From: sockz at email.com (sockz loves you)
Subject: Shiver me timbers.

blackhats as serial car bombers?  hmm... perhaps....
but then again, it's not really a faulty car, is it?  no, I
just don't see how this analogy relates to computer security
at all.  I've only ever seen one computer physically explode,
yes in real life, and no, it wasn't from a flaw in the
software or from evil blackhat meddling.


----- Original Message -----
From: aliver@...il.com
Date: Mon, 19 Aug 2002 06:30:03 -0700 
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Shiver me timbers.


> On Mon, 19 Aug 2002, Timothy J.Miller wrote:
> > On the other hand, if your new car spontaneously bursts into flame while
> > idling at a stop light, don't you have an obligation to tell the
> > manufacturer *and* as many people with the same model as possible?
> 
> 	Perhaps. However, the analogy may not be apt. First of all a car
> that burst into flames idling at a stop light could very likely cause you
> to lose your life. I'm not saying that a software vulnerability might not
> indirectly cause an injury or death. However, it's not nearly as likely to
> as an exploding gas tank. Also, an exploding gas tank is a spontaneous
> event which isn't triggered by a premeditated act by another individual
> (as exploiting a bug is). The only direct parallel is that the car
> manufacturer (i.e., vendor) might have been negligent when engineering and
> constructing the tank.
> 	Secondly, in your analogy the person who points out that the gas
> tank tends to explode is a person who found that out from a coincidental
> experience, and without any effort or foreknowledge of his own. Ask
> yourself if this parallels our situation. Vulnerabilities are not
> something that often manifest themselves to people with no technical
> knowledge who aren't looking for them. A person with experience and
> specific ability is almost always the one to find them. That person, or
> someone like him must use that knowledge to create an exploit, and that's
> not something that just anyone can do. It takes both skill and effort.
> 	I think your analogy would be better if it was adjusted. For
> example maybe something like this would be better. Does a mechanic
> (hacker) who finds that a gas tank can be easily rigged to explode have an
> obligation to report this finding to a corrupt car company (vendors)?
> Should he give an insurance company (whitehats or ARIS) the results of a
> painstaking analysis of the tank, and how to rig it to explode? Is he
> obligated to give all his research on any related finds away no matter how
> much of his time or energy it took? Would it be right if he rigged a
> serial killer's tank to explode?
> 
> aliver
> 
