[Dshield] Re: [Larholm/PivX] Proxy attackers/hijackers

Barry Fitzgerald bkfsec at sdf.lonestar.org
Mon Oct 20 20:46:56 GMT 2003

Kenneth Porter wrote:

> --On Saturday, October 18, 2003 12:39 PM -0700 Thor Larholm 
> <thor at pivx.com> wrote:
>> That is why I made the page, to apply public scrutiny and
>> pressure on Microsoft for them to fix the vulnerabilities and change
>> their approach.
> I don't really care about MS and whether they fix things, except 
> insofar as machines of vulnerable home users attack mine. Your page 
> was valuable to me as ammunition to upper management in explaining why 
> I needed to deploy a different browser. With the pulling of the page, 
> they will now think that all problems are solved and security can be 
> de-funded. (Remember that we're dealing with PHB's who can't 
> communicate without PowerPoint slides.) I'm just glad I grabbed a copy 
> off the Google cache, and sad that it will no longer be maintained.

Well, now this has been an interesting conversation.

Let me say first and foremost that I feel that everyone here has valid 
points.  First, vendors need some flexibility with disclosure.  I'm only 
advocating some flexibility, however... the vendors out there who are 
threatening legal action to suppress disclosure or who are claiming that 
full disclosure hurts society are just flat out wrong, in my not so 
humble opinion.

Having said that vendors need some flexibility, I will never trust a 
vendor to protect my interests.  That is not why vendors are there.  
Vendors are there to sell products and to protect their capitalist 
interests.  I'm not saying that that's the way it should be, but that's 
reality.  That's the way that most vendors see it: protect the bottom 
line and the shareholder.  The customer's concerns only matter in so far 
as the bottom line might be affected.  This is not directly aimed at 
Microsoft, though it certainly applies to them.  This applies to ANY 
vendor, whether they sell proprietary or Free Software, or services 
around those pieces of software. 

As such, Microsoft may be changing its tune now, but one day people will 
become complacent about security again and security will no longer be a 
"profit-generating" attribute.  This is a cycle.  It *WILL* happen.  It 
is a historical inevitability. 

So, we can't sacrifice disclosure for anything.  Disclosure is not just 
a great marketing tool for the security admin to actually secure their 
site, it's also our best weapon against the darker corners of the 
internet.  Without disclosure, we are inherently vulnerable and can 
never make good decisions.

But, we can't trust corporations to be our venues for disclosure.  
Thor's opinion carries much weight, but he also has to put food on the 
table.  Capitalism supersedes the corporation as a pillar of society.  
The very idea of that notion of capitalism has been wiped out by the 
necessity of existence and its dynamic with corporate interest.

Disclosure is the job of the community... in so far as we can't tell 
members of security companies what to do, they should not have the right 
to tell us what to do.  If either side pushes the other on this, it is a 
slippery slope of monumental proportions...

Just my $0.02... :)
