Date: Fri, 25 Jul 2008 11:56:15 +0100
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Kaminsky's Law

So what you're saying is HD Moore and |)ruid are exploiting a loop
hole in the law to do what they do... looks like we need to get the
law tightened.

I say a "Responsible Disclosure Act" is drawn up, and anyone who
breaks it goes to jail.

That will mean:

- People will think twice before hitting send on blog entries,

- People will think twice about releasing code early,

- That the decided time line for disclosure can be enforced,

- That the people who release information and/or code early, they get
fined for every computer system compromised because of the
vulnerability information and/or code disclosure, on top of the jail
sentence.

So instead for the future its not just a verbal contract for
responsible disclosure, its a legally binding contract as well meaning
if the Responsible Disclosure Act has been signed by the security
researcher and its affected vendors, then ass hats like HD Moore and
|)ruid are breaking the law.

The details are a bit fuzzy right now, but i'm sure the big guys in
the industry can draw up proper rules for a Responsible Disclosure
Act.

Its likely the Responsible Disclosure Act would only be used in
exceptional circumstances like this DNS caching vulnerability, and the
approval of the act per vulnerability case has to be decided on by a
judge in a court of law, so that the Responsible Disclosure Act can't
be over used and abused, to keep the use of the act fair and
proportional in relation to the level of the threat.

That means, Full-Disclosure of vulnerability information and/or
wouldn't be illegal all the time, just in exceptional circumstances
that has to be OK'd by a judge.

This safe guards the deployment of a patch or patches while telling
what the importance of patching is to the public, while disallowing
security researchers to release information and/or code before the
time line for responsible disclosure.

So the scenario would be,

jake: hey did you hear about the patches being deployed and the news
reports about the flaw and why the patch is critical?

joe: yes, but the responsible disclosure act has been signed so we
need to wait until it expires before we can share info.

jake: no way, whats the assigned disclosure date?

joe: the standard 4 weeks, although with the responsible disclosure
act, after the 4 weeks, the security researcher and vendors can go
back to the judge to ask for an extra 4 week extension onto that, so
it could be eight weeks bro before we can become famous for five
minutes by releasing attack code.

jake: ah, sucks for us, but yeah if the judge has approved the signing
there isn't alot we can do unless we want to be labeled criminals, and
hunted down by interpol.

What has to be told to the community under the act:

- The community must be told the Responsible Disclosure Act has been
signed and OK'd by a judge.

- The community must be told the date the Responsible Disclosure Act
expires and disclosure can be made.

- The community must be told that security researcher and vendor can
go back to the judge after 4 weeks and ask for extension of the act if
extra time is needed, this must be announced to the community again
with notice.

All members of the community who break the Responsible Disclosure Act
are breaking the law and face charges.

Obviously this is just an email I rattled up in five minutes during a
water machine break, so the big guys in the industry can take these
ideas and throw them into a properly put together act.

I think Dan Kaminsky should lobby the industry and the government to
get something like this drawn up, since he is the one who has inspired
me to come up with the Responsible Disclosure Act.

I kind of feel sorry for Dan Kaminsky, and that HD Moore and |)ruid
had to be dick heads about releasing code on purpose against his
request of Dan Kaminsky, the vendors and people who agree with
responsible disclosure, especially in exceptional circumstances like
the DNS flaw.

Maybe we should name it "Kaminsky's Law" out of Solidarity for Dan.

All the best,

n3td3v


---------- Forwarded message ----------
From:  <Valdis.Kletnieks@...edu>
Date: Thu, Jul 24, 2008 at 5:56 PM
Subject: Re: [Full-disclosure] Comments on: DNS exploit code is in the wild
To: n3td3v <xploitable@...il.com>
Cc: full-disclosure@...ts.grok.org.uk


On Thu, 24 Jul 2008 16:17:08 BST, n3td3v said:

> This whole HD Moore savior of info sec thing has gone on long enough,
> its time to see him for what he is and get him slammed up in jail
> along with his counterpart |)ruid.

I'll point out that you happen to live in the country that invented the
concept of "habeus corpus".  In other words, you cant slam him in jail
unless you actually *charge* him with something.

Please tell us which countr(y|ies) you intend to have him charged, and what
offense.  Specific references to statutes would be appreciated (for starters,
I'll help you out and point out that in the US, he probably could *not* be
charged under 17 USC 1201 (the DMCA anti-circumvention clause), nor under 18
USC 1030 (the primary federal anti-hacking statute), unless you have actual
evidence that HD personally hacked into a computer covered by 18 USC 1030. You
run into similar issue with 18 USC 2701 (access to stored communication).

You *might* be able to make a case under 18 USC 2512 (dealing in devices for
intercepting communications), except that there's the nasty clause "knowing or
having reason to know that the design of such device renders it primarily
useful for the purpose of the surreptitious interception of wire, oral, or
electronic communications;" - and you'd fail on the "primarily" because there's
lots of *other* uses for Metasploit.

He *is* probably in violation of 36 USC 117, 7 USC 411b, and 26 USC 7523(a)(1),
however.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists