List:       dmca-discuss
Subject:    [DMCA_Discuss] Security expert proposes hackers' union
From:       Vladimir Katalov <vkatalov () elcomsoft ! com>
Date:       2003-11-20 9:07:53

Security expert proposes hackers' union
Last modified: November 19, 2003, 5:09 PM PST
By Robert Lemos 
Staff Writer, CNET News.com

http://news.com.com/2100-7355-5109642.html
           
A proposal to create an association to represent the interests of
hackers and vulnerability researchers is gaining support, a security
expert said Wednesday.

The group, which would be geared toward researchers and not software
vendors, would provide guidelines on vulnerability disclosures and
would lobby against legislation that could stifle security
researchers' ability to tinker with software. Nearly three-dozen
people have pledged financial support to help get the yet-unnamed
group started, said Thor Larholm, senior security researcher for PivX
Solutions.

"Initially, what has disturbed me was all the special-interest
organizations created by vendors for vendors," he said. "We want to do
something for security researchers, and it's not just about disclosure
policy, but about helping and supporting researchers."

The move, first publicly proposed on Tuesday to a security mailing
list, is the latest by hackers and security researchers to fight off
corporate public relations and government policies that aim to
suppress information about vulnerabilities from the public.

Security researchers and hackers have long worried that companies may
succeed in using the controversial Digital Millennium Copyright Act
(DMCA) to quell their reports of vulnerabilities in software products.
Several companies--including Adobe Systems, Diebold Election Systems,
GameSpy, Hewlett-Packard and SunComm Technologies--have used the DMCA
to go after amateur and professional researchers who have found flaws
in their products.

A criminal case, which resulted in the conviction of a system
administrator on a single charge of computer crime, was recently
overturned, but only after the researcher involved served out his
16-month sentence.

Any group that represents the interests of vulnerability researchers
could counter the Organization for Internet Safety--a group founded by
Microsoft and several security firms that perform work for the
software giant--which has proposed guidelines for the responsible
disclosure of flaws.

The new group would help security experts contact software makers,
make sure they are credited for their work, lobby against legislation
that blocks research, and in some cases, act as a proxy between
researchers and companies.

"The vast majority of researchers are reporting vulnerabilities on a
completely voluntary, noncontractual, noncommissioned basis, freely
helping the vendor to secure their products," Larholm said in an
e-mail to the security mailing list. "A lot of people have proposed
organizations that deal with one or another of these aspects, though
not all."

The public disclosure of software vulnerabilities originally gained
momentum in the early 1990s, because operating system and application
makers did not always respond to people who found security holes in
their products. By telling the public about the security problems, the
researchers ensured that software makers couldn't ignore the issue.

Many companies, such as Microsoft, hope to set guidelines for the
responsible disclosure of vulnerabilities. Larholm said any group
would make sure that the vulnerability researchers' interests also are
considered.

"Establishing an organization that represents security researchers is
not just for the good of the researchers themselves, it is for the
good of the community and industry as a whole," he wrote in the
e-mail.

_______________________________________________


------------------------
http://www.anti-dmca.org
------------------------

DMCA_Discuss mailing list
DMCA_Discuss@lists.microshaft.org
http://lists.microshaft.org/mailman/listinfo/dmca_discuss