From: jasonc at science.org (Jason Coombs)
Subject: No Subject (re: openssh exploit code?)

Aloha, Mitch.

Your essay on the immorality of releasing exploit code was very well 
thought out, and I commend you for it and for standing up for something 
that you believe in -- particularly in a venue that is openly hostile to 
your viewpoint.

That having been said, your conclusions are wrong. In part this is 
caused by a simple slip of logic and perhaps a flawed understanding of 
statistics.

We know beyond much doubt that virtually every computer in existence 
today can be owned. We know that worms can spread quickly through 
computer networks. We also know that a worm that immediately destroys 
its host doesn't get a chance to replicate. We know that worms could be 
designed to delay destruction of hosts, essentially dropping a Trojan 
with a time bomb inside. We know that the release of exploit code for a 
remote exploitable vulnerability in network service code makes it next 
to trivial for most script kiddies to tool up precisely this sort of 
hybrid attack. We also know that it doesn't happen in practice, despite 
your fear that it will and the exploit will be to blame. Are we simply 
*lucky* that this has not happened to date with a widely-successful 
worm? (recall the many varieties of virii that do destroy the infected 
host, but which do not spread and execute automatically)

Perhaps we have been lucky. Perhaps you are correct that we will not 
always be so. However, you must reconsider your assessment of the damage 
that will be done in the real world when the killer worm Trojan time 
bomb does get released because we know from past worms that nowhere near 
every vulnerable box gets owned by the beast, and we know that not all 
boxes that are thought to be vulnerable actually end up being vulnerable 
for one reason or another. A loss, and I mean a complete and 
unrecoverable data loss, of 10% to 20% of the world's computers would 
just not be a very big deal. Some of the more irresponsible companies 
would go out of business, sure. Some people may even die. But people 
die. And companies go out of business. Life goes on for everyone else, 
and the survivors change and adapt. Damage that could have and should 
have been prevented in the first place gets investigated and those 
responsible get sued and maybe, if we're lucky just a little more, they 
get put in jail for a very long time.

But what you're saying is that you will be one of those people who come 
to my house carrying your pitch fork, your hangman's noose, and your 
torch, chanting something dreadful along with the rest of the mob, when 
the exploit code I release gets picked up by somebody and incorporated 
into the malware that exposes the utterly insane and misguided reliance 
upon unprotected, unprotectable software-based programmable computers 
throughout the civilized world for elements of critical infrastructure.

What you're saying is that you will blame me, not the company that 
refused to cut into their profits by installing redundant failsafes.

What you're saying is that you will convict me and sentence me because 
my thoughts, disclosed publicly, were used by somebody else to create a 
tool that caused your pretty little house of cards to collapse around you.

You *should* blame yourself for building houses of cards and calling 
them something that they are not.

You *should* blame yourself for keeping quiet about the true causes of 
the problems that lead to vulnerabilities, because you mistakenly and 
arrogantly believe that your conclusion is the smarter one that results 
in a safer world.

You *should* let go of the burden you feel for keeping the world safe 
from all of your hypothetical threats, because it's not your job and it 
is misguided to believe that such a thing is even possible with you as a 
single point of failure.

You *should* recognize that those elite few who really care about 
security can, will, and *do* pull the network cable out of the back of 
boxes that are believed to be vulnerable to exploits *when* those 
exploits get released. For obvious reasons of practical reality these 
same people do not, in general, pull the plug on systems that they 
*know* to be vulnerable *until* they see conclusive proof that there is 
an immediate risk.

You *should* feel responsible, personally, for every penetration that 
occurs that would have been avoided if you had helped to communicate 
full disclosure with proof of concept exploit code, since only that 
communication has been prove to trigger widespread social response in a 
preventative manner. Advisories that attempt to explain complex 
hypothetical vulnerabilities and recommend an immediate patch just do 
not do the job.

You have an obligation to disclose information in detail that other 
people can use to protect themselves immediately. Your failure to 
disclose this information makes you nothing less than an accomplice 
before the fact to every penetration that occurs in the future when 
somebody else finds the hidden secret and exploits it.

I will continue this discussion with you in greater detail if you wish. 
There is much need for this conversation to recur, because many people 
just like you are still confused about the proper role of an information 
security professional in the security process. Many people are also 
still confused about the obligations that go along with knowledge, 
mistaking those obligations as the same ones that go along with skill 
and ability to take decisive action to contain or prevent imminent 
damage or risk exposure. Knowledge that other people are at risk must be 
disclosed -- and it must be disclosed in full detail and publicly when 
there is no other way to communicate with most (if not all) of those 
people. This is the inherent value of the Public, and you diminish this 
value and reduce its protective power when you presume to know better 
than the Public does what it can and can't cope with being told.

Sincerely,

Jason Combs
jasonc@...ence.org


mitch_hurrison@...lip.com wrote:
> Hi Paul,
> 
> Again, what is it about your personality that makes you incapable
> of taking part in an adult discussion of responsible disclosure
> issues? Is it that anyone who has a different opinion than yours
> is automatically not worth your time? That sounds kind of nazi-like
> to me mr. Schmehl. 
> 
> It's quite saddening to see this list turn into a pack of hungry
> saliving fools at even a hint of an exploit for this issue. You
> seem to have more of a hardon for the "juarez" than any "kiddie"
> I've ever met. Even when trying to debate some of the issues
> surrounding the disclosure of such a potentially devastating
> exploit all one gets is "yeah, yeah. Now make with the warez".
> 
> As far as it being "easy" to exploit. No it isn't. You have to
> abuse a lesser issue, a memory leak to be more precise, to get
> a heap layout that will allow you to survive the initial memset
> without landing in bad memory. Now without going into details
> anyone who manages to survive the initial memset should be able
> to debug the crash to the point of exploitation. This is managable
> on atleast Linux IA32 systems. 
> 
> Now I'll try and bring my original point forward one last time,
> allthough I fear it will just call for more immature commentary
> from the likes of Paul Schmehl.
> 
> There is no need for anyone to release this exploit. It will change
> nothing about the fact that you need to upgrade your daemons. It
> will change nothing about the bugdetails already published. There
> is no reasoning for it other than "but I want to learn how to do it".
> And sorry but that's just not good enough to warrant the mayhem that
> will ensue when an exploit like this is released. So if you in
> your academic pursuits decide to tackle this problem. By all means
> go right ahead. But I think anyone who's discovered the real impact
> of this bug will realise that disclosing the exploit to the 
> general public is highly irresponsible. 
> 
> Now on a larger scale, I think it's rather foolish to cop an attitude
> that assumes anything that doesn't exist in the public eye isn't
> possible. It reeks of the same arrogance I'm accused off. Is it 
> arrogant to step forward to try and explain why noone who managed
> to exploit ossh is willing to step forward? Maybe it is. 
> 
> Fact 
> remains that exploiting this issue requires creativity beyond
> the pre-chewed papers. And that's why you're not seeing the regular
> array of mediocre "hackers" producing exploit code. I'd like to
> think that anyone who was capable of writing this exploit also
> recognises the potential impact of releasing it.
> 
> So instead of trying to poke fun at me Paul, why don't you do your
> duty as a knight of Full Disclosure and provide the good people
> of this list with a definite analysis on the ossh 32k nul heap
> munging? (buzzword quota filled).
> 
> This is the year 2003. We aren't
> the only ones reading these lists people. Do you really want to
> be responsible for arming the more hostile elements in the world
> with such a tool? I can't stress it enough. Noone should release
> this exploit. And to be honoust in this day and age I think anyone
> releasing exploits to the general public is losing sight of a
> bigger picture that affects us all. Now I'm not talking about
> the Nth trivial snosoft local stack overflow "exploit". I'm talking about the apaches, the openssh's and the ms rpc's. Time and time
> again it's become apparent that full disclosure simply does not
> function. And allthough I realise that there will always be people supporting 
> full disclosure, I think even with the disclosure of vulnerability
> information releasing exploits is something that's not justifiable
> in any way.
> 
> There is simply no need for exploits, especially not one that would
> affect people and nations around the globe. You have to look beyond
> your own little egocentric world of friendly exploit dev and "but it's fun",
> and take a look at the bigger picture. 
> 
> So to you Paul, and to the rest of this list. I say once again
> if you can't write the exploit. You don't..need.. the exploit.
> 
> With regards,
> Mitch

Powered by blists - more mailing lists