[Dshield] Re: [Larholm/PivX] Proxy attackers/hijackers
bkfsec at sdf.lonestar.org
Mon Oct 20 20:46:56 GMT 2003
Kenneth Porter wrote:
> --On Saturday, October 18, 2003 12:39 PM -0700 Thor Larholm
> <thor at pivx.com> wrote:
>> That is why I made the page, to apply public scrutiny and
>> pressure on Microsoft for them to fix the vulnerabilities and change
> I don't really care about MS and whether they fix things, except
> insofar as machines of vulnerable home users attack mine. Your page
> was valuable to me as ammunition to upper management in explaining why
> I needed to deploy a different browser. With the pulling of the page,
> they will now think that all problems are solved and security can be
> de-funded. (Remember that we're dealing with PHB's who can't
> communicate without PowerPoint slides.) I'm just glad I grabbed a copy
> off the Google cache, and sad that it will no longer be maintained.
Well, now this has been an interesting conversation.
Let me say first and foremost that I feel that everyone here has valid
points. First, vendors need some flexibility with disclosure. I'm only
advocating some flexibility, however... the vendors out there who are
threatening legal action to suppress disclosure or who are claiming that
full disclosure hurts society are just flat out wrong, in my not so
Having said that vendors need some flexibility, I will never trust a
vendor to protect my interests. That is not why vendors are there.
Vendors are there to sell products and to protect their capitalist
interests. I'm not saying that that's the way it should be, but that's
reality. That's the way that most vendors see it: protect the bottom
line and the shareholder. The customer's concerns only matter insofar
as the bottom line might be affected. This is not directly aimed at
Microsoft, though it certainly applies to them. This applies to ANY
vendor, whether they sell proprietary or Free Software, or services
around those pieces of software.
As such, Microsoft may be changing its tune now, but one day people will
become complacent about security again and security will no longer be a
"profit-generating" attribute. This is a cycle. It *WILL* happen. It
is a historical inevitability.
So, we can't sacrifice disclosure for anything. Disclosure is not just
a great marketing tool for the security admin to actually secure their
site, it's also our best weapon against the darker corners of the
internet. Without disclosure, we are inherently vulnerable and can
never make good decisions.
But, we can't trust corporations to be our venues for disclosure.
Thor's opinion carries much weight, but he also has to put food on the
table. Capitalism supersedes the corporation as a pillar of society.
The very idea of that notion of capitalism has been wiped out by the
necessity of existence and its dynamic with corporate interest.
Disclosure is the job of the community... insofar as we can't tell
members of security companies what to do, they should not have the right
to tell us what to do. If either side pushes the other on this, it is a
slippery slope of monumental proportions...
Just my $0.02... :)