From: aliver at xexil.com (aliver@...il.com)
Subject: Shiver me timbers.

On Mon, 19 Aug 2002, Timothy J.Miller wrote:
> On the other hand, if your new car spontaneously bursts into flame while
> idling at a stop light, don't you have an obligation to tell the
> manufacturer *and* as many people with the same model as possible?

	Perhaps. However, the analogy may not be apt. First of all, a car
that bursts into flames while idling at a stop light could very likely cause you
to lose your life. I'm not saying that a software vulnerability might not
indirectly cause an injury or death. However, it's not nearly as likely to
as an exploding gas tank. Also, an exploding gas tank is a spontaneous
event which isn't triggered by a premeditated act by another individual
(as exploiting a bug is). The only direct parallel is that the car
manufacturer (i.e., vendor) might have been negligent when engineering and
constructing the tank.
	Secondly, in your analogy the person who points out that the gas
tank tends to explode is a person who found that out from a coincidental
experience, and without any effort or foreknowledge of his own. Ask
yourself if this parallels our situation. Vulnerabilities are not
something that often manifest themselves to people with no technical
knowledge who aren't looking for them. A person with experience and
specific ability is almost always the one to find them. That person, or
someone like him, must use that knowledge to create an exploit, and that's
not something that just anyone can do. It takes both skill and effort.
	I think your analogy would be better if it were adjusted. For
example, maybe something like this would be better. Does a mechanic
(hacker) who finds that a gas tank can be easily rigged to explode have an
obligation to report this finding to a corrupt car company (vendors)?
Should he give an insurance company (whitehats or ARIS) the results of a
painstaking analysis of the tank, and how to rig it to explode? Is he
obligated to give all his research on any related finds away no matter how
much of his time or energy it took? Would it be right if he rigged a
serial killer's tank to explode?

aliver
