From lyger at attrition.org Wed Jan 14 02:40:47 2009
From: lyger at attrition.org (lyger)
Date: Wed, 14 Jan 2009 02:40:47 +0000 (UTC)
Subject: [attrition] postal: bleeding like a mob hit
Message-ID: 

http://attrition.org/postal/p0018.html

trivial pursuit
we don't care about apathy
shall we make a trade?
domo arigato major domo
sprinkles
but he digresses
coke fiends
is the bitch dead or not?
my name is glen (how many fingers?)
god meets logic
[...]

From jericho at attrition.org Tue Jan 20 04:48:40 2009
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 20 Jan 2009 04:48:40 +0000 (UTC)
Subject: [attrition] errata: Legal Threats Against Security Researchers
Message-ID: 

http://attrition.org/errata/legal_threats/

Legal Threats Against Security Researchers
How vendors try to save face by stifling legitimate research

It has been clear for years that businesses have dropped ethics in favor of profit. Protecting the bottom line is usually more important than doing the right thing, even if it means providing a better product to their customers. Companies fear negative publicity, especially if said publicity challenges the security of their products. It doesn't matter that just about every company and product ships with numerous vulnerabilities, and adding security is a band-aid solution rather than an integral part of the development life cycle.

Rather than work with researchers who are frequently providing what would otherwise be high-dollar specialized consulting for free, some companies opt to go take the muddy road and pursue legal action against the researchers. This action is one of desperation, an attempt to silence and stifle legitimate research and free speech. Invariably, this ends up being a huge negative PR move, much worse than what would occur with the publication of said research without the legal murk.

[Table with companies, researchers and incidents]