Re: Product review postings (was Administrivia)

From: Mark C. Langston (markat_private)
Date: Tue Jul 08 2003 - 14:35:21 PDT


    On Tue, Jul 08, 2003 at 02:50:51PM -0600, Alfred Huger wrote:
    > 
    > 
    > > I'm a bit boggled that you can look at both general and specific
    > > instances in the software industry, but not specifically the security
    > > industry, and somehow believe that "That can't happen here".
    > 
    > 
    > I'm a bit boggled as to why you've not answered the question. I'll forgo
    > everyone here the suspense. It's never happened for a product review in
    > this industry - ever. And I am really quite sure it never will. Being a
    > vendor mouthpiece I have the inside track don't forget.
    > 
    
    
    Careful, Al.  That's an awfully big brush you're using to delineate
    black and white.
    
    From SF's own website:
    
    http://216.239.33.104/search?q=cache:ExzrKawYOn4J:www.securityfocus.com/news/323+sued+product+review&hl=en&ie=UTF-8
    
    
    http://216.239.33.104/search?q=cache:DB85N0bAOo0J:www.silicon.com/news/500022/1/1031188.html+sued+product+review&hl=en&ie=UTF-8
    
    NAI sued over their review ban.  While true that NAI did not itself sue
    a reviewer, it came close.
    
    It should also serve to illustrate how the courts, and a few prominent
    members of this industry, feel about such censorship or otherwise
    chilling effects.
    
    Then, there's the lawsuit Blackboard brought earlier this year:
    
    http://216.239.57.104/search?q=cache:IbybyVSofhYJ:www.geek.com/news/geeknews/2003Apr/gee20030415019605.htm+sued+security+review&hl=en&ie=UTF-8
    
    Though it contained vulnerabilities, one could term the disclosure a 
    comprehensive review of the product.  It's just the nature of the beast
    that, when dealing with security products, a major part of the review's
    going to address how secure the product is.  Where it falls short,
    well, those are vulnerabilities.
    
    So, we now find ourselves playing semantic games revolving around what
    constitutes a "product review" versus what constitutes a "vulnerability
    disclosure".
    
    That, to me, appears to be a slippery slope best avoided.
    
    Then, of course, outside our own industry, there are the lawsuits
    brought against Consumer Reports by the auto industry over CR's 
    product reviews.
    
    
    
    -- 
    Mark C. Langston                                    Sr. Unix SysAdmin
    markat_private                                       markat_private
    Systems & Network Admin                                SETI Institute
    http://bitshift.org                               http://www.seti.org
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 15:59:37 PDT