I agree -- Ascension is also complicit in this, and merely paying lip-service to HIPAA. The Senator's letter, on the other hand, paints a one-sided picture of the matter.
Where the argument is rooted is helpful in determining if any sort of compromise or "seeing the other's viewpoint" can be had.
- Beliefs: Lowest level, simply held to be true. Arguments at this level cannot change anyone's mind and are a pointless waste of time
- Values: Higher up, what you value more. Still deep, but some middle ground is possible with a lot of effort
- Morals: Right or wrong; middle ground and compromise or a change of mind are possible
- Ethics: Top level, just morals put into action. Easiest to argue/change minds.
I genuinely liked your opening statement (disagreeing...)
I am sorry to hear you had such a raw experience. Maybe you were dealing with pretty clueless engineers, since most do realize a buffer overflow should be treated as exploitable unless proven otherwise. I've had a better experience trying to argue the cost of the fix -- it being pretty low was incentive enough for engineering to fix it.
That said, I am worried evilsocket may not be taken seriously next time he finds a vulnerability with CVSS 9.9. To some extent I am surprised by his argument about not knowing the CVSS scoring rubric. There may have been a language barrier at play as well, leading to some of his sentences coming across as more abrasive than they should have been.
We must first precisely define the "level of security" that is expected from OpenSSH and a commercial version. Only then would the discussion about who can guarantee what make sense.