Full Disclosure mailing list archives
it's all about timing
From: full-disclosure () lists netsys com (Alan Rouse)
Date: Thu, 1 Aug 2002 13:28:13 -0400
Timothy J.Miller [cerebus () sackheads org] wrote:
I can't agree. In my day job I maintain systems for a defense agency,
and I *have* to know what my exposures are *at all times*, whether a
fix
exists or not, since lives can be dependent (directly or indirectly)
on
the availability and integrity of my systems. Without this information, I can't mitigate my risk. Leaving *my* risk
in the hands of a vendor-- who has a vested interest in *not* letting
me
know-- is wrong.
If one person can discover a vulnerability, so can another person. When you discover a previously unpublished vulnerability you should assume that either (1) someone else has also discovered it and is keeping it secret for future use; or (2) someone like that will discover it soon. The vendor must not be permitted to sweep it under the rug, or to put it on the back burner. If they do, a day of reckoning will come to them and to all their customers. Some naive people think the visible blackhat hackers are the real enemy. These people break into sites, deface them, maybe even steal some files or install Trojans... IMO that's NOT the main problem. Maybe that kind of thing is not nice, not legal, maybe it causes monetary losses to victims... but it's not nearly the worst problem. A major terrorist organization or enemy country would do far worse. Undoubtedly there are others out there, with greater resources, and much more serious in their intent to do harm. They are busy discovering vulnerabilities, and building an inventory of individual exploits and compound exploits which would make everything we've seen to date look like child's play. In this kind of world, the public needs to know immediately of the vulnerability. We need to be able to determine unambiguously whether we are vulnerable. We need to be able to implement countermeasures, and then we need to be able to test those countermeasures. This means we need a proof of concept exploit, and we need it immediately. And we need source code for that exploit so we can verify that this code itself is not an enemy. Now, that proof of concept exploit should not do any actual damage. And it should not be easily converted into a damaging tool by pseudo-technical script-kiddie types. That is where ethics and good judgment are required. There will probably be differing opinions on what should be released. I lean toward more disclosure rather than less, but the rules of the game must protect the publisher of the vulnerability, because he provides a critical service. We cannot afford to squelch those who expose these problems. Unfortunately some companies have shown themselves to be unwilling to correct vulnerabilities without a threat of harm. I don't know whether that justifies the blackhat vandals. But in the absence of legal recourse (e.g. vendor liability lawsuits) it may be the one thing that forces vendors to close the holes. Publicly disclose the vulnerability immediately, along with recommendations for temporary countermeasures until a fix is available, and provide a way to test those countermeasures. That's about the best we can do IMO. Ok that's my rant. I feel better.
Current thread:
- it's all about timing, (continued)
- it's all about timing Joey Kelly (Aug 01)
- it's all about timing Ron DuFresne (Aug 01)
- it's all about timing full-disclosure () lists netsys com (Jul 31)
- Re: it's all about timing Steven M. Christey (Jul 31)
- Re: it's all about timing Georgi Guninski (Aug 01)
- Re: it's all about timing Tom Perrine (Aug 01)
- Re: it's all about timing Georgi Guninski (Aug 01)
- Re: it's all about timing Adam Megacz (Jul 31)
- RE: it's all about timing Scott, Richard (Aug 01)
- Re: it's all about timing Sunil James (Aug 01)
- it's all about timing Timothy J.Miller (Aug 01)
- it's all about timing Alan Rouse (Aug 01)
- it's all about timing Rohny Jotton (Aug 01)
- Re: it's all about timing Steven M. Christey (Aug 01)
- Re: it's all about timing Georgi Guninski (Aug 02)
- Re: it's all about timing Colin Stefani (Aug 01)
- it's all about timing Don (Aug 01)
- it's all about timing Dunbar, Gregory (Aug 01)
- it's all about timing Steven M. Christey (Aug 01)
- it's all about timing Steven M. Christey (Aug 01)
- it's all about timing Kurt Seifried (Aug 02)
- it's all about timing Steven M. Christey (Aug 01)