| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Mar 2011 16:54:16 +0000 From: Luigi Auriemma <aluigi@...istici.org> To: Jim Harrison <Jim@...tools.org> Cc: Michal Zalewski <lcamtuf@...edump.cx>, "J. Oquendo" <sil@...iltrated.net>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com> Subject: Re: Vulnerabilities in some SCADA server softwares > I fundamentally disagree with the idea that public disclosure > as a means of vendor notification serves any purpose no problem, if you don't agree with full-disclosure or how I and the other researchers like me handle these security vulnerabilities you have the full power and freedom of finding them by yourself and handling them as you desire. so now the question is, why don't all these "good guys" spend their personal time and skills to find these vulnerabilities and reporting them to the vendors before me? the answer is that usually such people don't have the skills or simply don't like the idea of doing a professional work completely for free and even with the obligation of doing everything the vendor wants before the releasing of the patch that can take months or even years... practically a slave. or do you think that you can contact the vendor asking funds for the research you have already found? it would be logical but it's a non-written rule in the security community: it's better to go with full-disclosure for free. the only exceptions are Mozilla and Google with their bug bounty programs but oh well, they are pioneers. anyway regarding this particular case of SCADA I didn't like the behaviour of ICS-CERT at all. this entity has the full power for handling the security research and the communication between vendor and researcher with benefits (knowledge, funds and credits) for both but simply does nothing as resulted from the mails I exchanged with them covering all these aspects... I even don't understand what should be its work at this point except saying "there is a bug in this SCADA" and "now the vendor says it's fixed". > beyond tooting one's own horn and causing a panic state for the > application vendor and users. my mail was completely neutral and had no alarmism in it, I'm even amazed that someone noticed it. as usual the panic is generated by non-technician people or people who have personal interests in speculating on the thing. Bugtraq is a technical mailing-list for people in the security field and in same cases its content may not be ready or correctly filtered for the other people who could see risks that are different than the reality. > Anyone who honestly believes that the "bad guys" are not watching the > same lists where the "good guys" are communicating is operating far > too close to a famous Egyptian river. be sure that the "bad guys" are already aware of similar problems but you can't know it. if I can find these vulnerabilities in some hours without knowledge of SCADA and with a motivation not much far from the "mah let's try this program" imagine what can be done by how has strong motivation, time and knowledge. > IMHO, "public disclosure" only serves to increase the threat for the > vendor's customers. take the following consideration: SCADA systems are intended to work in isolated private networks so nobody except the authorized users should be able to even "ping" the machines where are running the vulnerable softwares. if this happens means that the security of the company has been already compromised before. now that the users of the vulnerable products are aware of the vulnerabilities they can verify if their network is really safe like it should be in any case and in the meantime they will wait the patches of the vendors. --- Luigi Auriemma http://aluigi.org
Powered by blists - more mailing lists