Re: Product review postings (was Administrivia)
From: Alfred Huger <ah(at)securityfocus.com>
Date: Tue Jul 08 2003 - 15:54:55 EDT

On Tue, 8 Jul 2003, Mark C. Langston wrote:

> On Tue, Jul 08, 2003 at 12:52:16PM -0600, Alfred Huger wrote:

The body of your mail spoke to the chilling effect of policy limiting vuln disclosure, the DMCA etc. I agree, your points do still stand but for another argument.

> Product reviews are going to contain negative information, if such

If the vulns are previously undisclosed then this is not the Forum for them. No one is stopping people from posting them but do so in the right Forum. If the vulns are known and included in a review which touches on a series of issues not just security vulns then I've no problems with the posting. Provided we can address the issue of accountability.

> You continue to want "accountability" for posting this sort of

I've actually spoken at length to why I think this is critical.

>

It does and obvious slurs would or should be dropped out of hand. This is not the issue here.

> If the purpose is to ensure full and accurate posting of information,

Actually accuracy is not at stake here. It's tough for me to be an expert on every posting which goes to the list.

> all misinformation and mistakes will be eliminated? I think

Mistakes will never be purged from this list or any other nor likely will misinformation be purged. The goal here is to enforce an atmosphere where both vendor and poster have equal standing. The vendor is already being called to the carpet in full regalia - why not the poster?

> And, barring moving to something akin to an in-person key-signing, how

I'm struggling with this one. Although PGP keys signed from trusted third parties or known third parties is a really good idea. You could even maintain anonymity with this. Mind you it has its own attendant issues of 'who is trusted and why'.

>

Oh no. I have never lost sight of that.

-al

Received on Tue Jul 8 17:29:06 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:39 EDT