[Full-Disclosure] win2kup2date.exe ?
bkfsec at sdf.lonestar.org
Mon Sep 13 19:19:34 BST 2004
VX Dude wrote:
>I have a sad feeling that I am alone about this. If I
>am, then I really pity you guys.
>Stinny FranCisco, CISSP
I tend to agree with you. However, there are a couple of things to
1) Disclosure tends to refer to information. Now, malware is
technically information -- but not in the sense that people think of
"information" as. People read the list expecting vulnerability releases
and fixes. Adding malware distribution to the list of services the list
provides could further muddy the already muddied waters that come with
having an unmoderated security list.
2) This increase in list traffic and bandwidth may be problematic
for people without fully dedicated internet connections or those
pay-per-time period internet connections. FD may not be the most
appropriate place for this traffic. A new list may be more appropriate.
3) Let's face it -- in many corners of the world, distributing
malware isn't entirely legal. FD might be put into legal jeopardy
because of this. I don't know where FD is based out of, but here in
the states, the DMCA and other fascism-inspired laws have been used to
shut down security research. Ideally, the "list" would be set up within
a non-treaty laden country.
Now, I for one think that keeping malware off the list isn't going to
stop a determined person with hostile intentions. Having said that, it
is a worthy discussion and I certainly respect everyone who has brought
up those concerns. But, I think that you're generally correct, VX Dude,
in that keeping this stuff off the list is not entirely compatible with
full disclosure philosophy. These are all points to think about,
though. It's really up to the list owners and what they want.
Full-Disclosure is hosted and sponsored by Secunia.