[11562] in cryptography@c2.net mail archive
Re: the underground software vulnerability marketplace and its hazards
daemon@ATHENA.MIT.EDU (Ben Laurie)
Thu Aug 22 16:08:37 2002
Date: Thu, 22 Aug 2002 19:41:50 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Adam Back <adam@cypherspace.org>
Cc: Steve Schear <schear@lvcm.com>, cypherpunks@lne.com,
Cryptography <cryptography@wasabisystems.com>
Adam Back wrote:
> I think HP were wrong, and find their actions in trying to use legal
> scare tactics reprehensible: they should either negotiate a price, or
> wait for the information to become generally available.
Amen.
Incidentally I was put under a lot of pressure when releasing the
OpenSSL advisory a few weeks ago to allow CERT to notify "vendors"
before going on general release. I have a big problem with this - who
decides who are "vendors", and how? And why should I abide by their
decision? Why should I pick CERT and not some other route to release the
information?
Also, if the "vendors" were playing the free software game properly,
they wouldn't _need_ advance notification - their customers would have
source, and could apply the patches, just like real humans.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
Available for contract work.
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List