Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)

[Adam Shostack <adam@homeport.org>]

On Tue, Feb 19, 2002 at 08:05:19AM -0600, Stu Green wrote:
| Steve,
| Given an environment that will be affected by Digital Rights Management
| and inherant potential DMCA
| 'violations' the definition of vague might take on alternate meaning.
|  If a suspected vulnerability can not
| be detailed for fear of infringing on the publisher's copyright, a vague
| presentation might be required until
| the aforementioned publisher deems it reasonable to allow the
| vulnerability to be thoroughly documented.
| Whatever the ramifications are, the case of Adobe and Dmitry Sklyarov
| sets an uncomfortable precedent.

I'd like to suggest that this case is quanlitatively different:
CD-VAGUE suggests that the vendor confirms a vulnerability
CD-DMCA suggests that a researcher has stated a vulnerability exists.

In the latter case, the vulnerability may be disputed, its effects may 
be disputed, and there may be no fix available.  Indeed, CD-DMCA may
interact with other CDs regarding precision, codebases, etc.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume