From: yossarian at planet.nl (yossarian)
Subject: Sapphire worm POC that fulldisclosure policies hurt everyone

> I hear a lot of arguments put out by the naive in favor of full disclosure of vulnerability information. But the fact is, full disclosure policies hurt everyone, and this time, they have wreaked havoc across the entire internet. The ms-sql vulnerability has been known to the public for six months. If the full disclosure philosophy were correct, the vulnerability would have been patched by the vast majority of admins out there. However, that isn't what happened. Thousands of machines were compromised and it led to a massive internet-wide loss of service.

Who is naive here? It doesn't hurt me that MS SQL servers fall over. If my bank will get hurt by this virus, I will choose a bank that can be trusted. Funny thing is, my bank is spending a lot of money and effort in preventing this, and is successful at it. My guess is that shooting the messenger is naive. It might be a flaw in full disclosure policy that the responsible admins don't read them, and irresponsible ones do. It is a major flaw in cars that people who are not good drivers can drive in them. Full disclosure does not enable viruses. It IS a matter of timing, of course; posting a full exploit on the 1st day it is discovered might be a bit over the top. But then again, it is the first day YOU know it is there; others might have known for ages. Example: at DefCon 2000, the trust factory went full disclosure, more or less, on an exploit in Lotus Notes. It was said to be unbreakable, rock solid etc., for years. This very same hole had been exploited earlier; I and many colleagues with me had seen it in 1998 or 1999, when it was used against a bank and a car manufacturer. We didn't disclose it, maybe no one did, but the bottom line is that it had been used way before disclosure. Most stories don't hit the press, most vulns are not reported, and are eventually forgotten. But they are also never fixed.

If you say don't disclose, you are fighting the lesser evil. As a researcher, you find large numbers of holes. It is just a matter of time and effort. The lesser evil is computer viruses. The bigger menace might well be digital armageddon. I don't think it is possible today, but it will be some time in the future. Someone can shut down the power grid, probably with a targeted computer virus. Remember, digital warfare will most likely be a form of economic warfare, unless integrated warfare will be vulnerable. It certainly will, but it is not there, yet. The Pentagon is working toward it, which means that soldiers can command landmines to move to another spot - over TCP/IP. Sounds silly, but some people are building this; it is not SF. If the vulnerabilities of the used technologies are not known, high tech countries will be attacked by their own smart weaponry. Compared to some ATMs out of order, this might well be digital armageddon. But no, we don't want to strengthen our defences, since there will be collateral damage, since companies continue to employ incompetent people. What is worse, the internet completely down today, or say in ten years' time with all the new dependencies, maybe including SDI and military early warning systems, and certainly including the power grid, hospital support - not just PC - systems and all telephone communications?

> There are a lot of attacks against the competency of administrators who failed to put their databases behind their firewall, and also failed to patch their machines, but full disclosure operates on the assumption that all administrators are going to find out about the bug and patch their machines. The full disclosure philosophy is flawed.

Well, if you use legit software, you are paying for support and supposed to follow the instructions of the manufacturer. If you don't, who is to blame? It is like not following your doctor's advice. All admins should do their jobs properly, because that is what they are paid for.

The information is free, it is out there, very easy to get, but no, since not all the people read it, FD doesn't work? The sad truth is that many admins are incompetent. Finding out about a bug, especially if it is MS or some other major company's software, is very, very easy. Or would you dare to call people who don't read the supplier's advice (or the manuals) competent?

> The vast majority of those reading this message probably won the scriptkid/admin race of patching vs being compromised. But today, that didn't stop the destructive power of this worm. Today's denial of service was mostly caused by smaller enterprises with less competent administrators. The message is "pay up to the security consultants or your machines get owned". I would be more okay with this if it were just the machine's owners that got affected, but it's the entire internet. Get a clue, your actions have consequences.

Duh, what a race, if you are more than six months behind. It doesn't take six months to write a virus. The consequence of no disclosure, because that IS what you are advocating, is that systems will never get fixed. See my rant about digital armageddon. It is not pay up to the security companies but just use the software you understand. A fool with a tool is a dangerous fool. If a smaller company decides to use a tool it cannot control, it is stupid. But you don't need a security consultant to apply a fix; well, I sincerely hope that any admin can update a system, either a fix or just a new app. There is no difference. Also, there is no excuse for incompetence. Even smaller companies have their buildings constructed by competent companies, not by someone who is dirt cheap and they met in a bar. If a building collapses due to incompetence, the construction company gets sued. If people die, the company owners might go to jail.

> If the ms-sql bug had never been disclosed, and was slipped quietly to Microsoft, this never would have happened, and the same responsible administrators would have upgraded their software. The odds are, those same responsible administrators have had their database servers behind a firewall anyways, so this is all irrelevant. This catastrophe was caused solely by the disclosure of vulnerability information.

This would have happened, since if MS was told quietly about this bug, these sorry excuses for admins would still not have updated their systems. There are hundreds of bugs in MSSQL, fixed and not fixed, but only a few were ever used in a virus. MS is spending lots of money just fixing the holes they do find. Why? Because they might get exploited, whether it is known or unknown. Most holes that are fixed were found by MS people, and never disclosed. Just check on their site, and see what is in the updates. Some security hotfixes are because of disclosed holes, many are not. In the service packs, many other security holes are closed; MS tells you all about it, if you were to read TechNet. BTW, TechNet is not for security consultants only. Let me give you an example on disclosure vs. MS: in 1997 in MSDN someone from MS warned developers about the risks of using, or rather thoughtless use of, several codesets. In 2001 the Unicode exploits surfaced, and MS fixed them. But many admins didn't. Do you blame MS?

> I urge you to be more responsible with your actions in the future. The stability of the entire internet is at stake.

Funny, the net was built and designed to withstand nuclear war, but a single 15 y/o will take it down? The net is some corporate databases. It wouldn't be interesting if it was. And all the extra traffic, well, anything can cause that, not only viruses. If they were to put a new single from any major pop band on-line, would the traffic be very heavy?
I urge people to disclose in an effective AND responsible way, since not the stability but the future of the Internet is at stake.