Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Public Review of OIS Security VulnerabilityReporting and ResponseGuidelines
From: "Gregh" <chows () ozemail com au>
Date: Thu, 8 Jul 2004 22:44:33 +1000

----- Original Message ----- 
From: "ET LoWNOISE" <et () cyberspace org>
To: "Fred Mobach" <fred () mobach nl>
Cc: <bugtraq () securityfocus com>; "OIS" <announcements () oisafety org>;
<NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>; <full-disclosure () lists netsys com>
Sent: Thursday, July 08, 2004 12:56 PM
Subject: [Full-disclosure] Re: Public Review of OIS Security
VulnerabilityReporting and ResponseGuidelines

Instead of publishing personal opinions over the OIS, its better to
focus on the Guideline again. The Process is based entirely on the vendor
but not on the customers, going against the "efforts to safeguard
customers". Even the participants group doesnt include them as
active part of the process.

My response to the OIS is rather a simple one:

1) Someone decide upon a "source" to where all reports can go no matter what
is in them. This source should be at an unable to be easily identified email

2) Source picks them all up and without fear or favour redistributes them in
the same manner. Eg, if you are worried about being identified and hit by
the authorities then don't include anything that can identify you as only
the text of the letter is to be reproduced. People email "an address" in
order to get on or off the list depending on how it is run by "the source".

I can do the above and I admit I am nowhere near the ability of most in the
security field so I am sure there is someone who can do it. If the list
maintainer is careful, I find it hard to believe anyone not wishing
identification (which is basically self gratification) would be found.

Thus, any rules people do not wish to adhere to (eg, governments thinking
that anything to do with security is basically hacking etc) don't have to be
adhered to.

If anyone gets enough guts to think this is a good idea and do it, do me a
favour and call it either "Anarchy" or "Friar Tuck's revelations" (for those
who don't understand, look up Spoonerisms and apply it to "Friar Tuck" which
is what those that are telling the security industry that they cant do their
jobs without being hit can do).

Oh and BTW, if you DO decide to do this, let me know! I want to be on it.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]