Re: Vulnerability Disclosure Debate

["Joel R. Helgeson" <joel () helgeson com>]

If they did that, how could we write NESSUS plugins that would accurately
scan for vulnerabilities?

I say it'll never happen.  Full Disclosure is the way to go.

Managing security by applying patches is fundamentally flawed.  The
programmers need to write secure code.  The onus is on them, not us.

"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
be warm for the rest of his life."
----- Original Message ----- 
From: "gridrun" <gridrun () likes smart-girlies org>
To: <full-disclosure () lists netsys com>
Sent: Thursday, August 07, 2003 11:53 AM
Subject: [Full-disclosure] Vulnerability Disclosure Debate


> Vulnerability Disclosure Debate
> by gridrun on 8/07/03
>
> The security alliance around Microsoft is trying to push its "reasonable
> vulnerability disclosure guidelines", which seeks to prevent security
> researchers from publishing proof-of-concept code alltogether, and wants
> them to make only limited, next to useless, information about security
> flaws available to the public.
> In my humble, personal opinion, this step seeks to maximize income of
> several large security firms, as they would release any detailed
> information only to paying groups of subscribers... An inherently
> dangerous plan, and the argumentation behind it is severely flawed.
>
> They state that those releasing proof-of-concept code to the public are
> responsible for the creation of various malware, virii and worms,
> exploiting the discovered vulnberabilities.
> Let me tell you one thing: If you believe that you are the only ones
> finding vulnerabilities, then you are to be considered a bunch of
> arrogant, self deceited stupid ignorant bitches. Do you really think you
> are the only ones "31337" enough to find sec vulns??? Latest example:
> The people here at spacebitch.com noticed intrusions using the RPC/DCOM
> vulnerability at least a month before any information about it was
> published at all. Now that its published, everyone goes BIG NEWS about
> it, and predicts the advent of the next "internet destroying" worm which
> will take over all our systems. It doesnt matter to these people, that
> the most effective worms and trojans are far more low profile then for
> example "slammer" worm was (an inherently dumb program, raising
> immediate attention just by the exorbitant amount of bandwidth consumed
> by it). They dont even mention that there are so many worms and trojans
> making their ways thru cyberspace, mostly undetected and unnoticed,
> spreading slowly and in a limited manner only.
>
> Hackers, Crackers and Script Kiddies alike are known to engage in
> exploit trading and often, they are discovering and exploiting
> vulnerabilities without going BIG NEWS about it... Do you really
> believe, people are sending all their 0day to @stake & co in advance,
> just to let them make money of the news?? Would you not rather believe
> that crackers finding new vulnerabilities would keep them 0day as long
> as possible, exploiting them undiscovered, because the majority doesnt
> even know the hole exists?? To me, it would seem perfectly logical for
> hackers and crackers alike to ONLY publish their findings after the
> problem was initially noticed by the public? Would it not make sense to
> you? To keep 0day for fun and profit as long as possible, and then
> releasing a modified variant of the 0day as "proof-of-concept" code, as
> soon as the public is noticed, and credits and publicity are to be
> gained by releasing the exploit code to the public?
>
> To me, full disclosure makes perfect sense. Tell people about the
> vulnerability as soon as you notice it exists, you'll see
> "proof-of-concept" code appearing within days - essentially a proof that
> there were other people knowing about the vulnerability already.
> Also, full disclosure, including exploit code, frees you from the
> obligation to believe in software vendor advisories and patches -
> another critical issue, demonstrated again by the RPC/DCOM flaw:
> Apparently, M$' fix doesnt really fix the problem to its full extent,
> and in some cases, is believed to leave machines vulnerable to the
> attack. Again, something which was to be discovered by END USERS loading
> proof-of-concept exploits and trying them on their own systems. To me,
> it makes no sense to blindly trust in a software vendor's patch, when it
> has repeately been shown that software vendor's patches often do not
> fully provide the anticipated security fixes.
>
> Obviously, time has NOT yet come to say goodbye to full disclosure, and
> doing so would leave end users at the fate of some sotware producers'
> industry consortium to take care of OUR security - which they have
> repeatedly shown to be incapable of.
>
> Spread the knowledge, take resposibility, take care!
> - gridrun
>
>
> http://softlabs.spacebitch.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html