| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Aug 9 06:27:38 2005 From: DDavis at pivx.com (Dominique Davis) Subject: "responsible disclosure" I must first state that the following post in no way reflects on the views of my company and are In no way that of my employers.They are all my own. However i do take issue with a few of the statements you have posted below and as a thinking free man i cannot allow these to pass un-addressed. point one : "responsible disclosure" causes serious harm to people. It is no different than being an accessory to the intentional destruction of innocent lives. Rebuttal In the intrest of "responsibily discloseing " information you belived needed to be spread to the public without a objective third party couterbalance to verify the facts you have caused harm to innocents who were just doing their jobs without thought to the harm it might cause them making you a "accessory to the intentional destruction of innocent lives." In the name of righting injustice outside of the established legal process with no justifaction other than your own views and intrest. Point two: Often, some incompetent computer forensics professional will have already done work on behalf of the defense and authored a report of their own. These reports read like those authored by the prosecution's computer forensic examiners, they list the contents of the hard drive, itemize entries from Internet Explorer history files and explain that some "deleted" files were recovered that further incriminate. Rebuttal: Can you state here in public that you have never done the samewhen you were starting out.Nothing personal bud ,But those who live in glass houses shouldnt through stones. ________________________________ From: full-disclosure-bounces@...ts.grok.org.uk on behalf of Jason Coombs Sent: Mon 8/8/2005 8:51 PM To: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] "responsible disclosure" explanation "responsible disclosure" causes serious harm to people. It is no different than being an accessory to the intentional destruction of innocent lives. Anyone who believes that "responsible disclosure" is a good thing needs to volunteer their time to teach law enforcement, judges, prosecutors, and attorneys that the consequence of everyone communicating with everyone else online is that some people use secret knowledge of security vulnerabilities to ruin other people's lives or commit crimes by hijacking innocent persons' vulnerable computers. Some of you may know that I work as an expert witness in civil and criminal court cases that involve computer forensics, information security, and electronic evidence. I just received a phone call from a member of the armed services in the U.S. who is being court martialed for possession of computerized child pornography. This happens every day in courtrooms throughout the world. On a regular basis somebody accused of this crime finds me and asks for my help explaining that a third-party could have been responsible for the crime. In every case the prosecution is alleging that the computer forensics prove beyond a reasonable doubt that the defendant is guilty of the crime because it was their Windows computer that was used to commit it. Often, some incompetent computer forensics professional will have already done work on behalf of the defense and authored a report of their own. These reports read like those authored by the prosecution's computer forensic examiners, they list the contents of the hard drive, itemize entries from Internet Explorer history files and explain that some "deleted" files were recovered that further incriminate. So you tell me, those of you who believe that "responsible disclosure" is a good thing, how can you justify holding back any detail of the security vulnerabilities that are being used against innocent victims, when the court system that you refuse to learn anything about is systematically chewing up and spitting out innocent people who are accused of crimes solely because the prosecution, the judge, the forensic examiners, investigators, and countless "computer people" think it is unrealistic for a third-party to have been responsible for the actions that a defendant's computer hard drive clearly convicts them of? You cannot withhold the details of security vulnerabilities or you guarantee that victims of those vulnerabilities will suffer far worse than the minor inconvenience that a few companies encounter when they have no choice but to pull the plug on their computer network for the day in order to patch vulnerabilities that they could otherwise ignore for a while longer. "Responsible disclosure" is malicious. Plain and simple, it is wrong. "Responsible disclosure" ensures that ignorance persists, and there is no doubt whatsoever that ignorance is the enemy. Therefore, supporters of "responsible disclosure" are the source of the enemy and you must be destroyed. Hopefully some patriotic hacker will break into your computers and plant evidence that proves you are guilty of some horrific crime against children. Then you will see how nice it is that all those "responsible" people kept hidden the details that you needed to prevent your own conviction on the charges brought against you by the prosecution. How can "responsible" people be so maliciously stupid and ignorant? Please, somebody tell me that I'm not the only one inviting judges to phone me at 2am so that I can teach them a little about why a Windows 2000 computer connected to broadband Internet and powered-on 24/7 while a member of the armed forces is at work defending the nation could in fact have easily been compromised by an intruder and used to swap warez, pirated films and music, and kiddie porn without the service member's knowledge. How can trained "computer forensics" professionals from the DCFL and private industry author reports that fail to explain information security? The answer is that the people who teach computer forensics don't understand information security. It is not "responsible" to suppress knowledge of security vulnerabilities that impact ordinary people. Suppress security vulnerability knowledge that impacts only military computer systems, but don't suppress security vulnerability knowledge that impacts computer systems owned and operated by ordinary people; for doing so ruins lives and you, the suppressing agent, are to blame for it moreso than anyone else. Grr. Rant. Rant. Grumble. Sincerely, Jason Coombs jasonc@...ence.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050808/fb3e8285/attachment.html
Powered by blists - more mailing lists