List: oss-security
Subject: Re: [oss-security] How to deal with reporters who don't want their bugs fixed?
From: Stiepan <stie () itk ! swiss>
Date: 2018-01-27 15:02:03
Message-ID: 9-jL1EFZob81hdKZAE8646fR5VeNxFQIxfAtnfzyRYZpvcVvb52EgIzPiJrAZ9gnM88j8xNjQK5eirL1bslyzdywhfGdEHDJcLmdR6Zx3DE= () itk ! swiss
I will try responding to both here: well, however flawed it might be and oftentimes is in practice, there is the universal Hippocratic oath in the case of medicine and it sort of works. That is what I meant, using possibly inadequate words.

If boilerplate agreement sounds better than a universal code of ethics for our profession (and I think this is attainable, not "universal ethics" taken out of context, making it an oxymoron), as long as the effects are with it, I don't think that wording should be the main issue at hand.

As for the Register's article, it gives this image - https://www.theregister.co.uk/Design/graphics/icons/404_img.jpg - in the guise of a 404 error, so I cannot form a proper opinion for the moment. Without reading it though, I cannot but see the parallel between Intel deactivating some CPU feature to make it secure and surgical ablation! There are (less mediatized) precedents of the like: see for instance how Apple had to remove Apple Pay history in a rush because it exposed an otherwise (provably?) secure enclave. What I do see in common here is that the end user's interests were sacrificed and some sold feature removed, to remedy a design flaw affecting the security of their information. If you remove the ICT Security professional glasses and take the more generic context of planned obsolescence into account, this becomes very interesting, and there are quite a few other examples of the like. Hence, a need probably arises to have an oath for ICT in general and not security in particular, sec. being what surgery is to general medicine, when not done preventively / by design, as we (CEuniX.world) and hopefully others are making every effort to do, instead of the "accept defeat" approach we hear so often from many vendors and even certification bodies, which is itself a reason to begin worrying about the status quo.
-------- Original message --------
On 26 Jan. 2018 18:48, Mikhail Utin wrote:
> I 100% agree with Solar's response. We should not limit our freedom to choose how we will
> handle our intellectual property. That is how I read the original statements below.
> Not to cause more discussion, but here is the example of how "universal ethics" work:
>
> https://www.theregister.co.uk/2018/01/25/intel_spectre_disclosed_flaws_november/
>
> Mikhail Utin, CISSP
>
> ________________________________
> From: Solar Designer
> Sent: Friday, January 26, 2018 12:16
> To: oss-security@lists.openwall.com
> Subject: Re: [oss-security] How to deal with reporters who don't want their bugs fixed?
>
> On Fri, Jan 26, 2018 at 10:23:49AM -0500, Stiepan wrote:
> > I think that clear rules might be welcome:
>
> I agree (specifically, I had suggested explicit maximum embargo times),
> but such rules must not be one and only industry standard. Anyone or
> any project may propose rules, and other projects are welcome to reuse
> those rules, but they must not have to - they could as well use
> different rules, or none. At best, a relatively non-controversial
> and brief boilerplate could end up being reused by many projects.
>
> > We as a profession should have a clear code of ethics
>
> No. Let's not use the word ethics. That word, except when explicitly
> referring to a particular person's or group's ethics, implies that when
> we (dis)agree or are judging others, we claim to be necessarily right -
> but in reality we're necessarily subjective.
>
> This would be just as flawed a concept/term as "responsible disclosure".
> (I refrain from using that term as well, except when pointing out just
> how unnecessarily judgemental it is - implying that other kinds of
> disclosure would have been "irresponsible" - but we're subjective.)
>
> > universal ethics' code
>
> That's an oxymoron. No such thing can possibly exist.
>
> Alexander @openwall.com>