<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_01_11_1640232</id>
	<title>Firm To Release Database, Web Server 0-Days</title>
	<author>CmdrTaco</author>
	<datestamp>1263196800000</datestamp>
	<htmltext>krebsonsecurity writes <i>"January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a <a href="http://www.krebsonsecurity.com/2010/01/firm-to-release-database-web-server-0days/">slew of previously undocumented vulnerabilities</a> in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called "responsible disclosure" policy,' Legerov said."</i></htmltext>
<tokenext>krebsonsecurity writes " January promises to be a busy month for Web server and database administrators alike : A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products , including MySQL , Tivoli , IBM DB2 , Sun Directory , and a host of others , writes krebsonsecurity.com .
From the blog : 'After working with the vendors long enough , we 've come to conclusion that , to put it simply , it is a waste of time .
Now , we do not contact with vendors and do not support so-called " responsible disclosure " policy, ' Legerov said .
"</tokentext>
<sentencetext>krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com.
From the blog: 'After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time.
Now, we do not contact with vendors and do not support so-called "responsible disclosure" policy,' Legerov said.
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729562</id>
	<title>Re:Is it just me?</title>
	<author>FlyingBishop</author>
	<datestamp>1263207540000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I initially read it as "Film to drop database, Web Server 0-days"</p></htmltext>
<tokenext>I initially read it as " Film to drop database , Web Server 0-days "</tokentext>
<sentencetext>I initially read it as "Film to drop database, Web Server 0-days"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727818</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30730950</id>
	<title>Re:Irresponsible</title>
	<author>arth1</author>
	<datestamp>1263213780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>IMO, "responsible disclosure" is "<i>We</i> will disclose in 30/60/90 days (depending on severity of bug and how much manpower is needed to fix it) -- <b>you</b> are now responsible for getting a fix to your customer before then".<br>Too many companies think that "responsible disclosure" means that they get to decide whether to disclose, and all responsibility is on the ones rude enough to find the problem.  I.e. shoot the messenger.</p><p>A few (luckily few) companies even send their lawyers after anyone who tells them about security flaws.  In which case I don't think it's in any way wrong to choose to not risk dealing with the company, but instead do an anonymous disclosure -- that way, the paying customers can at least be alerted and take precautions, even if the company doesn't fix it.</p><p>(As for "0-day", it's not zero-day anymore when a flaw has been disclosed.  Zero-day exploits are those that occur <i>before</i> a public disclosure.  I know I'm fighting a losing battle here, because most everyone uses the term wrong to mean first-day exploits.)</p></htmltext>
<tokenext>IMO , " responsible disclosure " is " We will disclose in 30/60/90 days ( depending on severity of bug and how much manpower is needed to fix it ) -- you are now responsible for getting a fix to your customer before then " .
Too many companies think that " responsible disclosure " means that they get to decide whether to disclose , and all responsibility is on the ones rude enough to find the problem .
I.e. shoot the messenger .
A few ( luckily few ) companies even send their lawyers after anyone who tells them about security flaws .
In which case I do n't think it 's in any way wrong to choose to not risk dealing with the company , but instead do an anonymous disclosure -- that way , the paying customers can at least be alerted and take precautions , even if the company does n't fix it .
( As for " 0-day " , it 's not zero-day anymore when a flaw has been disclosed .
Zero-day exploits are those that occur before a public disclosure .
I know I 'm fighting a losing battle here , because most everyone uses the term wrong to mean first-day exploits .
)</tokentext>
<sentencetext>IMO, "responsible disclosure" is "We will disclose in 30/60/90 days (depending on severity of bug and how much manpower is needed to fix it) -- you are now responsible for getting a fix to your customer before then".
Too many companies think that "responsible disclosure" means that they get to decide whether to disclose, and all responsibility is on the ones rude enough to find the problem.
I.e. shoot the messenger.
A few (luckily few) companies even send their lawyers after anyone who tells them about security flaws.
In which case I don't think it's in any way wrong to choose to not risk dealing with the company, but instead do an anonymous disclosure -- that way, the paying customers can at least be alerted and take precautions, even if the company doesn't fix it.
(As for "0-day", it's not zero-day anymore when a flaw has been disclosed.
Zero-day exploits are those that occur before a public disclosure.
I know I'm fighting a losing battle here, because most everyone uses the term wrong to mean first-day exploits.
)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727974</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30730518</id>
	<title>Bounties</title>
	<author>Anonymous</author>
	<datestamp>1263211560000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>So, what's wrong with bug bounties? Why can't Russian hackers expect to be paid for their hard work hacking American software and documenting vulnerabilities?</p><p>The fact is, there's already a bug market. If you're a hacker without morals, you can already make good money off security flaws, by selling them to criminals directly. But, if you should do the world a public service by pointing out these security breaches to the software vendor, not only will they threaten to sue you if you publish, but no reward will be coming.</p><p>Of course, by offering rewards, you're creating perverse incentives for people to find bugs. Also, you're creating a bidding war between the criminals who want to know bugs to exploit them, and the legitimate software vendors...</p></htmltext>
<tokenext>So , what 's wrong with bug bounties ?
Why ca n't Russian hackers expect to be paid for their hard work hacking American software and documenting vulnerabilities ?
The fact is , there 's already a bug market .
If you 're a hacker without morals , you can already make good money off security flaws , by selling them to criminals directly .
But , if you should do the world a public service by pointing out these security breaches to the software vendor , not only will they threaten to sue you if you publish , but no reward will be coming .
Of course , by offering rewards , you 're creating perverse incentives for people to find bugs .
Also , you 're creating a bidding war between the criminals who want to know bugs to exploit them , and the legitimate software vendors ...</tokentext>
<sentencetext>So, what's wrong with bug bounties?
Why can't Russian hackers expect to be paid for their hard work hacking American software and documenting vulnerabilities?
The fact is, there's already a bug market.
If you're a hacker without morals, you can already make good money off security flaws, by selling them to criminals directly.
But, if you should do the world a public service by pointing out these security breaches to the software vendor, not only will they threaten to sue you if you publish, but no reward will be coming.
Of course, by offering rewards, you're creating perverse incentives for people to find bugs.
Also, you're creating a bidding war between the criminals who want to know bugs to exploit them, and the legitimate software vendors...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30735128</id>
	<title>Re:Responsible Disclosure</title>
	<author>ThePhilips</author>
	<datestamp>1263297660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p> It is statistically highly improbable (impossible) to release any relatively complex application without bugs.</p> </div><p> QA is not a feature. QA is a process. Any software except helloworld.c has bugs. The question is how a company deals with the problems after deployment.</p><p> The modus operandi of many businesses is to go into "Sold!" state after the deal is sealed: the customer already paid the money, so we don't care anymore.</p><p><div class="quote"><p> Once you release the software the use cases and use environments multiply like rabbits with Viagra.</p> </div><p> Not really.</p><p> I have seen statistics about testing which showed that software without any testing (or with developer unit tests only) had orders of magnitude more bugs compared to software which had undergone testing with very low coverage (10-25%).</p><p> What it says is whether a company pays attention to quality or not. Many do not. Then bugs do the "multiply" thing.</p><p> P.S. I have also seen pathological cases where companies <i>intentionally</i> test cases which are rare/nonexistent in the real world, because they refused to support as official features what customers usually do with the product. On paper it looks cool: the software is tested, etc. But in the end customers are still treated like alpha testers.</p></div>
	</htmltext>
<tokenext>It is statistically highly improbable ( impossible ) to release any relatively complex application without bugs .
QA is not a feature .
QA is a process .
Any software except helloworld.c has bugs .
The question is how a company deals with the problems after deployment .
The modus operandi of many businesses is to go into " Sold ! " state after the deal is sealed : the customer already paid the money , so we do n't care anymore .
Once you release the software the use cases and use environments multiply like rabbits with Viagra .
Not really .
I have seen statistics about testing which showed that software without any testing ( or with developer unit tests only ) had orders of magnitude more bugs compared to software which had undergone testing with very low coverage ( 10-25 % ) .
What it says is whether a company pays attention to quality or not .
Many do not .
Then bugs do the " multiply " thing .
P.S. I have also seen pathological cases where companies intentionally test cases which are rare/nonexistent in the real world , because they refused to support as official features what customers usually do with the product .
On paper it looks cool : the software is tested , etc .
But in the end customers are still treated like alpha testers .</tokentext>
<sentencetext> It is statistically highly improbable (impossible) to release any relatively complex application without bugs.
QA is not a feature.
QA is a process.
Any software except helloworld.c has bugs.
The question is how a company deals with the problems after deployment.
The modus operandi of many businesses is to go into "Sold!" state after the deal is sealed: the customer already paid the money, so we don't care anymore.
Once you release the software the use cases and use environments multiply like rabbits with Viagra.
Not really.
I have seen statistics about testing which showed that software without any testing (or with developer unit tests only) had orders of magnitude more bugs compared to software which had undergone testing with very low coverage (10-25%).
What it says is whether a company pays attention to quality or not.
Many do not.
Then bugs do the "multiply" thing.
P.S. I have also seen pathological cases where companies intentionally test cases which are rare/nonexistent in the real world, because they refused to support as official features what customers usually do with the product.
On paper it looks cool: the software is tested, etc.
But in the end customers are still treated like alpha testers.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729752</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30731330</id>
	<title>Re:Why not?</title>
	<author>Anonymous</author>
	<datestamp>1263216060000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Is it better to keep quiet?</p><p>That depends on whether there is an infinite number of vulnerabilities or not. If it is infinite, maybe it would be better to just fix those that the bad guys find.</p></htmltext>
<tokenext>Is it better to keep quiet ?
That depends on whether there is an infinite number of vulnerabilities or not .
If it is infinite , maybe it would be better to just fix those that the bad guys find .</tokentext>
<sentencetext>Is it better to keep quiet?
That depends on whether there is an infinite number of vulnerabilities or not.
If it is infinite, maybe it would be better to just fix those that the bad guys find.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727654</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729752</id>
	<title>Re:Responsible Disclosure</title>
	<author>Low Ranked Craig</author>
	<datestamp>1263208260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It is statistically highly improbable (impossible) to release any relatively complex application without bugs.  Testing in a controlled environment, even highly rigorous testing, is still testing in a controlled env.  Once you release the software the use cases and use environments multiply like rabbits with Viagra.</p><p>Or is my sarcasm meter buggy?</p></htmltext>
<tokenext>It is statistically highly improbable ( impossible ) to release any relatively complex application without bugs .
Testing in a controlled environment , even highly rigorous testing , is still testing in a controlled env .
Once you release the software the use cases and use environments multiply like rabbits with Viagra .
Or is my sarcasm meter buggy ?</tokentext>
<sentencetext>It is statistically highly improbable (impossible) to release any relatively complex application without bugs.
Testing in a controlled environment, even highly rigorous testing, is still testing in a controlled env.
Once you release the software the use cases and use environments multiply like rabbits with Viagra.
Or is my sarcasm meter buggy?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727964</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728250</id>
	<title>Re:What's up with the confusing article title?</title>
	<author>Stavr0</author>
	<datestamp>1263202800000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p><div class="quote"><p>Firm To Drop Database, Web Server 0-Days</p></div><p>The verb <em>to drop</em> has specific meaning w.r.t. databases. A few more words in the title would have been acceptable.</p> </div><p>Perhaps "Firm to GRANT SELECT ON database, web server 0-days TO PUBLIC"</p></div>
	</htmltext>
<tokenext>Firm To Drop Database , Web Server 0-Days
The verb to drop has specific meaning w.r.t. databases .
A few more words in the title would have been acceptable .
Perhaps " Firm to GRANT SELECT ON database , web server 0-days TO PUBLIC "</tokentext>
<sentencetext>Firm To Drop Database, Web Server 0-Days
The verb to drop has specific meaning w.r.t. databases.
A few more words in the title would have been acceptable.
Perhaps "Firm to GRANT SELECT ON database, web server 0-days TO PUBLIC"
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729266</id>
	<title>Re:Responsible Disclosure</title>
	<author>Anonymous</author>
	<datestamp>1263206400000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext>This doesn't sound like either responsible or irresponsible disclosure.  It sounds like plain old extortion.  Notice he does not say he provided the vendor with the vulnerability info, just that he contacted the vendor.  Calling a vendor and saying 'you have a vulnerability, pay me x and I will tell you what it is, don't pay and I'll tell everyone else' is not 'being responsible', it is extortion.   Given that he must now resort to a blanket 'from now on I'll just release it' threat he must be getting pretty desperate.  Frankly, I have no trouble believing that IBM/Tivoli and Sun/MySQL would not bat an eye at an extortion attempt, but I find it hard to believe they would not fix an actual vulnerability if it was reported as such.</htmltext>
<tokenext>This does n't sound like either responsible or irresponsible disclosure .
It sounds like plain old extortion .
Notice he does not say he provided the vendor with the vulnerability info , just that he contacted the vendor .
Calling a vendor and saying 'you have a vulnerability , pay me x and I will tell you what it is , do n't pay and I 'll tell everyone else ' is not 'being responsible ' , it is extortion .
Given that he must now resort to a blanket 'from now on I 'll just release it ' threat he must be getting pretty desperate .
Frankly , I have no trouble believing that IBM/Tivoli and Sun/MySQL would not bat an eye at an extortion attempt , but I find it hard to believe they would not fix an actual vulnerability if it was reported as such .</tokentext>
<sentencetext>This doesn't sound like either responsible or irresponsible disclosure.
It sounds like plain old extortion.
Notice he does not say he provided the vendor with the vulnerability info, just that he contacted the vendor.
Calling a vendor and saying 'you have a vulnerability, pay me x and I will tell you what it is, don't pay and I'll tell everyone else' is not 'being responsible', it is extortion.
Given that he must now resort to a blanket 'from now on I'll just release it' threat he must be getting pretty desperate.
Frankly, I have no trouble believing that IBM/Tivoli and Sun/MySQL would not bat an eye at an extortion attempt, but I find it hard to believe they would not fix an actual vulnerability if it was reported as such.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727668</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727790</id>
	<title>Nice short term marketing gimic</title>
	<author>Megaweapon</author>
	<datestamp>1263201240000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>"Pay attention to us, we'll disclose everything up front before everyone else!  BTW, here's our products and services."</p></htmltext>
<tokenext>" Pay attention to us , we 'll disclose everything up front before everyone else !
BTW , here 's our products and services .
"</tokentext>
<sentencetext>"Pay attention to us, we'll disclose everything up front before everyone else!
BTW, here's our products and services.
"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729234</id>
	<title>Re:Responsible Disclosure</title>
	<author>EvanED</author>
	<datestamp>1263206280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>Responsible Disclosure is like "pro choice" or "pro life". It is a deliberately positive term for purely demagogic reasons. You can't be for irresponsible disclosure, just like you can't be against choice or against life.</i></p><p>I sometimes wonder if anything would have been different if, before the Iraq invasion, the sides were commonly known as the "pro-peace" and "anti-peace" positions.</p></htmltext>
<tokenext>Responsible Disclosure is like " pro choice " or " pro life " .
It is a deliberately positive term for purely demagogic reasons .
You ca n't be for irresponsible disclosure , just like you ca n't be against choice or against life .
I sometimes wonder if anything would have been different if , before the Iraq invasion , the sides were commonly known as the " pro-peace " and " anti-peace " positions .</tokentext>
<sentencetext>Responsible Disclosure is like "pro choice" or "pro life".
It is a deliberately positive term for purely demagogic reasons.
You can't be for irresponsible disclosure, just like you can't be against choice or against life.
I sometimes wonder if anything would have been different if, before the Iraq invasion, the sides were commonly known as the "pro-peace" and "anti-peace" positions.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727728</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727654</id>
	<title>Why not?</title>
	<author>Monkeedude1212</author>
	<datestamp>1263200760000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>FTFA:</p><p><div class="quote"><p>At issue is the pesky ethical and practical question of whether airing a software vendor’s dirty laundry (the unpatched security flaws that they know about but haven’t fixed yet) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret</p></div><p>Hasn't this been proven to be true - and legal?</p><p>In all honesty, if they've contacted the vendor and the vendor hasn't patched it in a month or two, I think it's completely ethical and practical to release the vulnerabilities. After all, there could be a few other small firms who have discovered the vulnerability and are exploiting it. Best to put them out there in a Twitter feed so that the entire world instantly complains about it, forcing the vendor to fix it. I prefer security over new features.</p></div>
	</htmltext>
<tokenext>FTFA : At issue is the pesky ethical and practical question of whether airing a software vendor 's dirty laundry ( the unpatched security flaws that they know about but have n't fixed yet ) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret
Has n't this been proven to be true - and legal ?
In all honesty , if they 've contacted the vendor and the vendor has n't patched it in a month or two , I think it 's completely ethical and practical to release the vulnerabilities .
After all , there could be a few other small firms who have discovered the vulnerability and are exploiting it .
Best to put them out there in a Twitter feed so that the entire world instantly complains about it , forcing the vendor to fix it .
I prefer security over new features .</tokentext>
<sentencetext>FTFA: At issue is the pesky ethical and practical question of whether airing a software vendor’s dirty laundry (the unpatched security flaws that they know about but haven’t fixed yet) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret
Hasn't this been proven to be true - and legal?
In all honesty, if they've contacted the vendor and the vendor hasn't patched it in a month or two, I think it's completely ethical and practical to release the vulnerabilities.
After all, there could be a few other small firms who have discovered the vulnerability and are exploiting it.
Best to put them out there in a Twitter feed so that the entire world instantly complains about it, forcing the vendor to fix it.
I prefer security over new features.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30738586</id>
	<title>Disclosure</title>
	<author>fulldecent</author>
	<datestamp>1263317340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I am currently in the midst of a "responsible disclosure" nightmare, involving NDAs, the FBI, SEC and an online investment bank. For as much work, no pay and no recognition this "responsible" behavior is getting me, I don't know what is worth it.</p><p>Also, any advice on responsible disclosure in online financial situations would be appreciated.</p><p>Thanks.</p></htmltext>
<tokenext>I am currently in the midst of a " responsible disclosure " nightmare , involving NDAs , the FBI , SEC and an online investment bank .
For as much work , no pay and no recognition this " responsible " behavior is getting me , I do n't know what is worth it .
Also , any advice on responsible disclosure in online financial situations would be appreciated .
Thanks .</tokentext>
<sentencetext>I am currently in the midst of a "responsible disclosure" nightmare, involving NDAs, the FBI, SEC and an online investment bank.
For as much work, no pay and no recognition this "responsible" behavior is getting me, I don't know what is worth it.
Also, any advice on responsible disclosure in online financial situations would be appreciated.
Thanks.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728534</id>
	<title>Re:Responsible Disclosure</title>
	<author>mcgrew</author>
	<datestamp>1263203880000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>What does not kill it makes it stronger.<br></i><br>Tell "what does not kill me makes me stronger" to a brain-damaged man in a wheelchair. If there were no attacks, vulns would be little problem. As it is, your AV takes up a good chunk of your computer's resources and the botnets still send tons of spam.</p></htmltext>
<tokenext>What does not kill it makes it stronger .
Tell " what does not kill me makes me stronger " to a brain-damaged man in a wheelchair .
If there were no attacks , vulns would be little problem .
As it is , your AV takes up a good chunk of your computer 's resources and the botnets still send tons of spam .</tokentext>
<sentencetext>What does not kill it makes it stronger.
Tell "what does not kill me makes me stronger" to a brain-damaged man in a wheelchair.
If there were no attacks, vulns would be little problem.
As it is, your AV takes up a good chunk of your computer's resources and the botnets still send tons of spam.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727702</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728160</id>
	<title>Re:What's up with the confusing article title?</title>
	<author>noidentity</author>
	<datestamp>1263202500000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>3</modscore>
	<htmltext>Yes, I assumed this was an article about a firm dropping support for a database and webserver without any notice (perhaps a DRM-supplying company or something). Just below this headline is another misleading one, "CES Vendors Kicked Out of Hotels For Showcasing Wares in Room", which suggests they were showing pirated software.</htmltext>
<tokenext>Yes , I assumed this was an article about a firm dropping support for a database and webserver without any notice ( perhaps a DRM-supplying company or something ) .
Just below this headline is another misleading one , " CES Vendors Kicked Out of Hotels For Showcasing Wares in Room " , which suggests they were showing pirated software .</tokentext>
<sentencetext>Yes, I assumed this was an article about a firm dropping support for a database and webserver without any notice (perhaps a DRM-supplying company or something).
Just below this headline is another misleading one, "CES Vendors Kicked Out of Hotels For Showcasing Wares in Room", which suggests they were showing pirated software.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728984</id>
	<title>Economics</title>
	<author>MikeURL</author>
	<datestamp>1263205440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>My eyes started to glaze over but the ecosystem seems to go like this.  Researcher discovers vulnerability, sells it to companies that buy that kind of info, then reports it to the company that made the flawed software.
<br> <br>
One assumes that all the big anti-virus vendors buy the info from the vulnerability clearinghouse thus giving their users some measure of 0-day protection.  Eventually the flawed software should be patched and all is well.
<br> <br>
It isn't clear in this case why the researchers care if the flaw is eventually fixed.  They make their money selling the vulnerability to the clearinghouse that then resells the data to the anti-virus companies.  Or I could be all wrong.</htmltext>
<tokenext>My eyes started to glaze over but the ecosystem seems to go like this .
Researcher discovers vulnerability , sells it to companies that buy that kind of info , then reports it to the company that made the flawed software .
One assumes that all the big anti-virus vendors buy the info from the vulnerability clearinghouse thus giving their users some measure of 0-day protection .
Eventually the flawed software should be patched and all is well .
It is n't clear in this case why the researchers care if the flaw is eventually fixed .
They make their money selling the vulnerability to the clearinghouse that then resells the data to the anti-virus companies .
Or I could be all wrong .</tokentext>
<sentencetext>My eyes started to glaze over but the ecosystem seems to go like this.
Researcher discovers vulnerability, sells it to companies that buy that kind of info, then reports it to the company that made the flawed software.
One assumes that all the big anti-virus vendors buy the info from the vulnerability clearinghouse thus giving their users some measure of 0-day protection.
Eventually the flawed software should be patched and all is well.
It isn't clear in this case why the researchers care if the flaw is eventually fixed.
They make their money selling the vulnerability to the clearinghouse that then resells the data to the anti-virus companies.
Or I could be all wrong.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729036</id>
	<title>Re:Responsible Disclosure</title>
	<author>Stormcrow309</author>
	<datestamp>1263205680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I thought it was 'what doesn't kill me cripples me for life'...</p></htmltext>
<tokenext>I thought it was 'what does n't kill me cripples me for life'.. .</tokentext>
<sentencetext>I thought it was 'what doesn't kill me cripples me for life'...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727732</id>
	<title>Huh?</title>
	<author>EkriirkE</author>
	<datestamp>1263201000000</datestamp>
	<modclass>Redundant</modclass>
	<modscore>-1</modscore>
	<htmltext>If they are dropping the database, then the problem "disappears".  How can they release the info if they DROP DATABASE?</htmltext>
<tokenext>If they are dropping the database , then the problem " disappears " .
How can they release the info if they DROP DATABASE ?</tokentext>
<sentencetext>If they are dropping the database, then the problem "disappears".
How can they release the info if they DROP DATABASE?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732874</id>
	<title>Re:Responsible Disclosure</title>
	<author>galego</author>
	<datestamp>1263227100000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>And to make the waters muddier... how about throwing this into the mix... to whom is the 'responsible' part of responsible disclosure? If I paid for software (e.g. IBM DB2 and other commercial vendors are on the list), the company needs to be responsible and disclose the issue to me if it was disclosed to them (... IMO).  How many vendors do that when a security researcher/firm 'responsibly' discloses a vulnerability/exploit to them (with or without embargo date)?</p><p>There's more than one angle for responsibility in the debate.</p></htmltext>
<tokenext>And to make waters muddier ... how about throwing this in the mix ... to whom is the 'responsible ' part of responsible disclosure ?
If I paid for software ( .e.g IBM DB2 and other commercial vendors are on the list ) , the company needs to be responsible and disclose the issue to me if it was disclosed to them ( ... IMO ) . How many vendors do that when a security researcher/firm 'responsibly ' discloses a vulnerability/exploit to them ( with or without embargo date ) ? There 's more than one angle for responsibility in the debate .</tokentext>
<sentencetext>And to make waters muddier ... how about throwing this in the mix ... to whom is the 'responsible' part of responsible disclosure?
If I paid for software (.e.g IBM DB2 and other commercial vendors are on the list), the company needs to be responsible and disclose the issue to me if it was disclosed to them (... IMO).  How many vendors do that when a security researcher/firm 'responsibly' discloses a vulnerability/exploit to them (with or without embargo date)?There's more than one angle for responsibility in the debate.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727728</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588</id>
	<title>Responsible Disclosure</title>
	<author>Anonymous</author>
	<datestamp>1263200520000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>The alternative to responsible disclosure is irresponsible disclosure. Is that really better?</htmltext>
<tokenext>The alternative to responsible disclosure is irresponsible disclosure .
Is that really better ?</tokentext>
<sentencetext>The alternative to responsible disclosure is irresponsible disclosure.
Is that really better?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30730396</id>
	<title>Call it "Limited disclosure"</title>
	<author>jonaskoelker</author>
	<datestamp>1263211020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>Responsible Disclosure [...] is a deliberately positive term for purely demagogic reasons.</p></div><p>Which is why I advocate calling it "Limited disclosure".  That's a value-neutral term that fairly accurately describes it---and about as precisely as you can be in only two words.</p><p>Or call that other thing "Effective disclosure" if you feel a need to play the game of rhetoric.</p></htmltext>
<tokenext>Responsible Disclosure [ ... ] is a deliberately positive term for purely demagogic reasons.Which is why I advocate calling it " Limited disclosure " .
That 's a value-neutral term that fairly accurately describes it---and about as precisely as you can be in only two words.Or call that other thing " Effective disclosure " if you feel a need to play the game of rhetoric .</tokentext>
<sentencetext>Responsible Disclosure [...] is a deliberately positive term for purely demagogic reasons.Which is why I advocate calling it "Limited disclosure".
That's a value-neutral term that fairly accurately describes it---and about as precisely as you can be in only two words.Or call that other thing "Effective disclosure" if you feel a need to play the game of rhetoric.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727728</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728098</id>
	<title>Re:What's up with the confusing article title?</title>
	<author>Anonymous</author>
	<datestamp>1263202200000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext><div class="quote"><div class="quote"><p>Firm To Drop Database, Web Server 0-Days</p></div><p>The verb <em>to drop</em> has specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:</p><p><em>Fed-up security firm to release Database &amp; Web Server vulnerabilities publicly</em></p><p>Look at how much more information is conveyed in that second title. A work of beauty, it is.</p></div><p>In the submit story page, your proposed headline would look like:</p><div class="quote"><p>Fed-up security firm to release Database &amp; Web Ser</p></div><p>See how it truncates?</p></htmltext>
<tokenext>Firm To Drop Database , Web Server 0-DaysThe verb to drop has specific meaning w.r.t .
databases. A few more words in the title would have been acceptable .
How about : Fed-up security firm to release Database &amp; Web Server vulnerabilities publicly Look at how much more information is conveyed in that second title .
A work of beauty , it is.In the submit story page , your proposed headline would look like : Fed-up security firm to release Database &amp; Web SerSee how it truncates ?</tokentext>
<sentencetext>Firm To Drop Database, Web Server 0-DaysThe verb to drop has specific meaning w.r.t.
databases. A few more words in the title would have been acceptable.
How about: Fed-up security firm to release Database &amp; Web Server vulnerabilities publicly Look at how much more information is conveyed in that second title.
A work of beauty, it is.In the submit story page, your proposed headline would look like:Fed-up security firm to release Database &amp; Web SerSee how it truncates?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732208</id>
	<title>Re:security theater gate crashers</title>
	<author>Anonymous</author>
	<datestamp>1263221820000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Brittany Spears vid? Is this 2002?</p></htmltext>
<tokenext>Brittany Spears vid ?
Is this 2002 ?</tokentext>
<sentencetext>Brittany Spears vid?
Is this 2002?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727938</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727974</id>
	<title>Re:Irresponsible</title>
	<author>GameMaster</author>
	<datestamp>1263201900000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>What he seems to be saying is that he's <b>already</b> told the companies and they've done <b>nothing</b>.  A better term for it might be "effective disclosure", in order to differentiate it from the proven-ineffective "responsible disclosure" advocated by the industry.</p></htmltext>
<tokenext>What he seems to be saying , is that he 's already told the companies and they 've done nothing .
A better term for it might be " effective disclosure " in order to differentiate itself from the , proven ineffective , " responsible disclosure " advocated by the industry .</tokentext>
<sentencetext>What he seems to be saying, is that he's already told the companies and they've done nothing.
A better term for it might be "effective disclosure" in order to differentiate itself from the, proven ineffective, "responsible disclosure" advocated by the industry.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727708</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652</id>
	<title>What's up with the confusing article title?</title>
	<author>Qubit</author>
	<datestamp>1263200760000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><div class="quote"><p>Firm To Drop Database, Web Server 0-Days</p></div><p>The verb <em>to drop</em> has specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:</p><p><em>Fed-up security firm to release Database &amp; Web Server vulnerabilities publicly</em></p><p>Look at how much more information is conveyed in that second title. A work of beauty, it is.</p></htmltext>
<tokenext>Firm To Drop Database , Web Server 0-DaysThe verb to drop has specific meaning w.r.t .
databases. A few more words in the title would have been acceptable .
How about : Fed-up security firm to release Database &amp; Web Server vulnerabilities publiclyLook at how much more information is conveyed in that second title .
A work of beauty , it is .</tokentext>
<sentencetext>Firm To Drop Database, Web Server 0-DaysThe verb to drop has specific meaning w.r.t.
databases. A few more words in the title would have been acceptable.
How about:Fed-up security firm to release Database &amp; Web Server vulnerabilities publiclyLook at how much more information is conveyed in that second title.
A work of beauty, it is.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727964</id>
	<title>Re:Responsible Disclosure</title>
	<author>Lally Singh</author>
	<datestamp>1263201840000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>God forbid vendors actually start testing their software *before* it's in the field.</p></htmltext>
<tokenext>God forbid vendors actually start testing their software * before * it 's in the field .</tokentext>
<sentencetext>God forbid vendors actually start testing their software *before* it's in the field.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729254</id>
	<title>I'd feel better if</title>
	<author>Ungrounded Lightning</author>
	<datestamp>1263206340000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p><i>I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.</i></p><p>I'd feel better if, rather than lumping all the vendors together and 0-day disclosing vulnerabilities found in any of them, Intevydis tracked which vendors failed to respond and continued to give the others warning.</p><p>Maybe a 3-strikes policy.  Or (for vendors with large products and lots of opportunities for bugs) a percentage of slow/no vs. fast fixes.</p><p>And the newbies should be assumed responsive until proven otherwise.</p><p>Seems to me that would put even more pressure on companies to be responsive, by giving the responsive among their competitors two additional advantages:<br>
&nbsp; - time to fix the bug, and<br>
&nbsp; - customer perception that the unresponsive vendor might be subject to sudden attacks due to disclosed vulnerabilities, when the responsive vendor would both get warnings and have a track record of fixing before disclosure.</p></htmltext>
<tokenext>I think that apparently the vendors are n't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner .
Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches .
Not the best business practices all the way around , but it 's the way it is.I 'd feed better if , rather than lumping all the vendors together and 0-day disclosing vulnerabilities found in any of them , Intevydis tracked which vendors failed to respond and continued to give the others warning.Maybe a 3-strikes policy .
Or ( for vendors with large products and lots of opportunities for bugs ) a percentage of slow/no vs. fast fixes.And the newbies should be assumed responsive until proven otherwise.Seems to me that would put even more pressure on companies to be responsive , by giving the responsive among their competitors two additional advantages :   - time to fix the bug , and   - customer perception that the unresponsive vendor might be subject to sudden attacks due to disclosed vulnerabilities when the responsive vendor would both get warnings and have a track record of fixing before disclosure .</tokentext>
<sentencetext>I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner.
Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches.
Not the best business practices all the way around, but it's the way it is.I'd feed better if, rather than lumping all the vendors together and 0-day disclosing vulnerabilities found in any of them, Intevydis tracked which vendors failed to respond and continued to give the others warning.Maybe a 3-strikes policy.
Or (for vendors with large products and lots of opportunities for bugs) a percentage of slow/no vs. fast fixes.And the newbies should be assumed responsive until proven otherwise.Seems to me that would put even more pressure on companies to be responsive, by giving the responsive among their competitors two additional advantages:
  - time to fix the bug, and
  - customer perception that the unresponsive vendor might be subject to sudden attacks due to disclosed vulnerabilities when the responsive vendor would both get warnings and have a track record of fixing before disclosure.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727668</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729034</id>
	<title>Re:Is it just me?</title>
	<author>bennomatic</author>
	<datestamp>1263205680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It's the hip-hop definition of 'drop', i.e., "Yo Dre! Drop me a funky-ass bass line!"</htmltext>
<tokenext>It 's the hip-hop definition of 'drop ' , i.e. , " Yo Dre !
Drop me a funky-ass bass line !
"</tokentext>
<sentencetext>It's the hip-hop definition of 'drop', i.e., "Yo Dre!
Drop me a funky-ass bass line!
"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727818</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727768</id>
	<title>So, what are they selling?</title>
	<author>0racle</author>
	<datestamp>1263201120000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext>Some firm draws up a press release that they're going to drop the bomb on every piece of software they could get their hands on that is used everywhere in the world for one thing or another.<br> <br>Right, what are they selling again?</htmltext>
<tokenext>Some firm draws up a press release that they 're going to drop the bomb on every piece of software they could get their hands on that is used everywhere in the world for one thing or another .
Right , what are they selling again ?</tokentext>
<sentencetext>Some firm draws up a press release that they're going to drop the bomb on every piece of software they could get their hands on that is used everywhere in the world for one thing or another.
Right, what are they selling again?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728944</id>
	<title>Re:Is it just me?</title>
	<author>b4dc0d3r</author>
	<datestamp>1263205260000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>1</modscore>
	<htmltext><p>It's a high concentration of words and/or phrases having overloaded meanings.  As technology develops, normal words acquire additional connotations, if not denotations.  Since this is a tech-oriented news aggregator, you should select the tech connotation first, then re-parse with non-tech meanings if that fails.</p><p>'Drop' in this case can be parsed in the sense of 'vendor drop', meaning 'deliver' or 'drop a bombshell'.  Not typical usage, but not uncommon.  0-days obviously refers to vulnerabilities, and conflated would refer to details of the vulnerabilities.</p><p>So it's valid, but potentially confusing.</p></htmltext>
<tokenext>It 's a high concentration of words and/or phrases having overloaded meanings .
As technology develops , normal words acquire additional connotations , if not denotations .
Since this is a tech-oriented news aggregator , you should select the tech connotation first , then re-parse with non-tech meanings if that fails .
'Drop ' in this case can be parsed in the sense of 'vendor drop ' , meaning 'deliver ' or 'drop a bombshell' .
Not typical usage , but not uncommon .
0-days obviously refers to vulnerabilities , and conflated would refer to details of the vulnerabilities.So it 's valid , but potentially confusing .</tokentext>
<sentencetext>It's a high concentration of words and/or phrases having overloaded meanings.
As technology develops, normal words acquire additional connotations, if not denotations.
Since this is a tech-oriented news aggregator, you should select the tech connotation first, then re-parse with non-tech meanings if that fails.
'Drop' in this case can be parsed in the sense of 'vendor drop', meaning 'deliver' or 'drop a bombshell'.
Not typical usage, but not uncommon.
0-days obviously refers to vulnerabilities, and conflated would refer to details of the vulnerabilities.So it's valid, but potentially confusing.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727818</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727938</id>
	<title>security theater gate crashers</title>
	<author>Theodore</author>
	<datestamp>1263201720000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>I welcome this.<br>In ancient ages past, we put up with "It's a theoretical attack, no one could actually execute it"...<br>to "group X has released a THEORETICAL working example of an attack to the public, so we fix it six months after revealing it to us"...<br>to "Here is how you fail... here is how to make you fail... FAIL!!!"</p><p>'responsible disclosure' is just wearing the nice guy badge...</p><p>You're the only one wearing the nice guy badge.</p><p>I'd rather see "Oh CRAP!  This thing in Word is broken!"  "Oh CRAP!  This thing in Excel is broken!"  "Oh CRAP!  I went to look at a Britney Spears vid and now can't move my mouse!  Why is my DSL light blinking a lot?"<br>And then see it fixed in a day or two (at most), rather than a month or two (if we're lucky).</p></htmltext>
<tokenext>I welcome this.In ancient ages past , we put up with " It 's a theoretical attack , no one could actually execute it " ...to " group X has released a THEORETICAL working example of an attack to the public , so we fix it six months after revealing it to us " ...to " Here is how you fail... here is how to make you fail.. .
FAIL ! ! ! " 'responsible disclosure ' is just wearing the nice guy badge...You 're the only one wearing the nice guy badge.I 'd rather see " Oh CRAP !
This thing in Word is broken !
" " Oh CRAP !
This thing in Excell is broken !
" " Oh CRAP !
I went to look at a brittany spears vid and now ca n't move my mouse !
Why is my DSL light blinking a lot ?
" And then see it fixed in a day or two ( at most ) , rather than a month or two ( if we 're lucky ) .</tokentext>
<sentencetext>I welcome this.In ancient ages past, we put up with "It's a theoretical attack, no one could actually execute it"...to "group X has released a THEORETICAL working example of an attack to the public, so we fix it six months after revealing it to us"...to "Here is how you fail... here is how to make you fail...
FAIL!!!"'responsible disclosure' is just wearing the nice guy badge...You're the only one wearing the nice guy badge.I'd rather see "Oh CRAP!
This thing in Word is broken!
"  "Oh CRAP!
This thing in Excell is broken!
"  "Oh CRAP!
I went to look at a brittany spears vid and now can't move my mouse!
Why is my DSL light blinking a lot?
"And then see it fixed in a day or two (at most), rather than a month or two (if we're lucky).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727708</id>
	<title>Irresponsible</title>
	<author>Anonymous</author>
	<datestamp>1263200940000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext>To clarify the summary, this guy isn't saying that he's not going to wait for companies to fix exploits before he releases them; he's saying he's <i>not going to tell the companies at all.</i> That, in my opinion, is very irresponsible. If you contact them and say you're going to release the information in 90 days regardless of their progress on a patch, fine, but to not warn them because of a few vendors who don't do their job is harmful to everyone.</htmltext>
<tokenext>To clarify the summary , this guy is n't saying that he 's not going to wait for companies to fix exploits before he releases them ; he 's saying he 's not going to tell the companies at all .
That , in my opinion , is very irresponsible .
If you contact them and say you 're going to release the information in 90 days regardless of their progress on a patch , fine , but to not warn them because of a few vendors who do n't do their job is harmful to everyone .</tokentext>
<sentencetext>To clarify the summary, this guy isn't saying that he's not going to wait for companies to fix exploits before he releases them; he's saying he's not going to tell the companies at all.
That, in my opinion, is very irresponsible.
If you contact them and say you're going to release the information in 90 days regardless of their progress on a patch, fine, but to not warn them because of a few vendors who don't do their job is harmful to everyone.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727744</id>
	<title>Re:Responsible Disclosure</title>
	<author>Anonymous</author>
	<datestamp>1263201060000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext><p>This is like punishment.</p><p>The irresponsible party in this case is the software vendor. If the vendor can't clean up their act, and at least work on fixing 0-day exploits, then public disclosure/humiliation is probably a good way to get at least some vendors to sit up, take note and do the right thing the next time around.</p><p>This sounds like a good case for establishing a procedure.</p><p>1. Contact vendor about exploit, with an expiry date.<br>2. Release information about exploit once date has expired, irrespective of whether the bug is fixed and the fix deployed.</p><p>Is there perhaps a clearing house for such things?</p></htmltext>
<tokenext>This is like punishment.The irresponsible party in this case , is the software vendor .
If the vendor ca n't clean up their act , and at least work on fixing 0-day exploits , then public disclosure/humiliation is probably a good way to get at least some vendor to sit up , take note and do the right thing the next time around.This sounds like a good case for establishing a procedure.1 .
Contact vendor about exploit , with an expiry date.2 .
Release information about exploit once date has expired , irrespective of whether bug is fixed , and the fix deployed.Is there perhaps a clearing house for such things ?</tokentext>
<sentencetext>This is like punishment.The irresponsible party in this case, is the software vendor.
If the vendor can't clean up their act, and at least work on fixing 0-day exploits, then public disclosure/humiliation is probably a good way to get at least some vendor to sit up, take note and do the right thing the next time around.This sounds like a good case for establishing a procedure.1.
Contact vendor about exploit, with an expiry date.2.
Release information about exploit once date has expired, irrespective of whether bug is fixed, and the fix deployed.Is there perhaps a clearing house for such things?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728920</id>
	<title>Bug bounties</title>
	<author>Anonymous</author>
	<datestamp>1263205200000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext>If more firms paid bounties for bugs found (as long as responsible disclosure is followed), you'd probably see a whole lot more security researchers content to follow responsible disclosure guidelines.  There's no guarantee that they'll keep that all a secret in any case, but to get the cash, you've got to sign a legal form with your company's information or be registered as a valid security analysis firm.  One of the biggest issues with these security analysis firms is that there's no way to tell most of the time if it's just a bunch of criminals hiding out under a corporate umbrella, or if they're bona fide security professionals.  And no jokes about them being one and the same... there's a huge difference; I've known (and in the case of those pros, I've worked with them) guys from both sides.  If a security firm refuses to be registered or refuses bounties, you know there's something fishy about them and it's time to contact local authorities.
<br> <br>
Then again, there's the big problem of many of the bugs that outside security firms report already being known and in a work backlog.  The realities of the industry are that capital isn't unlimited, time isn't unlimited, and sometimes important stuff doesn't get done because you just don't have enough qualified developers to throw at the problem.  Two years is fairly excessive for a security hole to sit around, but if a security firm is releasing exploits that it discovered and reported 6 months prior just because it "didn't see enough getting done", that's not being passionate about security, that's an attempt to commit extortion.</htmltext>
<tokenext>If more firms paid bounties for bugs found ( as long as responsible disclosure is followed ) , you 'd probably see a whole lot more security researchers content to follow responsible disclosure guidelines .
There 's no guarantee that they 'll keep that all a secret in any case , but to get the cash , you 've got to sign a legal form with your company 's information or be registered as a valid security analysis firm .
One of the biggest issues with these security analysis firms is that there 's no way to tell most of the time if it 's just a bunch of criminals hiding out under a corporate umbrella , or if they 're bonafide security professionals .
And no jokes about them being one and the same...there 's a huge difference , I 've known ( and in the case of those pros , I 've worked with them ) guys from both sides .
If a security firm refuses to be registered or refuses bounties , you know there 's something fishy about them and it 's time to contact local authorities .
Then again , there 's the big problem with many of the bugs that outside security firms reporting being already known and in a work backlog .
The realities of the industry is that capital is n't unlimited , time is n't unlimited , and sometimes , important stuff does n't get done because you just do n't have enough qualified developers to throw at the problem .
Two years is fairly excessive for a security hole to sit around , but if a security firm is releasing exploits that it discovered and reported 6 months prior just because it " did n't see enough getting done " , that 's not being passionate about security , that 's an attempt to commit extortion .</tokentext>
<sentencetext>If more firms paid bounties for bugs found (as long as responsible disclosure is followed), you'd probably see a whole lot more security researchers content to follow responsible disclosure guidelines.
There's no guarantee that they'll keep that all a secret in any case, but to get the cash, you've got to sign a legal form with your company's information or be registered as a valid security analysis firm.
One of the biggest issues with these security analysis firms is that there's no way to tell most of the time if it's just a bunch of criminals hiding out under a corporate umbrella, or if they're bonafide security professionals.
And no jokes about them being one and the same...there's a huge difference, I've known (and in the case of those pros, I've worked with them) guys from both sides.
If a security firm refuses to be registered or refuses bounties, you know there's something fishy about them and it's time to contact local authorities.
Then again, there's the big problem with many of the bugs that outside security firms reporting being already known and in a work backlog.
The realities of the industry is that capital isn't unlimited, time isn't unlimited, and sometimes, important stuff doesn't get done because you just don't have enough qualified developers to throw at the problem.
Two years is fairly excessive for a security hole to sit around, but if a security firm is releasing exploits that it discovered and reported 6 months prior just because it "didn't see enough getting done", that's not being passionate about security, that's an attempt to commit extortion.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729306</id>
	<title>Soviet RUSSIA!!!!!!</title>
	<author>Anonymous</author>
	<datestamp>1263206520000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>In Soviet Russia information is releasing YOU!</p></htmltext>
<tokenext>In Soviet Russia information is releasing YOU !</tokentext>
<sentencetext>In Soviet Russia information is releasing YOU!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728798</id>
	<title>Re:Responsible Disclosure</title>
	<author>flimflammer</author>
	<datestamp>1263204720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><i>I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.</i> <br> <br>

The problem I have with this is that they have grown annoyed with a few specific vendors not doing anything about the vulnerabilities, and have decided instead to widely expose many vulnerabilities from vendors they have not ever even talked to. If you're not even going to try to talk to any vendors at all, even vendors with whom you've never spoken at any point in the past, I would consider that quite irresponsible.</htmltext>
<tokenext>I think that apparently the vendors are n't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner .
Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches .
Not the best business practices all the way around , but it 's the way it is .
The problem I have with this is that they have grown annoyed with a few specific vendors not doing anything about the vulnerabilities , and have decided instead to widely expose many vulnerabilities from vendors they have not ever even talked to .
If you 're not even going to try to talk to any vendors at all , even vendors with whom you 've never spoken at any point in the past , I would consider that quite irresponsible .</tokentext>
<sentencetext>I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner.
Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches.
Not the best business practices all the way around, but it's the way it is.
The problem I have with this is that they have grown annoyed with a few specific vendors not doing anything about the vulnerabilities, and have decided instead to widely expose many vulnerabilities from vendors they have not ever even talked to.
If you're not even going to try to talk to any vendors at all, even vendors with whom you've never spoken at any point in the past, I would consider that quite irresponsible.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727668</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728316</id>
	<title>Re:What's up with the confusing article title?</title>
	<author>tag</author>
	<datestamp>1263203040000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><div class="quote"><p>The verb <em>to drop</em> has specific meaning w.r.t. databases.</p></div><p>There's an <a href="http://xkcd.com/327/" title="xkcd.com" rel="nofollow">xkcd</a> [xkcd.com] for that.</p>
	</htmltext>
<tokenext>The verb to drop has specific meaning w.r.t. databases .
There 's an xkcd [ xkcd.com ] for that .</tokentext>
<sentencetext>The verb to drop has specific meaning w.r.t. databases.
There's an xkcd [xkcd.com] for that.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30733178</id>
	<title>Damn right</title>
	<author>Sean</author>
	<datestamp>1263229620000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>You tell 'em Legerov. You have absolutely no obligation to work with vendors or projects. If they don't help you fix bugs, they should expect to hear from you in the comment at the top of your PoC.</p></htmltext>
<tokenext>You tell 'em Legerov .
You have absolutely no obligation to work with vendors or projects .
If they do n't help you fix bugs , they should expect to hear from you in the comment at the top of your PoC .</tokentext>
<sentencetext>You tell 'em Legerov.
You have absolutely no obligation to work with vendors or projects.
If they don't help you fix bugs, they should expect to hear from you in the comment at the top of your PoC.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732604</id>
	<title>Re:Responsible Disclosure</title>
	<author>turbidostato</author>
	<datestamp>1263224880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"If there were no attacks, vulns would be little problem"</p><p>There are attacks *because* there are vulnerabilities.</p><p>"As it is, your AV takes up a good chunk of your computer's resources and the botnets still send tons of spam."</p><p>May it be because shoddy software vendors are still unwilling to do something *real* about it?</p></htmltext>
<tokenext>" If there were no attacks , vulns would be little problem "
There are attacks * because * there are vulnerabilities .
" As it is , your AV takes up a good chunk of your computer 's resources and the botnets still send tons of spam . "
May it be because shoddy software vendors are still unwilling to do something * real * about it ?</tokentext>
<sentencetext>"If there were no attacks, vulns would be little problem"
There are attacks *because* there are vulnerabilities.
"As it is, your AV takes up a good chunk of your computer's resources and the botnets still send tons of spam."
May it be because shoddy software vendors are still unwilling to do something *real* about it?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729208</id>
	<title>The watering-down of "0-day"</title>
	<author>Captain Spam</author>
	<datestamp>1263206220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>But... if these were vulnerabilities that this firm has known about for <b>products which have been released for some time now</b>, plus they've been sitting on this information for a while, how exactly are they 0-day exploits?</p></htmltext>
<tokenext>But... if these were vulnerabilities that this firm has known about for products which have been released for some time now , plus they 've been sitting on this information for a while , how exactly are they 0-day exploits ?</tokentext>
<sentencetext>But... if these were vulnerabilities that this firm has known about for products which have been released for some time now, plus they've been sitting on this information for a while, how exactly are they 0-day exploits?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732404</id>
	<title>Re:Responsible Disclosure</title>
	<author>Anonymous</author>
	<datestamp>1263223440000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Why should they?  That deprives them of revenue.  We can do the testing for them, and we'll pay them for doing it.</p><p>How this became acceptable, I do not know.</p></htmltext>
<tokenext>Why should they ?
That deprives them of revenue .
We can do the testing for them , and we 'll pay them for doing it .
How this became acceptable , I do not know .</tokentext>
<sentencetext>Why should they?
That deprives them of revenue.
We can do the testing for them, and we'll pay them for doing it.
How this became acceptable, I do not know.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727964</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728676</id>
	<title>Re:Why not?</title>
	<author>SwashbucklingCowboy</author>
	<datestamp>1263204300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"if they've contacted the vendor and the vendor hasn't patched it in a month or two"</p><p>A month or two is not enough time.</p></htmltext>
<tokenext>" if they 've contacted the vendor and the vendor has n't patched it in a month or two "
A month or two is not enough time .</tokentext>
<sentencetext>"if they've contacted the vendor and the vendor hasn't patched it in a month or two"
A month or two is not enough time.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727654</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728794</id>
	<title>Re:So, what are they selling?</title>
	<author>Blakey Rat</author>
	<datestamp>1263204720000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>From the blurb in the summary, it sounds like "jackassery."</p></htmltext>
<tokenext>From the blurb in the summary , it sounds like " jackassery . "</tokentext>
<sentencetext>From the blurb in the summary, it sounds like "jackassery."</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727768</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728292</id>
	<title>Better handled through a service like Wikileaks?</title>
	<author>Anonymous</author>
	<datestamp>1263202980000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>It seems only slightly less irresponsible to publicly disclose exploits without making companies aware of them than it is for companies to disregard known security flaws in their own products.</p><p>RFPolicy struck me as the best compromise, but maybe there's room for a third-party service to hold exploit information in escrow for a defined period of time then release it.  If a company knew that they had a couple of months to fix a problem at the outset, and that nothing was going to stop publication, that could provide additional encouragement to address the problem.</p><p>At the expense, of course, of being a really crappy way to treat companies who ARE proactive about their security issues, especially as a security researcher doesn't always necessarily have the full picture of what's necessary to fix the problem in cases where it's intertwined with required software features.  That's probably the most significant aspect of RFPolicy -- the dialogue and collaboration between security researcher and software developer to determine the scope of the problem and the potential solutions.</p></htmltext>
<tokenext>It seems only slightly less irresponsible to publicly disclose exploits without making companies aware of them than it is for companies to disregard known security flaws in their own products .
RFPolicy struck me as the best compromise , but maybe there 's room for a third-party service to hold exploit information in escrow for a defined period of time then release it .
If a company knew that they had a couple of months to fix a problem at the outset , and that nothing was going to stop publication , that could provide additional encouragement to address the problem .
At the expense , of course , of being a really crappy way to treat companies who ARE proactive about their security issues , especially as a security researcher does n't always necessarily have the full picture of what 's necessary to fix the problem in cases where it 's intertwined with required software features .
That 's probably the most significant aspect of RFPolicy -- the dialogue and collaboration between security researcher and software developer to determine the scope of the problem and the potential solutions .</tokentext>
<sentencetext>It seems only slightly less irresponsible to publicly disclose exploits without making companies aware of them than it is for companies to disregard known security flaws in their own products.
RFPolicy struck me as the best compromise, but maybe there's room for a third-party service to hold exploit information in escrow for a defined period of time then release it.
If a company knew that they had a couple of months to fix a problem at the outset, and that nothing was going to stop publication, that could provide additional encouragement to address the problem.
At the expense, of course, of being a really crappy way to treat companies who ARE proactive about their security issues, especially as a security researcher doesn't always necessarily have the full picture of what's necessary to fix the problem in cases where it's intertwined with required software features.
That's probably the most significant aspect of RFPolicy -- the dialogue and collaboration between security researcher and software developer to determine the scope of the problem and the potential solutions.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732692</id>
	<title>Re:Why not?</title>
	<author>turbidostato</author>
	<datestamp>1263225780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"A month or two is not enough time."</p><p>Being that the case is that when a zero-day exploit is published big names are able to respond within hours I'll bet that yes, a month or two is quite enough.  Of course, if you ask the question to the vendors themselves they'll want to answer that even the whole eternity is not enough for them since actually they don't give a damn about security unless heavily pressed to do so (as it happens to be the case after a zero-day exploit is in the wild).</p></htmltext>
<tokenext>" A month or two is not enough time . "
Being that the case is that when a zero-day exploit is published big names are able to respond within hours I 'll bet that yes , a month or two is quite enough .
Of course , if you ask the question to the vendors themselves they 'll want to answer that even the whole eternity is not enough for them since actually they do n't give a damn about security unless heavily pressed to do so ( as it happens to be the case after a zero-day exploit is in the wild ) .</tokentext>
<sentencetext>"A month or two is not enough time."
Being that the case is that when a zero-day exploit is published big names are able to respond within hours I'll bet that yes, a month or two is quite enough.
Of course, if you ask the question to the vendors themselves they'll want to answer that even the whole eternity is not enough for them since actually they don't give a damn about security unless heavily pressed to do so (as it happens to be the case after a zero-day exploit is in the wild).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728676</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728896</id>
	<title>Re:What's up with the confusing article title?</title>
	<author>Qubit</author>
	<datestamp>1263205080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>In the submit story page, your proposed headline would look...</p></div><p>Yeah, but <em>one</em> person looks at the headline on the Submit Story page. Then an editor pokes it with a stick. All the rest of Slashdot reads it on the front page.</p><p>I always figured that the editors ruthlessly edit the headlines, as is their Cowboy-Neal-granted right. Maybe they don't even bother to do that anymore...</p>
	</htmltext>
<tokenext>In the submit story page , your proposed headline would look...
Yeah , but one person looks at the headline on the Submit Story page .
Then an editor pokes it with a stick .
All the rest of Slashdot reads it on the front page .
I always figured that the editors ruthlessly edit the headlines , as is their Cowboy-Neal-granted right .
Maybe they do n't even bother to do that anymore ...</tokentext>
<sentencetext>In the submit story page, your proposed headline would look...
Yeah, but one person looks at the headline on the Submit Story page.
Then an editor pokes it with a stick.
All the rest of Slashdot reads it on the front page.
I always figured that the editors ruthlessly edit the headlines, as is their Cowboy-Neal-granted right.
Maybe they don't even bother to do that anymore...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728098</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729814</id>
	<title>Headline style</title>
	<author>Anonymous</author>
	<datestamp>1263208440000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>Firm To Drop Database, Web Server 0-Days</p></div><p>Maybe it's just me, but does it make sense to use newspaper headline style, which was designed a century ago to convey information in minimal horizontal space, in an electronic format? What would have been the cost of writing this headline as "Firm to Drop 0-Day Exploits for Databases and Web Servers"? As it is, I thought that some firm was dropping their database and going back to 100% paper records, and I couldn't really make sense of the phrase after the comma.</p>
	</htmltext>
<tokenext>Firm To Drop Database , Web Server 0-Days
Maybe it 's just me , but does it make sense to use newspaper headline style , which was designed a century ago to convey information in minimal horizontal space , in an electronic format ?
What would have been the cost of writing this headline as " Firm to Drop 0-Day Exploits for Databases and Web Servers " ?
As it is , I thought that some firm was dropping their database and going back to 100 % paper records , and I could n't really make sense of the phrase after the comma .</tokentext>
<sentencetext>Firm To Drop Database, Web Server 0-Days
Maybe it's just me, but does it make sense to use newspaper headline style, which was designed a century ago to convey information in minimal horizontal space, in an electronic format?
What would have been the cost of writing this headline as "Firm to Drop 0-Day Exploits for Databases and Web Servers"?
As it is, I thought that some firm was dropping their database and going back to 100% paper records, and I couldn't really make sense of the phrase after the comma.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30731232</id>
	<title>Re:Responsible Disclosure</title>
	<author>blueskies</author>
	<datestamp>1263215400000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>It sounds like plain old extortion. Notice he does not say he provided the vendor with the vulnerability info, just that he contacted the vendor. Calling a vendor and saying 'you have a vulnerability, pay me x and I will tell you what it is, don't pay and I'll tell everyone else' is not 'being responsible', it is extortion.</p></div></blockquote><p>How is that extortion?  That's extortion in the same way that selling an idea to someone or their competitors is extortion.  Buy my idea that gives 200 MPG or I'll sell it or give it away for free to X.</p>
	</htmltext>
<tokenext>It sounds like plain old extortion .
Notice he does not say he provided the vendor with the vulnerability info , just that he contacted the vendor .
Calling a vendor and saying 'you have a vulnerability , pay me x and I will tell you what it is , do n't pay and I 'll tell everyone else ' is not 'being responsible ' , it is extortion .
How is that extortion ?
That 's extortion in the same way that selling an idea to someone or their competitors is extortion .
Buy my idea that gives 200 MPG or I 'll sell it or give it away for free to X .</tokentext>
<sentencetext>It sounds like plain old extortion.
Notice he does not say he provided the vendor with the vulnerability info, just that he contacted the vendor.
Calling a vendor and saying 'you have a vulnerability, pay me x and I will tell you what it is, don't pay and I'll tell everyone else' is not 'being responsible', it is extortion.
How is that extortion?
That's extortion in the same way that selling an idea to someone or their competitors is extortion.
Buy my idea that gives 200 MPG or I'll sell it or give it away for free to X.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729266</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727878</id>
	<title>Re:Irresponsible</title>
	<author>Anonymous</author>
	<datestamp>1263201480000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>The devil you don't know is less dangerous than the devil you know?  Fact is, the guy says he's got holes from Real from two years ago that haven't been patched.  Two years isn't enough time, now you want two years and three months?</p></htmltext>
<tokenext>The devil you do n't know is less dangerous than the devil you know ?
Fact is , the guy says he 's got holes from Real from two years ago that have n't been patched .
Two years is n't enough time , now you want two years and three months ?</tokentext>
<sentencetext>The devil you don't know is less dangerous than the devil you know?
Fact is, the guy says he's got holes from Real from two years ago that haven't been patched.
Two years isn't enough time, now you want two years and three months?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727708</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30731260</id>
	<title>Re:Responsible Disclosure</title>
	<author>blueskies</author>
	<datestamp>1263215580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Even better, you should increase or decrease the expiry date based on past history/reputation of the company:  response time, severity of bug, number of vulnerabilities.  If the company is Donald Knuth, I guess you could start with a default expiry date of 10 years.</p><p>See if companies respond to classical conditioning. The "bad" companies would eventually get 0-day notification anyway.</p></htmltext>
<tokenext>Even better , you should increase or decrease the expiry date based on past history/reputation of the company : response time , severity of bug , number of vulnerabilities .
If the company is Donald Knuth , I guess you could start with a default expiry date of 10 years .
See if companies respond to classical conditioning .
The " bad " companies would eventually get 0-day notification anyway .</tokentext>
<sentencetext>Even better, you should increase or decrease the expiry date based on past history/reputation of the company:  response time, severity of bug, number of vulnerabilities.
If the company is Donald Knuth, I guess you could start with a default expiry date of 10 years.
See if companies respond to classical conditioning.
The "bad" companies would eventually get 0-day notification anyway.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727744</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30730216</id>
	<title>Naah.</title>
	<author>gelliantgutfright</author>
	<datestamp>1263210180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Surely the beta stage is the time for 'responsible disclosure'? Once it's publicly released, then you're not likely to be the only person aware of the vuln.
Why should you act responsibly on behalf of the guys who are taking your money for the privilege?
If it's fit for sale, it's fit for purpose.</htmltext>
<tokenext>Surely the beta stage is the time for 'responsible disclosure ' ?
Once it 's publicly released , then you 're not likely to be the only person aware of the vuln .
Why should you act responsibly on behalf of the guys who are taking your money for the privilege ?
If it 's fit for sale , it 's fit for purpose .</tokentext>
<sentencetext>Surely the beta stage is the time for 'responsible disclosure'?
Once it's publicly released, then you're not likely to be the only person aware of the vuln.
Why should you act responsibly on behalf of the guys who are taking your money for the privilege?
If it's fit for sale, it's fit for purpose.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729356</id>
	<title>Re:socialized risk</title>
	<author>zippthorne</author>
	<datestamp>1263206760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>What they should do is to meter out the information.</p><p>First day: notify the software company and enter info in the database.<br>-- info should include specifics, name of the program, an estimate of severity, and any info which can be released without actually revealing enough of the nature of the bug to continue.<br>-- The web site should handle allowing access to the specifics after the specified time.<br>-- The software vendor should be able to enter comments<br>-- The software vendor should be able to request extensions to the "full disclosure" date.*</p><p>*there should be a fee for each extension, and there definitely should be a public explanation for the need for extension, but somehow this feels like extortion.</p><p>Let the web site software handle out the metering out automatically, though, so you don't have to waste time butting heads against the software vendors.</p></htmltext>
<tokenext>What they should do is to meter out the information .
First day : notify the software company and enter info in the database .
-- info should include specifics , name of the program , an estimate of severity , and any info which can be released without actually revealing enough of the nature of the bug to continue .
-- The web site should handle allowing access to the specifics after the specified time .
-- The software vendor should be able to enter comments
-- The software vendor should be able to request extensions to the " full disclosure " date . *
* there should be a fee for each extension , and there definitely should be a public explanation for the need for extension , but somehow this feels like extortion .
Let the web site software handle out the metering out automatically , though , so you do n't have to waste time butting heads against the software vendors .</tokentext>
<sentencetext>What they should do is to meter out the information.
First day: notify the software company and enter info in the database.
-- info should include specifics, name of the program, an estimate of severity, and any info which can be released without actually revealing enough of the nature of the bug to continue.
-- The web site should handle allowing access to the specifics after the specified time.
-- The software vendor should be able to enter comments
-- The software vendor should be able to request extensions to the "full disclosure" date.*
*there should be a fee for each extension, and there definitely should be a public explanation for the need for extension, but somehow this feels like extortion.
Let the web site software handle out the metering out automatically, though, so you don't have to waste time butting heads against the software vendors.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727968</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30735274</id>
	<title>Re:Irresponsible</title>
	<author>Tim C</author>
	<datestamp>1263299340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>That's not how I read the summary at all - I read that he's told (some) vendors <b>in the past</b> and they have done nothing, so in the future <b>he's not going to inform any vendors at all</b>.</p></htmltext>
<tokenext>That 's not how I read the summary at all - I read that he 's told ( some ) vendors in the past and they have done nothing , so in the future he 's not going to inform any vendors at all .</tokentext>
<sentencetext>That's not how I read the summary at all - I read that he's told (some) vendors in the past and they have done nothing, so in the future he's not going to inform any vendors at all.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727974</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728890</id>
	<title>Re:What's up with the confusing article title?</title>
	<author>Anonymous</author>
	<datestamp>1263205080000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Um.  No.  That would be 'Warez'.  Wares are things that people sell.  A grocery store's wares include things like soup and dish detergent.</p></htmltext>
<tokenext>Um .
No. That would be 'Warez' .
Wares are things that people sell .
A grocery store 's wares include things like soup and dish detergent .</tokentext>
<sentencetext>Um.
No.  That would be 'Warez'.
Wares are things that people sell.
A grocery store's wares include things like soup and dish detergent.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728160</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728664</id>
	<title>drop database?</title>
	<author>gringer</author>
	<datestamp>1263204240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Shouldn't it be, "firm to SELECT 'Database', 'Web Server' FROM 0-Days;"?</p></htmltext>
<tokenext>Should n't it be , " firm to SELECT 'Database ' , 'Web Server ' FROM 0-Days ; " ?</tokentext>
<sentencetext>Shouldn't it be, "firm to SELECT 'Database', 'Web Server' FROM 0-Days;"?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729700</id>
	<title>Slashdot = Stooopuds .. get a clue dolts</title>
	<author>Anonymous</author>
	<datestamp>1263208080000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Slashdot'ers don't know IT security obviously. These guys are one of the top professional exploit writing crews on the planet. They have been selling VulnDisco an awesome 0day exploit addon pack for Immunity Sec's CANVAS exploitation framework for years.  We are not talking about some silly little company, the Intevydis guys are hardcore... they are selling a bunch of nice 0day exploits and simply being generous by giving away such valuable information for free this month.  All the people bashing their disclosure choices are fools; this caliber of security crew is not going to give away all of their valuable intellectual property for free, get over it.. stop living in fantasy land, those guys are not morally obligated to spend their life slaving away doing basically free high quality QA work for big multinational mega-software giants.  They do their work, they write their 0day, they sell it and pentesters and intelligence agencies and everyone who cares, buys it.  Note, the vendors in question could also buy VulnDisco and CANVAS and then they would have the 0day (with proof of concept / exploit code) for a cheap price (much less than trying to hire a security analyst of that caliber) and they could have detailed information about the vulnerability and be a couple steps closer to fixing the vulnerabilities they want to pretend like they care about.</p></htmltext>
<tokenext>Slashdot'ers do n't know IT security obviously .
These guys are one of the top professional exploit writing crews on the planet .
They have been selling VulnDisco an awesome 0day exploit addon pack for Immunity Sec 's CANVAS exploitation framework for years .
We are not talking about some silly little company , the Intevydis guys are hardcore... they are selling a bunch of nice 0day exploits and simply being generous by giving away such valuable information for free this month .
All the people bashing their disclosure choices are fools ; this caliber of security crew is not going to give away all of their valuable intellectual property for free , get over it.. stop living in fantasy land , those guys are not morally obligated to spend their life slaving away doing basically free high quality QA work for big multinational mega-software giants .
They do their work , they write their 0day , they sell it and pentesters and intelligence agencies and everyone who cares , buys it .
Note , the vendors in question could also buy VulnDisco and CANVAS and then they would have the 0day ( with proof of concept / exploit code ) for a cheap price ( much less than trying to hire a security analyst of that caliber ) and they could have detailed information about the vulnerability and be a couple steps closer to fixing the vulnerabilities they want to pretend like they care about .</tokentext>
<sentencetext>Slashdot'ers don't know IT security obviously.
These guys are one of the top professional exploit writing crews on the planet.
They have been selling VulnDisco an awesome 0day exploit addon pack for Immunity Sec's CANVAS exploitation framework for years.
We are not talking about some silly little company, the Intevydis guys are hardcore... they are selling a bunch of nice 0day exploits and simply being generous by giving away such valuable information for free this month.
All the people bashing their disclosure choices are fools; this caliber of security crew is not going to give away all of their valuable intellectual property for free, get over it.. stop living in fantasy land, those guys are not morally obligated to spend their life slaving away doing basically free high quality QA work for big multinational mega-software giants.
They do their work, they write their 0day, they sell it and pentesters and intelligence agencies and everyone who cares, buys it.
Note, the vendors in question could also buy VulnDisco and CANVAS and then they would have the 0day (with proof of concept / exploit code) for a cheap price (much less than trying to hire a security analyst of that caliber) and they could have detailed information about the vulnerability and be a couple steps closer to fixing the vulnerabilities they want to pretend like they care about.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727728</id>
	<title>Re:Responsible Disclosure</title>
	<author>Anonymous</author>
	<datestamp>1263201000000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>Responsible Disclosure is like "pro choice" or "pro life". It is a deliberately positive term for purely demagogic reasons. You can't be for irresponsible disclosure, just like you can't be against choice or against life.</p><p>The protocol for publishing information about exploitable software bugs is an intensely debated topic and the choices affect multi-billion dollar businesses where it hurts them most: The bottom line. Do not for a second believe that anyone in this game argues for the sake of rational discourse alone.</p></htmltext>
<tokenext>Responsible Disclosure is like " pro choice " or " pro life " .
It is a deliberately positive term for purely demagogic reasons .
You ca n't be for irresponsible disclosure , just like you ca n't be against choice or against life.The protocol for publishing information about exploitable software bugs is an intensely debated topic and the choices affect multi-billion dollar businesses where it hurts them most : The bottom line .
Do not for a second believe that anyone in this game argues for the sake of rational discourse alone .</tokentext>
<sentencetext>Responsible Disclosure is like "pro choice" or "pro life".
It is a deliberately positive term for purely demagogic reasons.
You can't be for irresponsible disclosure, just like you can't be against choice or against life.The protocol for publishing information about exploitable software bugs is an intensely debated topic and the choices affect multi-billion dollar businesses where it hurts them most: The bottom line.
Do not for a second believe that anyone in this game argues for the sake of rational discourse alone.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727668</id>
	<title>Re:Responsible Disclosure</title>
	<author>gregarican</author>
	<datestamp>1263200820000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>Here's a quote from TFA...</p><div class="quote"><p>Legerov said. For example, he said, &ldquo;there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor.&rdquo;</p></div><p>I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.</p>
	</htmltext>
<tokenext>Here 's a quote from TFA...Legerov said .
For example , he said ,    there will be published two years old Realplayer vulnerability soon , which we handled in a responsible way [ and ] contacted with a vendor.    I think that apparently the vendors are n't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner .
Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches .
Not the best business practices all the way around , but it 's the way it is .</tokentext>
<sentencetext>Here's a quote from TFA...Legerov said.
For example, he said, “there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor.”I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner.
Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches.
Not the best business practices all the way around, but it's the way it is.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727818</id>
	<title>Is it just me?</title>
	<author>gregarican</author>
	<datestamp>1263201300000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext><p>Or is the English language dying a painful death on /. as time passes. The past day's article summaries and headlines are a blend between Yoda backing off the chronic and the broken English that some toy assembly manuals convey.</p><p>Seriously, it took me three passes at reading this article headline to understand what the hell it meant. Maybe that's part of the entertainment value that I'm missing???</p></htmltext>
<tokenext>Or is the English language dying a painful death on / .
as time passes .
The past day 's article summaries and headlines are a blend between Yoda backing off the chronic and the broken English that some toy assembly manuals convey.Seriously , it took me three passes at reading this article headline to understand what the hell it meant .
Maybe that 's part of the entertainment value that I 'm missing ? ?
?</tokentext>
<sentencetext>Or is the English language dying a painful death on /.
as time passes.
The past day's article summaries and headlines are a blend between Yoda backing off the chronic and the broken English that some toy assembly manuals convey.Seriously, it took me three passes at reading this article headline to understand what the hell it meant.
Maybe that's part of the entertainment value that I'm missing??
?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728712</id>
	<title>Re:Responsible Disclosure</title>
	<author>Hurricane78</author>
	<datestamp>1263204420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><strong>tl;dr:</strong> Of course I prefer the company fixing the bug, but in case they fail at that, I at least want to know of it and be on the same level as the crackers.</p><p>You got something wrong: The position of the crackers is that it&rsquo;s the companies who act irresponsibly, e.g. by doing nothing when they should close the bugs, or by suing those who found some hole. Which I agree with. I&rsquo;d go so far as to offer a prize to anyone who can demonstrate an exploit for my software. With that prize always being worth enough to stop interest in pursuing other ways to take advantage of them. If someone is really good, he might even get a permanent post.</p><p>The only reason I can imagine, why someone would do something else, is because he still is a &ldquo;3 year old&rdquo; who can not handle any critique and has to become aggressive or repressive against anything that suggests he is not god.<br>In other words: Typical upper-level PHB behavior.</p><p>And under those circumstances, the responsible thing to do, is to at least protect the clients, by telling them about the risks of doing business with that company and of using that software.</p></htmltext>
<tokenext>tl ; dr : Of course I prefer the company fixing the bug , but in case they fail at that , I at least want to know of it and be on the same level as the crackers.You got something wrong : The position of the crackers is that it    s the companies who act irresponsibly , e.g .
by doing nothing when they should close the bugs , or by suing those who found some hole .
Which I agree with .
I    d go so far as to offer a prize to anyone who can demonstrate an exploit for my software .
With that prize always being worth enough to stop interest in pursuing other ways to take advantage of them .
If someone is really good , he might even get a permanent post.The only reason I can imagine , why someone would do something else , is because he still is a    3 year old    who can not handle any critique and has to become aggressive or repressive against anything that suggests he is not god.In other words : Typical upper-level PHB behavior.And under those circumstances , the responsible thing to do , is to at least protect the clients , by telling them about the risks of doing business with that company and of using that software .</tokentext>
<sentencetext>tl;dr: Of course I prefer the company fixing the bug, but in case they fail at that, I at least want to know of it and be on the same level as the crackers.You got something wrong: The position of the crackers is that it’s the companies who act irresponsibly, e.g.
by doing nothing when they should close the bugs, or by suing those who found some hole.
Which I agree with.
I’d go so far as to offer a prize to anyone who can demonstrate an exploit for my software.
With that prize always being worth enough to stop interest in pursuing other ways to take advantage of them.
If someone is really good, he might even get a permanent post.The only reason I can imagine, why someone would do something else, is because he still is a “3 year old” who can not handle any critique and has to become aggressive or repressive against anything that suggests he is not god.In other words: Typical upper-level PHB behavior.And under those circumstances, the responsible thing to do, is to at least protect the clients, by telling them about the risks of doing business with that company and of using that software.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30734270</id>
	<title>WTF has happened to slashdot crowd?</title>
	<author>frn123</author>
	<datestamp>1263329280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>WTF has happened? I remember when reasonable disclosure meant that the vendor was notified<br>and given 3 days to release a patch. AND that public was notified right away with no details.</p><p>Now some people speak about "responsible" (whatever that means) disclosure of 90(sic!) days!</p><p>Have you all gone mad collectively?</p></htmltext>
<tokenext>WTF has happened ?
I remember when reasonable disclosure meant that the vendor was notifiedand given 3 days to release a patch .
AND that public was notified right away with no details.Now some people speak about " responsible " ( whatever that means ) disclosure of 90 ( sic !
) days ! Have you all gone mad collectively ?</tokentext>
<sentencetext>WTF has happened?
I remember when reasonable disclosure meant that the vendor was notifiedand given 3 days to release a patch.
AND that public was notified right away with no details.Now some people speak about "responsible" (whatever that means) disclosure of 90(sic!
) days!Have you all gone mad collectively?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728224</id>
	<title>Re:Responsible Disclosure</title>
	<author>TubeSteak</author>
	<datestamp>1263202740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>The alternative to responsible disclosure is irresponsible disclosure. Is that really better?</p></div><p>The alternative to "responsible disclosure" is "full disclosure".<br>"Irresponsible" is only disclosing 0-day exploits to black hats.</p><p>The world isn't black and white.<br>Just because someone frames the issue as "X or Y" doesn't mean that "or" isn't an option.</p>
	</htmltext>
<tokenext>The alternative to responsible disclosure is irresponsible disclosure .
Is that really better ? The alternative to " responsible disclosure " is " full disclosure " .
" Irresponsible " is only disclosing 0-day exploits to black hats.The world is n't black and white.Just because someone frames the issue as " X or Y " does n't mean that " or " is n't an option .</tokentext>
<sentencetext>The alternative to responsible disclosure is irresponsible disclosure.
Is that really better?The alternative to "responsible disclosure" is "full disclosure".
"Irresponsible" is only disclosing 0-day exploits to black hats.The world isn't black and white.Just because someone frames the issue as "X or Y" doesn't mean that "or" isn't an option.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728614</id>
	<title>It's Irresponsible</title>
	<author>SwashbucklingCowboy</author>
	<datestamp>1263204120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>While I don't blame them for releasing two year old vulnerabilities, they're going too far by not giving firms ANY TIME to fix vulnerabilities.  Give them six months and then release them, but give them time.  This does as great a disservice to users as those firms do by not fixing the vulnerabilities.</htmltext>
<tokenext>While I do n't blame them for releasing two year old vulnerabilities , they 're going too far by not giving firms ANY TIME to fix vulnerabilities .
Give them six months and then release them , but give them time .
This does as great a disservice to users as those firms do by not fixing the vulnerabilities .</tokentext>
<sentencetext>While I don't blame them for releasing two year old vulnerabilities, they're going too far by not giving firms ANY TIME to fix vulnerabilities.
Give them six months and then release them, but give them time.
This does as great a disservice to users as those firms do by not fixing the vulnerabilities.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727900</id>
	<title>Re:Responsible Disclosure</title>
	<author>morgan\_greywolf</author>
	<datestamp>1263201600000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>4</modscore>
	<htmltext><p>The term "responsible disclosure" is newspeak for "keep your mouth shut".  The alternative to 'responsible disclosure' is that the vulnerabilities continue to exist for sometimes years, with wild exploits happening perhaps unknown for long periods of time.</p><p>I think it's okay to notify the company and give them time to fix the bug, but time on the order of years is completely unreasonable.  On the Internet, a year is a very, very long time.</p></htmltext>
<tokenext>The term " responsible disclosure " is newspeak for " keep your mouth shut " .
The alternative to 'responsible disclosure ' is that the vulnerabilities continue to exist for sometimes years , with wild exploits happening perhaps unknown for long periods of time.I think it 's okay to notify the company and give them time to fix the bug , but time on the order of years is completely unreasonable .
On the Internet , a year is a very , very long time .</tokentext>
<sentencetext>The term "responsible disclosure" is newspeak for "keep your mouth shut".
The alternative to 'responsible disclosure' is that the vulnerabilities continue to exist for sometimes years, with wild exploits happening perhaps unknown for long periods of time.I think it's okay to notify the company and give them time to fix the bug, but time on the order of years is completely unreasonable.
On the Internet, a year is a very, very long time.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727774</id>
	<title>Re:Responsible Disclosure</title>
	<author>csartanis</author>
	<datestamp>1263201180000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>Yes, because "responsible" goes both ways.  They're being responsible by notifying the vendor before going public.  If the vendor is not fixing the issue, it's time to go public.</p><p>As far as I'm concerned a public release is still a responsible one.  At least in that case <i>everyone</i> knows about it.</p><p>Irresponsible is selling unknown vulnerabilities to private parties that will use them for their own gain.  The vendor's customers get screwed and the vendor has no idea that it's even happening.</p></htmltext>
<tokenext>Yes , because " responsible " goes both ways .
They 're being responsible by notifying the vendor before going public .
If the vendor is not fixing the issue , it 's time to go public.As far as I 'm concerned a public release is still a responsible one .
At least in that case everyone knows about it.Irresponsible is selling unknown vulnerabilities to private parties that will use them for their own gain .
The vendor 's customers get screwed and the vendor has no idea that it 's even happening .</tokentext>
<sentencetext>Yes, because "responsible" goes both ways.
They're being responsible by notifying the vendor before going public.
If the vendor is not fixing the issue, it's time to go public.As far as I'm concerned a public release is still a responsible one.
At least in that case everyone knows about it.Irresponsible is selling unknown vulnerabilities to private parties that will use them for their own gain.
The vendor's customers get screwed and the vendor has no idea that it's even happening.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30734112</id>
	<title>Re:Responsible Disclosure</title>
	<author>Anonymous</author>
	<datestamp>1263326880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>http://www.youtube.com/watch?v=M3hge6Bx-4w</p></htmltext>
<tokenext>http : //www.youtube.com/watch ? v = M3hge6Bx-4w</tokentext>
<sentencetext>http://www.youtube.com/watch?v=M3hge6Bx-4w</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727964</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30733490</id>
	<title>Re:socialized risk</title>
	<author>Anonymous</author>
	<datestamp>1263232560000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>When you screw up in the auto industry, the company faces the massive expense of a product recall. That helps to keep you honest with your engineering quality.</p></div><p> <i>A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.</i> <a href="http://www.imdb.com/title/tt0137523/quotes" title="imdb.com" rel="nofollow">source</a> [imdb.com]</p><p><i>"Son, people will always try and fuck you. Don't waste your life planning for a fucking, just be alert when your pants are down."</i> <a href="http://twitter.com/shitmydadsays/status/4764948647" title="twitter.com" rel="nofollow">source</a> [twitter.com]</p><p>Minimum amount of effort for maximum amount of reward.</p>
	</htmltext>
<tokenext>When you screw up in the auto industry , the company faces the massive expense of a product recall .
That helps to keep you honest with your engineering quality .
A new car built by my company leaves somewhere traveling at 60 mph .
The rear differential locks up .
The car crashes and burns with everyone trapped inside .
Now , should we initiate a recall ?
Take the number of vehicles in the field , A , multiply by the probable rate of failure , B , multiply by the average out-of-court settlement , C. A times B times C equals X. If X is less than the cost of a recall , we do n't do one .
source [ imdb.com ] " Son , people will always try and fuck you .
Do n't waste your life planning for a fucking , just be alert when your pants are down .
" source [ twitter.com ] Minimum amount of effort for maximum amount of reward .</tokentext>
<sentencetext>When you screw up in the auto industry, the company faces the massive expense of a product recall.
That helps to keep you honest with your engineering quality.
A new car built by my company leaves somewhere traveling at 60 mph.
The rear differential locks up.
The car crashes and burns with everyone trapped inside.
Now, should we initiate a recall?
Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
source [imdb.com]"Son, people will always try and fuck you.
Don't waste your life planning for a fucking, just be alert when your pants are down.
" source [twitter.com]Minimum amount of effort for maximum amount of reward.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727968</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729192</id>
	<title>Re:It's Irresponsible</title>
	<author>Microlith</author>
	<datestamp>1263206160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Apparently people cannot read. These vulnerabilities are two years old. The companies have been notified and their response is not to fix the security hole but to ignore the reports entirely.</p><p>If you knew the inevitable result of every notification you gave to developers was to be ignored and have nothing come of the 3 months (or longer) you gave them, would you bother trying again, or just consider the goodwill pointless and get right down to the business of forcing them to fix their screwups?</p></htmltext>
<tokenext>Apparently people can not read .
These vulnerabilities are two years old .
The companies have been notified and their response is not to fix the security hole but to ignore the reports entirely.If you knew the inevitable result of every notification you gave to developers was to be ignored and have nothing come of the 3 months ( or longer ) you gave them , would you bother trying again , or just consider the goodwill pointless and get right down to the business of forcing them to fix their screwups ?</tokentext>
<sentencetext>Apparently people cannot read.
These vulnerabilities are two years old.
The companies have been notified and their response is not to fix the security hole but to ignore the reports entirely.If you knew the inevitable result of every notification you gave to developers was to be ignored and have nothing come of the 3 months (or longer) you gave them, would you bother trying again, or just consider the goodwill pointless and get right down to the business of forcing them to fix their screwups?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728614</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727702</id>
	<title>Re:Responsible Disclosure</title>
	<author>Anonymous</author>
	<datestamp>1263200940000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Yes, because it coerces vendors to fix vulns and therefore improves ecosystem health.</p><p>If the internet ecosystem were not under steady attack, it would be weak and much more vulnerable.</p><p>What does not kill it makes it stronger.</p></htmltext>
<tokenext>Yes , because it coerces vendors to fix vulns and therefore improves ecosystem health.If the internet ecosystem were not under steady attack , it would be weak and much more vulnerable.What does not kill it makes it stronger .</tokentext>
<sentencetext>Yes, because it coerces vendors to fix vulns and therefore improves ecosystem health.If the internet ecosystem were not under steady attack, it would be weak and much more vulnerable.What does not kill it makes it stronger.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30733396</id>
	<title>Re:What's up with the confusing article title?</title>
	<author>Anonymous</author>
	<datestamp>1263231660000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><div class="quote"><p>Firm To Drop Database, Web Server 0-Days</p></div><p>The verb <em>to drop</em> has specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:</p><p> <em>Fed-up security firm to release Database &amp; Web Server vulnerabilities publicly</em> </p><p>Look at how much more information is conveyed in that second title. A work of beauty, it is.</p></div><p>worry not about that which you have no influence over, or consume you it will.</p>
	</htmltext>
<tokenext>Firm To Drop Database , Web Server 0-DaysThe verb to drop has specific meaning w.r.t .
databases. A few more words in the title would have been acceptable .
How about : Fed-up security firm to release Database &amp; Web Server vulnerabilities publicly Look at how much more information is conveyed in that second title .
A work of beauty , it is.worry not about that which you have no influence over , or consume you it will .</tokentext>
<sentencetext>Firm To Drop Database, Web Server 0-DaysThe verb to drop has specific meaning w.r.t.
databases. A few more words in the title would have been acceptable.
How about: Fed-up security firm to release Database &amp; Web Server vulnerabilities publicly Look at how much more information is conveyed in that second title.
A work of beauty, it is.worry not about that which you have no influence over, or consume you it will.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30731598</id>
	<title>Likely not as bad as it sounds.</title>
	<author>icepick72</author>
	<datestamp>1263217800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Maybe his remarks are just missing something in translation.</htmltext>
<tokenext>Maybe his remarks are just missing something in translation .</tokentext>
<sentencetext>Maybe his remarks are just missing something in translation.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727968</id>
	<title>socialized risk</title>
	<author>epine</author>
	<datestamp>1263201840000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk.  When you screw up in the auto industry, the company faces the massive expense of a product recall.  That helps to keep you honest with your engineering quality.</p><p>I personally think 30 days is a reasonable notification period.  Not pleasant for the vendor to have to respond that briskly, but this isn't about being pleasant.  If the vendor wants pleasant, they should invest more competence in the original product.  This isn't easy, and might move a few pointy-haired managers out of the executive suite.</p><p>Probably a more viable compromise is eight weeks.  This adds a thin margin for the possibility that key zero-day SWAT staff are booked off, that multiple issues are raised concurrently, or that a product has a stupendously long build cycle.</p><p>I would be thrilled to see an industry standard put in place where everyone knows the ethical notice period is eight weeks, period, perhaps with the odd extension on a track record of good behaviour.</p><p>I would also like to see proprietary TCO calculations updated with a term to account for the customer disruption of having to rapidly deploy a not-tested-for-months-at-a-time critical vulnerability patch.</p><p>Speaking of which, that whole TCO thing really bends my biscuits.  It's just loaded with sly neglect of not entirely apparent costs, of which the year-long critical vulnerability update is one of the more egregious.</p><p>During that time, your pants are down if anyone less ethical discovers the same flaw.  It never happens that two scientists make the same discovery in the same year and end up in priority dispute, according to the industry of socialized risk.</p></htmltext>
<tokenext>This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk .
When you screw up in the auto industry , the company faces the massive expense of a product recall .
That helps to keep you honest with your engineering quality .
I personally think 30 days is a reasonable notification period .
Not pleasant for the vendor to have to respond that briskly , but this is n't about being pleasant .
If the vendor wants pleasant , they should invest more competence in the original product .
This is n't easy , and might move a few pointy-haired managers out of the executive suite .
Probably a more viable compromise is eight weeks .
This adds a thin margin for the possibility that key zero-day SWAT staff are booked off , that multiple issues are raised concurrently , or that a product has a stupendously long build cycle .
I would be thrilled to see an industry standard put in place where everyone knows the ethical notice period is eight weeks , period , perhaps with the odd extension on a track record of good behaviour .
I would also like to see proprietary TCO calculations updated with a term to account for the customer disruption of having to rapidly deploy a not-tested-for-months-at-a-time critical vulnerability patch .
Speaking of which , that whole TCO thing really bends my biscuits .
It 's just loaded with sly neglect of not entirely apparent costs , of which the year-long critical vulnerability update is one of the more egregious .
During that time , your pants are down if anyone less ethical discovers the same flaw .
It never happens that two scientists make the same discovery in the same year and end up in priority dispute , according to the industry of socialized risk .</tokentext>
<sentencetext>This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk.
When you screw up in the auto industry, the company faces the massive expense of a product recall.
That helps to keep you honest with your engineering quality.
I personally think 30 days is a reasonable notification period.
Not pleasant for the vendor to have to respond that briskly, but this isn't about being pleasant.
If the vendor wants pleasant, they should invest more competence in the original product.
This isn't easy, and might move a few pointy-haired managers out of the executive suite.
Probably a more viable compromise is eight weeks.
This adds a thin margin for the possibility that key zero-day SWAT staff are booked off, that multiple issues are raised concurrently, or that a product has a stupendously long build cycle.
I would be thrilled to see an industry standard put in place where everyone knows the ethical notice period is eight weeks, period, perhaps with the odd extension on a track record of good behaviour.
I would also like to see proprietary TCO calculations updated with a term to account for the customer disruption of having to rapidly deploy a not-tested-for-months-at-a-time critical vulnerability patch.
Speaking of which, that whole TCO thing really bends my biscuits.
It's just loaded with sly neglect of not entirely apparent costs, of which the year-long critical vulnerability update is one of the more egregious.
During that time, your pants are down if anyone less ethical discovers the same flaw.
It never happens that two scientists make the same discovery in the same year and end up in priority dispute, according to the industry of socialized risk.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727654</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30730212</id>
	<title>Re:Responsible Disclosure</title>
	<author>Myopic</author>
	<datestamp>1263210180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yes, we all wish that the computer world was free from attacks. That would be a great world. But since we live in this world, the environmental metaphor is apt.</p></htmltext>
<tokenext>Yes , we all wish that the computer world was free from attacks .
That would be a great world .
But since we live in this world , the environmental metaphor is apt .</tokentext>
<sentencetext>Yes, we all wish that the computer world was free from attacks.
That would be a great world.
But since we live in this world, the environmental metaphor is apt.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727572</id>
	<title>Who gives a fuck?</title>
	<author>Anonymous</author>
	<datestamp>1263200520000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext>I mean really.</htmltext>
<tokenext>I mean really .</tokentext>
<sentencetext>I mean really.</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30730396
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727728
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728798
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727668
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728944
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727818
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727878
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727708
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728890
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728160
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728224
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729356
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727968
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727654
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727900
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30731232
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729266
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727668
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729034
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727818
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_30</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732692
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728676
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727654
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729036
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727702
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30734112
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727964
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732604
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727702
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729192
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728614
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_31</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728896
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728098
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_33</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30731260
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727744
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727774
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30730212
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727702
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732404
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727964
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30731330
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727654
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30735128
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729752
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727964
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30733396
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729254
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727668
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729562
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727818
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728794
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727768
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732874
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727728
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30735274
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727974
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727708
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30730950
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727974
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727708
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732208
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727938
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728250
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_29</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30733490
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727968
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727654
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_32</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728712
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_34</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729234
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727728
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_11_1640232_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728316
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_11_1640232.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728920
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_11_1640232.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727572
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_11_1640232.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727588
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727964
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729752
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30735128
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30734112
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732404
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727900
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727774
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728712
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727744
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30731260
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727668
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728798
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729254
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729266
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30731232
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728224
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727702
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728534
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30730212
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729036
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732604
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727728
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732874
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729234
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30730396
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_11_1640232.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727768
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728794
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_11_1640232.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727818
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729562
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729034
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728944
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_11_1640232.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727938
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732208
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_11_1640232.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727708
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727974
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30735274
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30730950
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727878
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_11_1640232.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727654
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728676
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30732692
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30731330
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727968
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729356
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30733490
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_11_1640232.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728664
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_11_1640232.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30727652
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728316
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30733396
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728098
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728896
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728160
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728890
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728250
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_11_1640232.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30728614
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_11_1640232.30729192
</commentlist>
</conversation>
