On Tue, Jul 08, 2003 at 12:52:16PM -0600, Alfred Huger wrote: > On Tue, 8 Jul 2003, Mark C. Langston wrote: > > > So you will now require all vulnerabilities posted to be traceable back > > to the individual who discovered and/or publicized the vulnerability? > > > Of course not but that's not at stake here. This list is not for vuln > disclosure there are more appropriate venues for that. Vulnwatch, Bugtraq, > Vuln-dev to name a few. My mistake. s/vulnerabilit[y,ies]/critical information/g and my points stand (I do believe the term you used was "critical information" instead of "vulnerability"). Product reviews are going to contain negative information, if such exists. Some of that information may be, "$FOO is vulnerable in @LIST_OF_WAYS." Some will simply be related to performance, configuration, documentation, and other shortcomings. You continue to want "accountability" for posting this sort of information, yet you still haven't justified its need, beyond list ubsubscription. Unsubscription requires an unique email address, not a real name. Litigation requires a real name. Unless and until you explain the use to which you expect such accountability to be put, we willl continue to speculate. And speculation thus far has run to litigation. If the purpose is ensuring obvious slurs don't make it to the list, one must wonder whether or not the moderator's role doesn't already cover that purpose, regardless of the name attached to a potential list post? If the purpose is to ensure full and accurate posting of information, are you implying that by associating one's true identity with a post, all misinformation and mistakes will be eliminated? I think not. I'm just as likely to mis-state a capability out of haste, laziness, disinterest, or what-have-you with as without my real name attached to a post. The same holds true for everyone else. Those interested in posting accurate information will do so, regardless of the nym or name used. Those interested only in substance-free attacks on products will produce them irrespective of the content of the From: line. And, barring moving to something akin to an in-person key-signing, how do you intend to verify the names attached to a given post are real, and if real, are actually the identity of the poster? I think you've forgotten that this is the Internet, and many of us are, in fact, dogs. -- Mark C. Langston Sr. Unix SysAdmin markat_private markat_private Systems & Network Admin SETI Institute http://bitshift.org http://www.seti.org --------------------------------------------------------------------------- The Lightning Console aggregates IDS events, correlates them with vulnerability info, reduces false positives with the click of a button, anddistributes this information to hundreds of users. Visit Tenable Network Security at http://www.tenablesecurity.com to learn more. ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 12:43:38 PDT