
Re: [Full-Disclosure] Cisco's stolen code

Subject: Re: [Full-Disclosure] Cisco's stolen code
Date: Tue, 25 May 2004 14:26:55 -0700 (PDT)
--- madsaxon <madsaxon@direcway.com> wrote:
At 10:45 AM 5/25/2004 -0700, Harlan Carvey wrote:

Valdis,

I sincerely hope that you do not presume to speak
for everyone...

He's not offering an opinion, merely stating a fact:
if whitehats are security researchers who don't
break the law, then they don't audit code the
possession of which is illegal.  The only
debatable point here is the definition of
"whitehat," but that's really just a matter of semantics.
This code is the proprietary property of Cisco.
Anyone who knowingly examines it or even possesses
it without Cisco's permission is in violation of
the law in most countries, and therefore not,
by definition, acting as a "whitehat."

m5x

_______________________________________________
Full-Disclosure - We're afraid to back it up

Which law?  Does this mean whitehats will start
recognizing EULAs pertaining to proprietary property?
True it may not be source, but it's still property!
Are whitehats going to limit themselves to just
sourceforge projects (hell iDefense already does)?

White hats are starting to sound as holy as the
Knights Templar, and they also seem to be picking up the
Templar's ethics of attacking in the "grey areas" of
the law.

I agree that whitehats should only audit and/or "find"
security holes in software in which they are invited
or allowed to do so.  But isn't the whole point of the
word full in full-disclosure to expose flaws that the
owners of the property don't want known?  Sounds like a
greyhat/blackhat mailing list to me.

Challenging the corporations and not the law doesn't
make you a whitehat, it just makes you weak.
