Date: Fri, 13 Dec 2013 13:51:15 -0500
From: Gary Baribault <gary@...ibault.net>
To: Jordon Bedwell <envygeeks@...il.com>
Cc: Full Disclosure List <full-disclosure@...ts.grok.org.uk>
Subject: Re: Where are you guys standing re: the (full) disclosure

Hey Jordon,

    The thing is that the 'hackers' who find these bugs are not a
uniform group who all studied some course in university. Some have a lot
of experience and therefore credibility and some are less experienced
and don't know exactly what to do or when to do it. Our OP is one of
those and he was smart enough to put that question on the list. Most big
companies know that and also know what you stated. They have teams that
work bugs and work the communications with whoever found the bug. They
try to keep the person up to date on what is going on, when a fix could
be expected and let them know that they appreciate the help and
patience. As I said, many people have the experience to know when the
bug is taken seriously and that the company is really working the issue.
Unfortunately there are some hackers who don't have the experience or
patience and they just disclose, and also there is Murphy's law: some
companies drop the ball, don't communicate with the hacker or just don't
care. I won't name the maker of home/small Internet routers, but they
often just ignore bug reports and don't seem to care. There are many
others like that and in that case I agree with George, to heck with
them, warn them of the date you will publish and then go ahead and do it.

    I didn't say that ethical hackers just release. I don't have an
official definition of 'ethical'. My definition and George's are not the
same. Probably yours and George's aren't either. I think an 'ethical' (my
definition) hacker will bend over backwards to wait for a fix before he
publishes. In this case the OP said he found the bug because someone
used it to attack one of his customers. Obviously someone out there with
a darker hat than mine is aware of this bug. Should it be considered in
the wild? I don't think that we have enough information to make that
judgment. Obviously if it is considered widely known in the Black Hat
arena, that will affect the case, both for Microsoft and for the OP.
Sounds like it's something that would be rather hard to defend against.

Gary B


On 12/13/2013 01:29 PM, Jordon Bedwell wrote:
> On Fri, Dec 13, 2013 at 12:15 PM, Gary Baribault <gary@...ibault.net> wrote:
>> Of course, all software companies would love for the disclosure to wait
>> for the fix to be released, and often, if the delay is considered
>> reasonable by the hacker in question who found the bug, then that's what
>> happens. I think it's only in the case where the company considers the
>> bug to be minor or non-existent, and they are asking for a ridiculous
>> delay that many hackers will say, 'tough luck I'm disclosing on xx' and
>> he takes his chances that most of us agree with his decision. As Mikhail
>> said, if the hacker came across the bug without any illegal means then
>> he should be fine after the release (but IANAL).
> It's this so called "hacker" that defines this so called "time limit"
> which makes it both a moral and an ethical decision of your own
> making. If you don't see that the release schedule is fit.  The fact
> of the matter is that in large companies sometimes it takes time to
> release updates and if you haul off and release a major security bug
> because you don't feel that the time line fits in with your guidelines
> that is your ethics decision.
>
> Most people do not disclose because of time lines, they disclose
> because of lack of updates and information on what is going on,
> companies are told (for example) "please respond within 90 days to let
> me know if you have fixed it and when release will happen so we can
> coordinate or I will disclose it."  More often than not when dealing
> with people I find that as long as you keep them informed of what's
> going on and when it's going to happen and that they will get credit
> for helping then they are more than happy to work with you.
>
> I don't know where you got this magical idea that ethical security
> researchers just haul off and release a security bug if they think
> Microsoft or Apple took a week too long to release the update.
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
