Full Disclosure mailing list archives
Shiver me timbers.
From: full-disclosure () lists netsys com (sockz loves you)
Date: Mon, 19 Aug 2002 09:16:07 -0500
Blackhats as serial car bombers? Hmm... perhaps... but then again, it's not really a faulty car, is it? No, I just don't see how this analogy relates to computer security at all. I've only ever seen one computer physically explode, yes in real life, and no, it wasn't from a flaw in the software or from evil blackhat meddling.

----- Original Message -----
From: aliver () xexil com
Date: Mon, 19 Aug 2002 06:30:03 -0700
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Shiver me timbers.
On Mon, 19 Aug 2002, Timothy J. Miller wrote:

> On the other hand, if your new car spontaneously bursts into flame while idling at a stop light, don't you have an obligation to tell the manufacturer *and* as many people with the same model as possible?

Perhaps. However, the analogy may not be apt. First of all, a car that bursts into flames idling at a stop light could very likely cause you to lose your life. I'm not saying that a software vulnerability might not indirectly cause an injury or death. However, it's not nearly as likely to as an exploding gas tank. Also, an exploding gas tank is a spontaneous event which isn't triggered by a premeditated act by another individual (as exploiting a bug is). The only direct parallel is that the car manufacturer (i.e., vendor) might have been negligent when engineering and constructing the tank.

Secondly, in your analogy the person who points out that the gas tank tends to explode is a person who found that out from a coincidental experience, and without any effort or foreknowledge of his own. Ask yourself if this parallels our situation. Vulnerabilities are not something that often manifest themselves to people with no technical knowledge who aren't looking for them. A person with experience and specific ability is almost always the one to find them. That person, or someone like him, must use that knowledge to create an exploit, and that's not something that just anyone can do. It takes both skill and effort.

I think your analogy would be better if it was adjusted. For example, maybe something like this would be better. Does a mechanic (hacker) who finds that a gas tank can be easily rigged to explode have an obligation to report this finding to a corrupt car company (vendors)? Should he give an insurance company (whitehats or ARIS) the results of a painstaking analysis of the tank, and how to rig it to explode? Is he obligated to give all his research on any related finds away no matter how much of his time or energy it took? Would it be right if he rigged a serial killer's tank to explode?

aliver

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html