lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue Apr 26 03:02:06 2005 From: zx at castlecops.com (Paul Laudanski) Subject: Re: -==phpBB 2.0.14 Multiple Vulnerabilities==- > There's a big difference between discussing disclosure etiquette and > demanding that one's terms of disclosure etiquette be followed. Those > on the "full disclosure sucks" end tend to do the latter. I don't think anyone here is arguing the concept of "full disclosure". By all means go for it. I've done so in the past myself. Point I'm making here is, why issue a disclosure without suggesting any kind of patch coupled with the fact that the vendor wasn't even notified. What's the point of humanity? To me its helping each other out. Without vendor notification and/or a suggested patch, what's the point of having a disclosure that actually helps sysadmins protect their systems? Granted this disclosure calls itself a low risk. But what if it were a high risk that could sweep itself across the net bringing websites down, causing people to lose time and sleep trying to figure out what a decent patch is? Moral fiber. > Frankly, Dave's right - it was never required to inform the vendor. Is > it a nice thing to do? Sure. (informing the vendor, that is...) Is it > the responsible thing to do? I tend to think so... Its not about requirements. Its about doing the right thing. Lets analyze what the OP released. If it contained a suggested patch then I would not have replied nor had an issue with the release. We wouldn't even be having this discussion. > But, should one be compelled to do so? I don't think so. Frankly, I'd > hate to see what the world would be like if we had to pass our actions > through Acme XYZ company whenever we do anything... I mean, I suppose if > you like servitude, then having to get permission for everything would > make sense... Last I checked slavery was abolished. The pros play nicely, and if someone wants to get into the game, then be mature about it and place nice too. As above, I would have been fine if the OP posted a suggested patch. One wasn't offered. If not, then contact the vendor. What was the reason to release the disclosure so quickly? Was it about "losing credit"? phpbb and other vendors I've worked with honor full credits. > It comes down to this: when real people find out something or other > regarding a product, they should be allowed to share that information > without restriction. That's the organic nature of information: live > with it because it's not going to change. The alternative is a freeze > on information that would amount to the destruction of all information > freedom and, ultimately, the death of democracy (if it ever actually > existed)... I see the point I'm trying to deliver is being missed. > Now, responsible disclosure is one thing, but there is no requirement to > be responsible. And that isn't to say that just disclosing a bug is > inherently irresponsible. If the vendor is not responsive or has not > been responsive in the past, then I say disclose away. At that point, > disclosure is the responsible thing to do. That is perfectly fine in my book too. But the OP didn't state that in his release now did he? Some vendors can't be bothered about disclosures. So state that, and still offer a suggested patch. If you are incapable of producing one, find someone who will. > Neither side bares a rosy picture: full disclosure can result in users > being harmed... but those who've spent any remote amount of time amongst > real hackers/crackers know that that is no different than the status > quo. (Most of them never end up as MS MVPs, btw) The "full disclosure > sucks" side of the table results in a concept which forwards the idea > that a freeze on information ultimately is a good thing and we should > all eat from the corporate trough. Seems the whole MVP thing turns out to be a sticking point? I've replied many times in these seclists and have never generated such a discussion before. > I'd take my chances with the status quo, keep the flow of information > moving, and use that information to protect myself. What is the status quo? Russ Cooper of NTBugtraq wrote today about the NGS Software disclosure on Sybase and how Sybase was threatening them with legal action if it were released (to be in 3 months after vendor notification): "NGS, a very responsible security company, informed Sybase of the vulnerabilities and stated they would publish details in three months. This is perfectly normal and acceptable practice in the security arena." > No offense meant, but can't we all just get along on this little playground? I thought that was the whole idea? Getting along and helping each other out. Ergo why I replied in the first place to the OP. -- Sincerely, Paul Laudanski .. Computer Cops, LLC. Microsoft MVP Windows-Security 2005 CastleCops(SM)... http://castlecops.com CastleCopsWiki .. http://wiki.castlecops.com MS MVPS Blog .... http://msmvps.com/castlecops CC Blog ......... http://blog.castlecops.com Staff Blogs ..... http://busterbunny.castlecops.com Our Vision ...... http://castlecops.com/postt63382.html http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com ________ Information from Computer Cops, L.L.C. ________ This message was checked by NOD32 Antivirus System for Linux Mail Server. part000.txt - is OK http://castlecops.com
Powered by blists - more mailing lists