From: poohpooh000 at hotmail.com (pooh pooh)
Subject: Re: Valid disclosure analogy

>You are client of 'bank A'. You find out about a way to break in
>'bank A' in a quite complicated and tricky manner, but yet possible.

bank 'A' has one 'copy' whereas a given piece of software has N. the
fact that you can attack/exploit it doesn't automatically give you
the ability to exploit all N copies whereas it does give you the
ability to compromise all accounts in bank 'A'. the fallacy of analogies
at its best. who did you say was the moron again? mind you, Guninski's
wasn't perfect either but at least he doesn't suffer from the attitude
problem you have.

>a) Don't do anything: all banks are vulnerable at some point. It's all
>   a matter of risk, and keeping it secret is the best way to keep
>   the risk at its lowest. Furthermore, the vulnerability does not
>   compromise the quality of the service itself;

you must be a 'blackhat', 'cos this one actually looks applicable to
both software and banks. congratulations for spreading the philosophy
of non-disclosure!

>b) Your money is at risk: remove it from 'bank A', put it in 'bank B';

what if there is no bank 'B'? am i supposed to create one? preferably in no 
time?

what if bank 'B' does not provide (some of) the services of bank 'A'
which are vital to my own business? am i supposed to create them
myself? will bank 'B' provide me with enough details of her own internal
systems so that i can do it in a reasonable timeframe? will they accept
my changes to their own system?

what if i can't afford switching banks right now? am i supposed to fix
bank 'A'? will they give me enough information to do it? will they
accept my changes?

what if it's not up to me to decide and i can't convince those who can
but don't want to? am i supposed to quit my job? am i supposed to make
the switch to bank 'B' 'behind the scenes' and hope no one will notice
or at least blame me later?

and finally, you still sure your analogy holds between the world of
banks and software? are you living on the moon or something? at least
you've never worked for a real bank if you think you could pull off the
above.

>c) Break in 'bank A' and steal other people's money, get plane ticket
>   for the Bermudas;

the worst part of your analogy as pointed out at the beginning.

>d) The evil 'bank A' put people at risk. Regardless of fact that you
>   are not the owner of the bank, nor that you represent the interest
>   of each and every of its clients, take the initiative to inform the
>   world of the vulnerability details, how to exploit it, and if
>   possible, make a point-and-click robot that breaks into the bank
>   and steals money for you, and give a free copy to everyone who wants
>   one;

wow, the second best shot, this time against full disclosure!

and while you failed to point out where 'responsible' disclosure would
fit in here, i'll guess that it would be the one that would minimize
the embarrassment for the bank and keep the public in the dark as long as
possible.
