Re: [VulnWatch] Details of Sybase ASE bugs withheld

[sean <infamous41md () hotpop com>]

On Mon, 21 Mar 2005 21:50:22 -0000
"David Litchfield" <davidl () ngssoftware com> wrote:

> Hey Halvar,
> > am I understanding this correctly ? Sybase is threatening "something"
> > so that the technical details of the vulnerability are kept secret
> > indefinitely ?
>
> Yes - you understand correctly. Needless to say I hope all of this can be 
> resolved amicably; and the details will be published.
>
> > This is a rather curious development. Are the pre/post patch versions
> > freely downloadable ?
>
> To be honest, I don't know, but if the patch is freely downloadable, let's 
> face it, the "details" are there to anyone with a disassembler, anyway. This 
> kind of legal threat achieves nothing other than to make legit researchers 
> fearful about being sued if they find and publish security issues - even if 
> they do so in a responsible manner. In such a climate security research will 
> be driven underground - which is where the "good guys" really don't want it 
> to be.
>
>
> Cheers,
> David Litchfield
> Research Scientist
> NGSSoftware Ltd
> http://www.ngssoftware.com/

Pardon my ignorance, but on what legal grounds can they do anything if you tell
them f' off and release anyway?  This is absolute insanity.  Who do they think
they are?  They don't own your intellectual property.  I'd call their bluff if I
were you, but then again I'm not ;)

-- 
[ sean ]