Open Source and information security mailing list archives
Date: Thu, 23 Feb 2006 09:01:56 +0100
From: Jure Koren <jure@...bix.org>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in new laws on computer hacking

On Monday 20 February 2006 22:39, Bigby Findrake wrote:
> Perhaps this is beating a dead horse, but could someone explain to me why
> the addition of a $50 computer found at a garage sale, a $10 NIC, and a
> $20 switch or hub to any would-be-infosec's arsenal wouldn't suffice for
> this purpose?  We're not trying to brute force 4 kilobit pgpkeys, we're
> trying to present a host to attack.  FreeBSD, NetBSD, OpenBSD, Linux...
> all free operating systems.  Isn't there an x86 version of solaris that's
> free?  $500 computers aren't needed for this testing.  I suggest that the
> necessity for more expensive hardware is the exception, and not the rule.
> Bochs may not be speedy, but it works.

This is only OK for examining stuff you _can_ get your hands on.

> I would also suggest that anyone who finds that money is an obstacle is
> looking for excuses.  I have often found ways to make outdated hardware
> useful in a variety of situations.

Money can't buy you software an online content provider has made themselves. I 
once discovered a vulnerability in an online public telephone directory. 
The vulnerability was definitely not discovered by accident. I had browsed 
through their HTML sources and found a number of things suggesting a 
completely braindead way of doing security, without any real checking of user 
input. I wrote an exploit, sent it to them, waited to no avail, and 
then published it. I never let myself run that exploit, but somebody must 
have, because after publication the site was down for three full days, and 
when it was back it wasn't vulnerable anymore.

Whoever fixed it was actually a good, security-conscious programmer, and I hope 
he made a lot of money. I was trying to protect subscriber customers whose 
accounts were trivial to compromise (and this was already happening on a 
regular basis) to gain access to their own personal address books.

If the service provider couldn't provide the security, the customers had no 
choice (since there is only one telephone services provider in the entire 
country), and there was no way to tell the provider that they have a problem 
without getting busted. Well, what do you suggest?

I think it's not a case of "breaking and entering", but rather a case of "your 
windowsill flowerpot is about to fall on one of your customers, and I'm going 
to move it". Make no mistake, this is in fact illegal tampering with 
someone else's property, but I can tell it's quite ethical to politely force 
the provider in question to fix their security, because security experts' 
responsibility lies with everyone adversely affected by a particular problem, 
not just the owner of a service.

I think this is a good example of when you just can't do a wholly responsible 
thing. Walking away is not an option because users are at risk. Talking to 
the provider is only an option when they talk back. A proof of concept is, 
unfortunately, one of the few options left open. I would like to hear from 
anyone who can tell me another, less invasive, and if possible less illegal, 
way of dealing with this.

Regards,

-- 
Jure Koren, n.i.
