lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue Apr 26 03:02:06 2005
From: zx at castlecops.com (Paul Laudanski)
Subject: Re: -==phpBB 2.0.14 Multiple Vulnerabilities==-

> There's a big difference between discussing disclosure etiquette and 
> demanding that one's terms of disclosure etiquette be followed.  Those 
> on the "full disclosure sucks" end tend to do the latter.

I don't think anyone here is arguing the concept of "full disclosure".  By 
all means go for it.  I've done so in the past myself.  Point I'm making 
here is, why issue a disclosure without suggesting any kind of patch 
coupled with the fact that the vendor wasn't even notified.

What's the point of humanity?  To me its helping each other out.  Without 
vendor notification and/or a suggested patch, what's the point of having a 
disclosure that actually helps sysadmins protect their systems?

Granted this disclosure calls itself a low risk.  But what if it were a 
high risk that could sweep itself across the net bringing websites down, 
causing people to lose time and sleep trying to figure out what a decent 
patch is?

Moral fiber.

> Frankly, Dave's right - it was never required to inform the vendor.  Is 
> it a nice thing to do?  Sure. (informing the vendor, that is...)  Is it 
> the responsible thing to do?  I tend to think so...

Its not about requirements.  Its about doing the right thing.  Lets 
analyze what the OP released.  If it contained a suggested patch then I 
would not have replied nor had an issue with the release.  We wouldn't 
even be having this discussion.

> But, should one be compelled to do so?  I don't think so.  Frankly, I'd 
> hate to see what the world would be like if we had to pass our actions 
> through Acme XYZ company whenever we do anything... I mean, I suppose if 
> you like servitude, then having to get permission for everything would 
> make sense...

Last I checked slavery was abolished.  The pros play nicely, and if 
someone wants to get into the game, then be mature about it and place nice 
too.

As above, I would have been fine if the OP posted a suggested patch.  One 
wasn't offered.  If not, then contact the vendor.  What was the reason to 
release the disclosure so quickly?  Was it about "losing credit"?  phpbb 
and other vendors I've worked with honor full credits. 

> It comes down to this: when real people find out something or other 
> regarding a product, they should be allowed to share that information 
> without restriction.  That's the organic nature of information: live 
> with it because it's not going to change.  The alternative is a freeze 
> on information that would amount to the destruction of all information 
> freedom and, ultimately, the death of democracy (if it ever actually 
> existed)...

I see the point I'm trying to deliver is being missed.  

> Now, responsible disclosure is one thing, but there is no requirement to 
> be responsible.  And that isn't to say that just disclosing a bug is 
> inherently irresponsible.  If the vendor is not responsive or has not 
> been responsive in the past, then I say disclose away.  At that point, 
> disclosure is the responsible thing to do.

That is perfectly fine in my book too.  But the OP didn't state that in 
his release now did he?  Some vendors can't be bothered about disclosures.  
So state that, and still offer a suggested patch.  If you are incapable of 
producing one, find someone who will. 

> Neither side bares a rosy picture:  full disclosure can result in users 
> being harmed... but those who've spent any remote amount of time amongst 
> real hackers/crackers know that that is no different than the status 
> quo.  (Most of them never end up as MS MVPs, btw)  The "full disclosure 
> sucks" side of the table results in a concept which forwards the idea 
> that a freeze on information ultimately is a good thing and we should 
> all eat from the corporate trough. 

Seems the whole MVP thing turns out to be a sticking point?  I've replied 
many times in these seclists and have never generated such a discussion 
before.  

> I'd take my chances with the status quo, keep the flow of information 
> moving, and use that information to protect myself. 

What is the status quo?  Russ Cooper of NTBugtraq wrote today about the 
NGS Software disclosure on Sybase and how Sybase was threatening them with 
legal action if it were released (to be in 3 months after vendor 
notification):

"NGS, a very responsible security company, informed Sybase of the 
vulnerabilities and stated they would publish details in three months. 
This is perfectly normal and acceptable practice in the security arena."



> No offense meant, but can't we all just get along on this little playground?

I thought that was the whole idea?  Getting along and helping each other 
out.  Ergo why I replied in the first place to the OP.

-- 
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CastleCopsWiki .. http://wiki.castlecops.com
MS MVPS Blog .... http://msmvps.com/castlecops
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com


________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.

  part000.txt - is OK
http://castlecops.com

Powered by blists - more mailing lists