Full Disclosure mailing list archives

Re: Valid disclosure analogy


From: full-disclosure () lists netsys com (Defender Defender)
Date: Mon, 26 Aug 2002 03:19:55 +0000

the fact that you have an exploit in your hands does not mean
that you can exploit all running instances of the given piece of
software. this is because you may not have (and as a matter of fact,
you most certainly do not) access to all of them. capito?


That fact does not break the analogy.

If I find a flaw in a bank's security system, I might not be the one who 
will be able to exploit it. Furthermore, some bank accounts may only be 
accessible with specific credentials required by someone working in the 
bank, which will be exactly the same as the situation of a 'closed network' 
you were presenting.

"You are client of 'bank A'. You find out about a way to break in 'bank A' 
in a quite complicated and tricky manner, but yet possible."

Read. I do not mention anything else than your ability to break in the bank. 
No mention on what client accounts are vulnerable.

In one word, since your first post, you only talk shit, frenchie.


i'm not saying anything pro or contra, just referring to what others
have said before. besides i don't see how you drew the above conclusion
from what i said. in particular, where did i say hacker (who compromises
systems) = criminal? tell that to the spooks of .au and they will have
a good laugh. as would many others (internal pentesters of a company,
more spooks, etc). they all can have their 0-day and use them to
compromise systems and be called hackers and not be criminals.

You clearly said "blackhat"
I guess that implies criminal, unless you now consider pentesters are 
blackhats?


Then report to your government. If the government doesn't want to act,
switch your vote.

great advice except i don't see the analogy in the software world
(which is the whole point of your exercise of course, or so i thought).
who is my 'software government'? since when do i get to vote for them?
oh, and where is the 'country'?

Man, are you for real?


You live in a democracy. You cannot take decisions on behalf of
everyone else. Same as for the free market: the freedom of others is defined
by the limits of your own. It sucks to know that your voice is not
heard, that you have no impact, that you are not alone. But that's
how society works.

And yes, governments not only have banks, but also use software. And
the same path should be followed for a software vulnerability.

which is? your post listed options, it didn't say which one you
preferred.

I repeat: "Obviously, this solution path would imply that non-disclosure 
not only is voluntary, but also enforced (through law, for
example)."
Please read what I write or don't make me waste my time.

and? why would the enforcement of non-disclosure ensure that others who
have also discovered the problem are not going to actually exploit it
(or had done so already)? you still haven't shown why i would have all
the time to take action (to found a bank).

"You are client of 'bank A'. You find out about a way to break
in 'bank A' in a quite complicated and tricky manner, but yet
possible. You inform 'bank A', but no answer! What to do?"

Again, please read what I write...

i did. you also said: "starting your own service is the legitimate way of 
solving the problem" implying that the others are not. do you
understand the difference between the various articles ('the' vs 'a')?

Blah blah blah
If people want to raise interesting arguments, please tell.
Tired of replying to your low IQ crap.


<>bullshit. a bank will *never* provide you with such info. don't trust
<> me on this, go call yours and ask them.

Why do you say bullshit? You mean it's not up to them?

it's not only not up to them, it's what i said: they will never give you
that info (there are regulations they have to follow).

Absolutely not. Banks have the entire right to show you their security 
measures. In fact, for specific clients ($$$$$), they do.

You seem to enjoy using bullshit arguments, don't you?


No. I doubt you can 'fix a bug' in oracle or windows and distribute it 
without breaking law. As for making a binary patch, I have yet to see any 
poster on this mailing list do it ;)

did i say that one could fix *all* bugs? i just stated that you could
even fix them, as the case may be. and whether you doubt it or not,
there are bugs fixed in binaries, i think a few weeks ago someone posted
one on bugtraq, impatch.zip or something like that, against IMail 7.11.
and i doubt you can generalize about 'breaking the law', every country
is different, a patch is at most against the license which may or may
not be legal/enforceable in a given country.

You used it? You trust it? I guessed so.
Therefore, this ability you have of fixing things is irrelevant, and not even 
used by bugtraq posters.

People want to disclose, that's all.


And microsoft rarely takes outsider advice at face value. That's why so
many people disclose their bugs in order to 'force them to fix'.
Exactly the same as the bank, again.

wrong, MS is not the sole software company on the planet, and definitely
not the only one having bugs in their software.


And? Why do you say I'm wrong? Where did I say MS is the sole software company 
on the planet or that it's the only one having bugs in their software?

Maybe you misunderstand me. Option (b) was the option of non-disclosure,
that was the very point.

i understand the points, but i don't understand which one you're
promoting yourself. remember that the whole 'debate' started when you
attacked Guninski's analogy and wanted to provide your own - supposedly
to support the responsible disclosure argument as he was attacking it.
if i'm misunderstanding something then it's because i failed to figure
out the whole point behind your posts. maybe time to establish it?

Why the fuck would you care about what path I prefer?

I don't "promote myself".


Who cares if the bank would hire you or not. I say it's up to them. You 
still don't understand that? You still don't understand other people
have freedom and rights also?
And guess what... same goes for software vendors.

no, you don't understand what i said. banks would never hire you (the
bug hunter) to fix their security problem, there is exactly 0 freedom
of choice for them (if you don't believe me, just call up your bank
and ask around).

What part of your imagination do you take that bullshit from?


Read what I previously said regarding right to change software code
and current availability of binary patches upon disclosure of a bug.
It would be funny to see any bugtraqer actually *fix* bugs instead of
disclosing them.

http://archives.neohapsis.com/archives/bugtraq/2002-07/0326.html

God, you really thought I was saying 'any' literally?
I meant bugtraqers (yes, that basically means more than one) disclose bugs in 
commercial software with the intent of forcing the vendors to fix them. It 
is not common behavior to give a patch for commercial software.


boy, do i have that smile on my face ;-).


Boy, you must look stupid.

If you open your mouth and someone gets it by abusing the security
problem, it will not be thanks that you will get from me.

and if i don't (notice what i wrote: "that i kept silent all that
time")? looks like your non-disclosure argument didn't quite work out,
did it ;-).

If you don't then it won't be your responsibility, and I won't beat the shit out 
of your fucking skull.


You did your job, you are well paid, it's not your responsibility, and
you want to resign? funny.

ok, you lost me somewhere on this thread, in that example i was
supposedly in the position to ensure that the company assets were in
'good hands' - if i can no longer guarantee that, i can no longer do
my job.

You also say you do not have the authority to switch the managers of the 
company assets. That kinda conflicts, don't you think?


I did not say all were compromised. I said all could be compromised.
I think you are intelligent enough to understand that.

you did? where can i find the words 'could' or 'can' in:

Revisit analogy: autohack all openssh vX.X and mass-own the world
thanks to duke and his ISS sponsor. Yes, the bug was (somehow)
reproduced in all the copies, what a coincidence. ;)

Where do you see "all"?

Thus my sentence "I thought you are intelligent enough to understand that". 
Obviously you are not.


to me 'mass-own' and 'was reproduced' imply not ability but actual
actions.

mass-own implies "massively owned" not "all owned". Has nothing to do with 
actual actions or not, just the fact that them not all being owned is 
irrelevant.

but hey, i speak shit english too not to mention the lack of
intelligence.

As a matter of fact, all frenchies in the field that are not blackhats do 
speak shit english and lack intelligence.



