Bugtraq mailing list archives

Re: It takes two to tango


From: Stan Bubrouski <stan () ccs neu edu>
Date: Wed, 31 Jul 2002 13:04:44 -0400


I agree fully, with what both of you have to say, and I have another
point to bring up.  If companies like HP or Microsoft can put in their
license, terms which remove all liability of themselves for damage
caused security in their products or general defects, and this stands
up in court (and as we know it has), how can the courts say that the
producer of the product is not liable at all, but that a consumer
investigating security holes in that product is liable for damages
resulting from his research on vulnerabilities in that product?

The whole concept itself is ludicrous, and the HP case is particularly
troubling.  If indeed HP knew of the bug for a year and either didn't
acknowledge the problem or didn't fix it, then would it be safe to say
they knew of its existence, but chose to not proceed in announcing
or fixing the problem?  What is a consumer to do?  The company is
not liable for the hole in their product, has in most cases no way to
fix it, and the lack of liability on HP's part makes it impossible for
the consumer to force them to fix it.  This leaves the consumer with
a dangerous and defective product which could cost them endless
amounts of financial loss if the problem is not resolved before a hacker
resolves to take advantage.

In publishing an exploit for said vulnerability, a consumer is in a sense
promoting action to be taken by administrators (assuming a patch is
available) and on HP's part as well; now that the public is aware of
the hole, more pressure can be levied to get the company to fix the
problem.  But this now leaves them vulnerable to being sued under
Copyright laws?  Where does the Copyright come into play?  Is the
'su' on HP systems purely HP's code or is it derived from older
shared code?  What right then would they have to sue them if this
vulnerability affected other operating systems as well?  Furthermore
the exploit is not remote and thus it's hard to see how HP could
prove damages from such an exploit given its local nature on the OS.

This brings me to Phase.  Phase () mail ru, is he even in the US or is
he indeed in Russia?  I hate this whole situation and the power large
corporations have over our government and our courts.  I look at
the law about allowing groups like MPAA to hack the systems of
consumers and their networks based on circumstantial evidence as
a clear sign that corporate corruption in our government has already
gone too far, and too many of our rights are already limited for them
to stop now.  I'm not so sure any court is going to be willing to
challenge this, as lawmakers are too influenced by large corporations
to care about learning the least bit about programming and how computers
work.  They rely on their pocket-lining supporters to tell them that.

Things look grim, and my goal of being a security researcher is far
from certain.  If such limitations are arising that you cannot investigate
commercial software's vulnerabilities, I don't see a lucrative future
and may continue down a different in the near future.  I lost faith
in my government long ago.

-Stan Bubrouski
(Soon to be) Middler Computer Science Major at Northeastern University, Boston, MA


Chris Paget wrote:

<snip>

  "Ferson also said that HP reserves
  the right to sue SnoSoft and its members "for monies
  and damages caused by the posting and any use of the
  buffer overflow exploit."

This raises a very interesting point.  Bruce Schneier has stated
publicly that he believes vendors should be held responsible for
security flaws in their products
(http://www.nwfusion.com/columnists/2002/0422faceoffyes.html).  I
agree with this viewpoint, as, I am sure, do many people on this list.
However, how would this affect the vulnerability disclosure process?

1)  Researcher R finds a security hole in vendor V's product.
2)  R attempts to contact V to reveal the bug.
3)  V does not respond.
4)  R attempts communication several times over the next 90 days, but
never receives a response.
5)  R releases an advisory.
6)  Attacker A writes an exploit for the hole, and uses it to hack
into company C.
7)  C successfully sues V for several million dollars compensation.

Does V still have the right to sue R?  If vendors are made liable for
security holes, and those vendors have the right to sue the people who
find advisories and / or release exploits, then we'll be seeing
security researchers on the wrong end of multi-million dollar
lawsuits.  I'm sure I'm not the only person who feels uncomfortable
about this.  Buffer overflow exploits are not difficult to write; it
doesn't come down to whether there's exploit code or just an advisory.

IMHO, vendors SHOULD be responsible for security holes.  However,
before that can be done there needs to be some kind of law put in
place to protect the researchers who find the holes.  Doesn't need to
be much, just a blanket law that if the researcher has taken
reasonable steps to alert the vendor, they cannot be held liable for
the consequences of releasing the advisory. If that doesn't happen,
things are going to get messy.

Chris