Message-ID: <200208021638.g72GceW49811@mailserver4.hushmail.com>
From: choose.a.username at hushmail.com (choose.a.username@...hmail.com)
Subject: it's all about timing
How about some people are not looking for them, they are so glaringly
obvious that they literally leap out at you. How about some people
have no time or interest to make a job of submitting it and monitoring
what the vendor does with it. How about that! Some people find them
and simply submit them. Then be done with it.
It is interesting that the people screaming loudest for some sort of
order in the submission of bugs are in fact not bug hunters at all. Rather
a vocal group of academics who intend to have their name on a draft or ratified
document they came up with. Sure, some may have posted a few findings, but none
are consistently doing so, and the bug hunters sure don't sound like they need
someone else telling them what to do. You don't hear them crying out for order.
Wonder why that is.
There is always a group that will want to try and harness free energy.
On Fri, 02 Aug 2002 15:44:19 +0100, full-disclosure@...ts.netsys.com wrote:
>I propose an exercise:
>
>Why do people look for vulnerabilities?
>Why do people publish vulnerabilities?
>
>If you take the broken window example Evrim Ulu has proposed, it is
>clear that most of us do not walk around the streets carefully examining
>windows to see if they are broken. Sometimes we spot a broken window,
>but we don't actively look for them. Unless, of course, we are the shop
>owner. Or a burglar.
>
>People look for vulnerabilities for the following reasons:
>
>- They want to stress the code they are running on their systems to make
>sure it is safe (shop owner)
>- They are looking for possible ways to abuse a system they do not own
>(would-be burglar)
>- They feel that they have a moral "duty" to use their skills and time
>for other's good (concerned citizen)
>- They have nothing else to do and think this is fun (vulnerability
>hobbyist)
>- They look for vulnerabilities because they are responsible for the
>vulnerable product (vendors)
>- They look for vulns with the express intention of publishing them and
>make themselves noticed (karma whores)
>
>On the other hand, people publish vulnerability information for the
>following reasons:
>
>- They publish vuln info to make themselves noticed (karma whores)
>- They publish vuln info because they have customers that pay (or
>otherwise produce revenue) for that service (watch dog)
>- They publish vuln info because they are responsible for the vulnerable
>code (vendors)
>- They feel that they have a moral "duty" to publish this information
>once they have it, since it may be a global risk (concerned citizen)
>- They have nothing else to do and think this is fun (why nots)
>
>Professional security staff and vulnerability seekers are a special case
>of the karma-whore/watch-dog combination. You find vulnerabilities in
>order to have them published and have your name mentioned, because that
>is the basis for your revenue model. In turn, you have paying customers
>that profit by either having early access to the vuln info or premium
>access to patches and/or related security services.
>
>The whole DMCA vs. Full Disclosure issue must take into account the
>deeper reasons I have mentioned. Why do people search for vulns, and why
>do they publish them?
>
>Shop-owners:
>Shop-owners that look for vulns on the products they use already have
>the "right" attitude about this issue. They either contact vendors or
>create their own patches and submit them to the vendors. Shop-owners are
>not interested in early disclosure, since it might further expose their
>systems. Enforcing any kind of n-day disclosure or no-disclosure law
>would have no impact on their behavior. Except, of course, in the event
>that the vendor does not fix their product and the shop-owner has to
>create a patch to protect himself, and only then will he be willing to
>publicly disclose the vuln.
>
>Would-be Burglars:
>Burglars don't disclose vulnerabilities, just like in the real world
>they don't go around telling other burglars about this nice broken
>window they found. Burglars actively exploit vulns and will continue to
>do so, regardless of any law on the subject.
>
>Vulnerability Hobbyists:
>Hobbyists look for vulns because it's a challenge, and they would
>probably continue to do so. But any challenge must have a reward, and
>peer-recognition is part of that reward. If disclosure is banned, part
>of the reward is gone and hobbyists will be less inclined to seek vulns,
>directing their efforts to other things. Hobbyists thrive in recognition
>from the established security industry, so they are likely to be
>responsible in their disclosure procedure. Having an n-day policy would
>not change the way they act. Having a no-disclosure policy would
>probably lead them to disclose vulns in private forums, where it might
>easily leak to would-be burglars before it reaches the white-hat
>community and the affected system owners.
>
>Concerned Citizens:
>Concerned Citizens (aka the white hat community) would be severely
>affected by any restrictions of full disclosure. Most citizens already
>report vulns primarily to the vendor, in the hope that the vendor will
>solve the issue. If the vendor fails to comply, they look for a forum
>where to advise their peers about the problem, the failure to comply,
>and a possible fix. If such forums are outlawed, the citizens will still
>feel the moral need to search for flaws and to warn others. Remember
>that it is the concerned citizen attitude that is in the origin of every
>neighbourhood watch and popular militia group in the world. If the means
>to perform this "duty" in a responsible manner are banned, the citizens
>will be pressured into finding other ways of spreading this information.
>What is not volunteer work, white hat work, done for the global
>community, may turn into commercial activities, if the citizen is so
>pressured in his need to be "responsible" that he finds it in himself to
>affiliate with a professional security company. It may turn into an
>underground activity, if the citizen is forced to create an
>"underground", "illegal" list in order to publish what he has found. Or
>it may turn into an activity known to few, inside a members-only mailing
>list for a small group of like-minded people that the citizens
>personally know. Either way, any disclosure control law other than what
>is now current practice (vendor first, CERT if you want to, back off 30
>days, then all hell breaks loose) will limit the activity of concerned
>citizens and diminish global security.
>
>Karma Whores:
>The karma whores are in it for the glitz. They look for vulns in order
>to publish them, and publish them in order to get peer recognition.
>Vulns are like hunting trophies. They will eventually report to the
>vendor, if and only if the vendor will acknowledge what they report and
>give them appropriate credit when it finally discloses the vuln, along
>with the patch. If it is not like this, they will disclose the
>information independently. The damage done by karma whores can only be
>mitigated with better vendor responsiveness. And that is something that
>no law can achieve. If any law requires vendors to be notified ahead of
>time, the karma whores will still publish the vuln if the vendor does
>not respond in appropriate time. And the next time a vuln comes along in
>another product by the same vendor, karma whores are likely to disclose
>on day 0, "just to show them".
>Having a law will not change this. This is human nature at work. Today,
>karma whores disclose on the public lists, and everyone benefits from
>that. If <n-day is banned, or if disclosure is banned, the karma whores
>will move into the black hat lists, into private forums, into the irc
>networks. The effort required by the white hat community in order to
>track all disclosed vulnerabilities will be greatly increased.
>
>Vendors:
>Many vendors only disclose if they have to, if they are forced to
>disclosure by full or partial disclosure by third parties. Increasing
>the non-disclosure timeout period only gives vendors more time to react.
>But the time already given is more than enough. Any vulnerability that
>cannot be fixed in 30 days is not likely to be fixed in 45 or in 60
>days. And if the vendor contacts the vuln finder and asks for more time
>before disclosure, most finders will gladly comply.
>The problem is that many vendors don't respond when they are contacted.
>And no law is going to fix that. The vendors that only respond after the
>vuln is public, and after an exploit is in the wild, their customers are
>not going to benefit from a delayed non-disclosure period.
>Furthermore, the longer one waits after reporting to a vendor and before
>full disclosure, the more chances that a separate, independent
>researcher will find the same vuln and disclose it into a black hat
>forum, making all customers vulnerable. Vendors will not benefit from a
>further delayed disclosure law. And customers will be hurt.
>
>Defense is very different from offense.
>Defense must cover all the fronts, offense needs to concern itself with only one.
>Black hats will continue to thrive if the public, general forums are
>outlawed. No blackhat ever needs all the information about all the
>products. He just needs one flaw in one product that he can exploit in
>order to get into wherever he wants. If disclosure is harmed, they won't
>suffer. The private forums and mailing lists and irc and icq and instant
>messenger black-hat clubs will continue to exist and information will
>continue to flow there. If anything, the law will help them, by moving
>what would otherwise be responsible disclosure by citizens and hobbyists
>into the blackhat zones.
>White hats, on the other hand, will be forced to roam the blackhat zones
>looking for information. They will need to pay much more attention to
>their IDS systems. They will need much more people in their departments
>to help with auditing and identifying potential attack attempts. If they
>do not know about the vulnerabilities, they cannot protect themselves.
>
>I do not wish to propose full 0-day disclosure as a rule. 30-days is
>appropriate. Even if it was 20 days, it would still be appropriate. But
>any effort to delay the timeout period, or to limit the amount of
>information that can be disclosed, is bad for the industry, bad for the
>users, bad for the system administrators.
>And, in fact, good for the burglars.
>
>Julião Duartenn
>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Full-Disclosure@...ts.netsys.com
>http://lists.netsys.com/mailman/listinfo/full-disclosure
>