Re: Valid disclosure analogy

[full-disclosure () lists netsys com (Defender Defender)]

> > You are client of 'bank A'. You find out about a way to break in
> > 'bank A' in a quite complicated and tricky manner, but yet possible.
>
> bank 'A' has one 'copy' whereas a given piece of software has N. the
> fact that you can attack/expoit it doesn't automatically give you
> the ability to exploit all N copies whereas it does give you the
> ability to compromise all accounts in bank 'A'. the fallacy of analogies at 
> its best. who did you say was the moron again? mind you, Guninski's wasn't 
> perfect either but at least he doesn't suffer from >the attitude problem 
> you have.

What?! One copy exploitable but other not? How could they be copies then? 
You must be kidding me on this one!

> > a) Dont do anything: all banks are vulnerable at some point. It's all a 
> > matter of risk, and keeping it secret is the best way to keep
> > the risk at its lowest. Furthermore, the vulnerability does not compromise 
> > the quality of the service itself;
>
> you must be a 'blackhat', 'cos this one actually looks applicable to
> both software and banks. congratulations for spreading the philosophy of 
> non-disclosure!

Blackhat?! Where did I talk of hacking here?

And thank you for your congrats. Yes, I do evaluate both disclosure and 
non-disclosure in my possible responses to the discovery of a vulnerability.

> > b) Your money is at risk: remove it from 'bank A', put it in 'bank B';
>
> what if there is no bank 'B'?

Then the fact that there is "no bank 'B'" available is the real problem, not 
the fact that bank 'A' is vulnerable.

> am i supposed to create one? preferably in no time?

1) You do have time (thankfully) given the vulnerability(ies) have not
   yet been disclosed. Obviously, this solution path would imply that
   non-disclosure not only is voluntary, but also enforced (through
   law, for exemple).

2) Yes, starting your own service is the legitimate way of solving the
   problem (not putting gun on most popular bank CEO head so he fixes
   the problems in his bank security).

> what if bank 'B' does not provide (some of) the services of bank 'A'
> which are vital to my own business?

This is most likely to be the case. Security comes at a cost. Welcome to the 
real world! Maybe you understand now why microsoft software is "full" of 
bugs.

Once again, the only legitimate way you can intervene is by starting your 
own service or product line. You cannot force a vendor to do anything 
against his will (regarding quality of his product), even if you are his 
client. That's why its called a *free* market.

> will bank 'B' provide me with enough details of her own internal systems so 
> that i can do it in a reasonable timeframe?

If the bank wants to. Again, free market. Vendor is free to define its 
offer, you are free to define your demands!

> willthey accept my changes to their own system?

Why would they? I dunno, ask them! ;)

> what if i can't afford switching banks right now?

Then switch later. This would be a good reason not to disclose now, given it 
would put you at risk between the moment of the disclosure, and the moment 
the vendor (or bank) fixes its vulnerability. No alternative = no security. 
That's the real problem.

> am i supposed to fix bank 'A'?

Send them your resume, they might want to hire you for it. Otherwise, I dont 
see how you could (and should) fix their product.

> will they give me enough information to do it? will they accept my 
> > changes?

Probably not, for good reasons ;)
At least I hope for their own security they do not accept changes from 
external people...

> what if it's not up to me to decide and i can't convince those who can but 
> don't want to?

Then I guess you answered the question right: it not up to you to decide.

> am i supposed to quit my job?

Why? They pay you bad?

> am i supposed to make the switch to bank 'B' 'behind the scenes' and >hope 
> noone will notice or at least blame me later?

If not your job, then no. If your job, then do it 'on the scene', and take 
promotion when bank 'B' is hacked.

> and finally, you still sure your analogy holds between the world of
> banks and software? are you living on the moon or something? at least 
> you've never worked for a real bank if you think you could pull >off the 
> above.

Well, I did answer, haven't I?
And yes, I would have answered the same if we had been talking of a software 
vendor.

> > c) Break in 'bank A' and steal other people's money, get plane ticket for 
> > bermudas;
>
> the worst part of your analogy as pointed out at the beginning.

Revisit analogy: autohack all openssh vX.X and mass-own the world thanks to 
duke and his ISS sponsor. Yes, the bug was (somehow) reproduced in all the 
copies, what a coincidence. ;)

> > d) The evil 'bank A' put people at risk. Regardless of fact that you are 
> > not the owner of the bank, nor that you represent the interest of each and 
> > every of its clients, take the initiative to >>inform the world of the 
> > vulnerability details, how to exploit it, and if
> > possible, make a point-and-click robot that breaks into the bank
> > and steal money for you, and give a free copy to everyone who wants one;
>
> wow, the second best shot, this time against full disclosure!
>
> and while you failed to point out where 'responsible' disclosure would fit 
> in here, i'll guess that it would be the one that would >minimize the 
> embarassment for the bank and keep the public in dark as >long as possible.

Disclosure is disclosure. It fits in my toilet, that where it fits.




_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com