> this industry - ever. And I am really quite sure it never will. Being a
> vendor mouthpiece I have the inside track don't forget.
>

Careful, Al. That's an awfully big brush you're using to delineate
black and white.

From SF's own website:

http://216.239.33.104/search?q=cache:ExzrKawYOn4J:www.securityfocus.com/news/323+sued+product+review&hl=en&ie=UTF-8

http://216.239.33.104/search?q=cache:DB85N0bAOo0J:www.silicon.com/news/500022/1/1031188.html+sued+product+review&hl=en&ie=UTF-8

NAI sued over their review ban. While true that NAI did not itself sue
a reviewer, it came close.

It should also serve to illustrate how the courts, and a few prominent
members of this industry, feel about such censorship or otherwise
chilling effects.

Then, there's the lawsuit Blackboard brought earlier this year:

http://216.239.57.104/search?q=cache:IbybyVSofhYJ:www.geek.com/news/geeknews/2003Apr/gee20030415019605.htm+sued+security+review&hl=en&ie=UTF-8

Though it contained vulnerabilities, one could term the disclosure a
comprehensive review of the product. It's just the nature of the beast
that, when dealing with security products, a major part of the review's
going to address how secure the product is. Where it falls short,
well, those are vulnerabilities.

So, we now find ourselves playing semantic games revolving around what
constitutes a "product review" versus what constitutes a "vulnerability
disclosure".

That, to me, appears to be a slippery slope best avoided.

Then, of course, outside our own industry, there are the lawsuits
brought against Consumer Reports by the auto industry over CR's
product reviews.

-- 
Mark C. Langston                                    Sr. Unix SysAdmin
mark@bitshift.org                                       mark@seti.org
Systems & Network Admin                                SETI Institute
http://bitshift.org                               http://www.seti.org


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:36 EDT