Re: [Openpacket-devel] New Beta Site Live
From: Richard B. <tao...@gm...> - 2007-10-16 20:21:09
On 10/16/07, Aaron Turner <syn...@gm...> wrote:
>
> A properly worded terms of service/notice when uploading files should
> help here, but let's be honest here... Sooner or later the lawyers
> will come. If you haven't yet talked to a lawyer about CYA yet, you
> should. That being said, it's not your fault someone is stupid and
> uploads a pcap with their username/password in clear text and half the
> internet reads all their email. It should be the responsibility of
> the uploader to make sure the information they are providing isn't
> damaging.
>
> Asking you and your team of moderators to make that decision is quite
> onerous and can't possibly take into account different security
> requirements of each uploader. Example: the security requirements of
> a bank or gov't contractor would be quite different from something
> that came from a throwaway test lab at a security company doing
> exploit research. Basically, you'd have to be quite conservative
> which means rejecting anything with the slightest security risk.
>

Hi Aaron,

You make good points (as expected). If we can find a lawyer to donate some time to the project, then I will accept that help. Otherwise we'll have to err on the side of being conservative.

My goal with this project is to get *something* started, but not to solve the world's anonymized traffic repository problem. That has been a research topic for many years. The result usually means stripping everything about layer 4 and altering the addresses at layer 3.

I think at least declaring that we accept and publish full packet captures, allowing for rejection of sensitive data, is an improvement over the overly sanitized option or the incorrectly sanitized option.

Sincerely,

Richard