[Full-Disclosure] win2kup2date.exe ?

Barry Fitzgerald bkfsec at sdf.lonestar.org
Mon Sep 13 19:19:34 BST 2004


VX Dude wrote:

>
>I have a sad feeling that I am alone about this.  If I
>am, then I really pity you guys.
>
>Stinny FranCisco, CISSP
>Internet Sniper
>eDefense Inc.

I tend to agree with you.  However, there are a couple of things to 
consider:

   1) Disclosure tends to refer to information.  Now, malware is
      technically information -- but not in the sense that people think
      of "information" as.  People read the list expecting vulnerability
      releases and fixes.  Adding malware distribution to the list of
      services the list provides could further muddy the already muddied
      waters that come with having an unmoderated security list.

   2) This increase in list traffic and bandwidth may be problematic
      for people without fully dedicated internet connections or those
      pay-per-time period internet connections.  FD may not be the most
      appropriate place for this traffic.  A new list may be more
      appropriate.

   3) Let's face it -- in many corners of the world, distributing
      malware isn't entirely legal.  FD might be put into legal jeopardy
      because of this.  I don't know where FD is based out of, but here
      in the states, the DMCA and other fascism-inspired laws have been
      used to shut down security research.  Ideally, the "list" would be
      set up within a non-treaty laden country.

Now, I for one think that keeping malware off the list isn't going to 
stop a determined person with hostile intentions.  Having said that, it 
is a worthy discussion and I certainly respect everyone who has brought 
up those concerns.  But, I think that you're generally correct, VX Dude, 
in that keeping this stuff off the list is not entirely compatible with 
full disclosure philosophy.  These are all points to think about, 
though.  It's really up to the list owners and what they want.

             -Barry






Full-Disclosure is hosted and sponsored by Secunia.