"Marcus J. Ranum" wrote:
>
> Darren Reed writes:
> >So are you suggesting that perhaps it is time software such as ISS, etc,
> >to not only be made available with strict controls over which targets
> >they can be used against (article about this went to bugtraq some time
> >ago) but also be required for those buying the product/license keys
> >in order to undertake such work ? I think this is almost inevitable.
>
> So do I. Indeed, I think that it may boil down to some kind of
> professional certification being necessary. There are analogs
> to this - locksmithing certification, federal firearms license, etc.
> That's part of what I meant about how that grey area is going to
> get real thin, soon.
>

I don't understand. So I need to be "certified" to write a tool like ISS. And if I write a single exploit? It's hard to make a difference when talking about laws. So only some "professionals" could publish exploits, while hackers would continue to write them. This means that "full disclosure" would die, but exploits would survive.

As you know, many companies denied the existence of vulnerabilities, even when published, until an exploit was published too. Do you think that those few "certified" companies and professionals would work against Microsoft's interest just to add or publish vulnerabilities that nobody cares about because Microsoft says they don't exist? IMHO this is straight Security Through Obscurity.

Easy-to-use hacker tools are the price we must pay for better overall security. Nobody said "we need a certification" when somebody was hacked because of an old sendmail; they just said "update your server".

So let's find a solution to DDoS, and a lot of other problems, that is really a solution (or part of it). Like removing ISPs from BGP if they don't use ingress filtering, without asking them about performance problems. We are trying to deal with spam without law enforcement: black lists and Acceptable Use Policies. IMHO DDoS is not worse.
ciao - Claudio -- Claudio Telmon claudioat_private http://www.telmon.org
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:03 PDT