Date: Sat, 14 Jan 2012 15:29:37 -0500
From: Benjamin Kreuter <ben.kreuter@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Rate Stratfor's Incident Response

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Sat, 14 Jan 2012 13:11:37 -0600
Paul Schmehl <pschmehl_lists@...rr.com> wrote:

> --On January 14, 2012 8:33:13 AM -0700 Sanguinarious Rose
> <SanguineRose@...ultusTerra.com> wrote:
>
> > I've been watching this chat for a while and I have to say a lot of
> > views here do not impress me and in fact why I will never report a
> > vulnerability if I found one. Why would I want to even risk getting
> > arrested and/or FBI trouble from observing a security flaw? My
> > policy on finding them is to quietly just move along. I'm sure I
> > am not the only one that does this or come to such a conclusion of
> > is it even worth the trouble.
> >
>
> The reaction of a security professional like me to this is, why
> aren't you looking for security flaws on your own site?

You / your organization's developers wrote your system, perhaps
building on some other systems. That gives me the intellectual
challenge of trying to find the flaws in *your* design. It is just a
different sort of game from finding flaws in my own designs.

> Why are you
> looking for security flaws on other people's sites? If you want to
> do security research, set up a site virtually and bang away at it to
> your heart's content. Then report your findings.

Meanwhile, your systems continue to be vulnerable, and the bad guys who
want to exploit those vulnerabilities for criminal purposes will
continue to do so. Unless your system is just a bunch of off-the-shelf
components that you assembled, there are going to be parts of your
system that you wrote yourself, and that in all likelihood will be
vulnerable to some sort of attack.

It helps if someone who is not familiar with your development process
and who is not operating under the same assumptions that you are
operating under tries to attack that system. Most places do not already
have in-house pen testers for these things, so the only way they will
get any useful information on the security of their systems is if
someone tries to attack them.

> > I like how the assumptions are always this person is horrible and
> > bad for having found a security flaw, he must not be trusted and
> > treated like a criminal.
>
> You missed the point. It isn't that I think that you're a criminal.
> It's that, as a security professional, I cannot take the chance that
> you are not.

It is more that if one person found the vulnerability, then any number
of other people might have found and exploited it. What makes you think
that the first person to identify a problem is the only person to have
spotted it? Again, I would be more worried about the people who might
have found the vulnerability and not reported it than the person who
found the vulnerability and did report it.

> So why do you think it's acceptable for you to do some minimal work
> to force others to do lots of extra work?

Or perhaps save a lot of work, by identifying a vulnerability before it
is exploited by someone who creates a big mess.

> Nobody's talking about punishing people for finding security flaws,

That is pretty much how I read a lot of the comments in this
discussion. People are basically saying that the only way someone could
report a problem without facing prosecution is if they stop at the
hypothetical part -- "You seem to be running an old version of Apache
that could be attacked using this buffer overflow." It is hard to
convince anyone that a hypothetical problem needs to be fixed, and it
is easy to dismiss someone who provides no evidence.

Just take a look at the argument between Red Hat's SELinux team and the
Mozilla developers on the topic of writable/executable memory if you
think hypothetical attacks are enough to convince people about security
problems.

> but you're punishing the security professionals

By telling them that there is an exploitable vulnerability in their
system? Their job is to fix those problems; how is reporting problems
to them in any way a punishment?

> If I find a vulnerability in
> our assets, I can simply fix or remediate the problem. If you find
> it, I have to treat it as a breach, or I'm not doing my job.

So if you found a vulnerability, you would not immediately audit the
vulnerable system? You have no concerns about all those hackers out
there who might not have bothered to report the problem to you?

> It's 2012. I seriously doubt most sites ignore vulnerabilities any
> more.

Really, you doubt that? You can still access security cameras in
arbitrary places by entering the right keywords into Google. A lot of
people run unpatched Wordpress blogs. There are still SQL injection
attacks out there, XSS attacks, and CSRF attacks. People are still not
salting password hashes, and in some cases they are storing passwords
in the clear. Many websites are still not using TLS for things like
logins. These are basic, common, well-known vulnerabilities that people
are ignoring, and these only cover problems related to websites; plenty
more problems exist with other systems. We have a long way to go before
we can say that vulnerabilities are not being ignored.

> We HAVE learned a few things over the years. We are constantly
> auditing for flaws, assessing for flaws and insisting that flaws are
> corrected.

*You* and your organization might be doing that. All you need to do is
read the details about attacks that make the news to see that plenty of
high profile companies are not doing that.

> We don't need your help to do our jobs. I can assure you
> that we are not sitting around waiting for someone like you to help
> us.

Good for your organization, but what about all those others who are not
auditing, who do not take security seriously, and who are not going to
listen to people who come to them with hypothetical attacks?

- --
Ben

- --
Benjamin R Kreuter
UVA Computer Science
brk7bx@...ginia.edu

- --
"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBCgAGBQJPEeWxAAoJEOV0+MnZK9ij/H4P/jFFymQcDhiAwjZga1as0MzI
dP2nZoQ3i6YKhObSDRh6NUinLZ/DaVx6wTetV+HM4CUSOvswhFMXhLpedR8ARt6s
PPV6s2RtrqsJohS9g5gftjYPqq01/4k9nbIgDr0qBO8/Jw/JWlYhvDPcqRGIfMhA
hiCvBod1sVK9bJY8LKVGl8B++nKxHuo0nLBlTWlIYw6ronyhn15kuwlk6eoD0ATI
mQFRalFHo8gEUOYbjQOQi0Bul/rrgZNa9psc5oJ0LN/90clAEOqFbdfnyiGEcxLg
bUGBky2nrii6TK/Biq7hjuy5ViXjE7NNnDzW8duu/U99sQ+MYb4fyeNkKeXYD4A+
gCDDdvXDBXo/fsJVHNfp6okfg7bE8hSJl7KIqqgMwwbm1w9caQA8iQYsqOROt7h+
9DMnFXotrBk5j6lj9BrgJGDIGdAz2cToB/OOMY/IoQT99VK117iIWHm05TO4MffG
5JsMPjqMdXpbdQHZT7iFZ4ijqrrDGfVh6/iXbq9YSHdJ/jb723Dauw0/i6QnTe1J
P9lehxONlNYhUeOzKwFovk0BNmPSWhf65cyi5+WCS4/ZqQsSu/BthuD9HqnLQG9N
RlXFagUrJ59ZVBL1aqesYXRQQFHQHZVXMXDq5OgLdbcUnpo7EM+rXAR+fFpqOAbw
YU/DaNgo3SIgTTOhkjad
=1phK
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/