Message-ID: <20020819141607.5428.qmail@email.com>
From: sockz at email.com (sockz loves you)
Subject: Shiver me timbers.

blackhats as serial car bombers? hmm... perhaps.... but then again it's not really a faulty car, is it. No, I just don't see how this analogy relates to computer security at all. I've only ever seen one computer physically explode, yes in real life, and no, it wasn't from a flaw in the software or from evil blackhat meddling.

----- Original Message -----
From: aliver@...il.com
Date: Mon, 19 Aug 2002 06:30:03 -0700
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Shiver me timbers.

> On Mon, 19 Aug 2002, Timothy J. Miller wrote:
> > On the other hand, if your new car spontaneously bursts into flame while
> > idling at a stop light, don't you have an obligation to tell the
> > manufacturer *and* as many people with the same model as possible?
>
> Perhaps. However, the analogy may not be apt. First of all, a car
> that burst into flames idling at a stop light could very likely cause you
> to lose your life. I'm not saying that a software vulnerability might not
> indirectly cause an injury or death. However, it's not nearly as likely to
> as an exploding gas tank. Also, an exploding gas tank is a spontaneous
> event which isn't triggered by a premeditated act by another individual
> (as exploiting a bug is). The only direct parallel is that the car
> manufacturer (i.e. vendor) might have been negligent when engineering and
> constructing the tank.
>
> Secondly, in your analogy the person who points out that the gas
> tank tends to explode is a person who found that out from a coincidental
> experience, and without any effort or foreknowledge of his own. Ask
> yourself if this parallels our situation. Vulnerabilities are not
> something that often manifest themselves to people with no technical
> knowledge who aren't looking for them. A person with experience and
> specific ability is almost always the one to find them. That person, or
> someone like him, must use that knowledge to create an exploit, and that's
> not something that just anyone can do. It takes both skill and effort.
>
> I think your analogy would be better if it was adjusted. For
> example, maybe something like this would be better. Does a mechanic
> (hacker) who finds that a gas tank can be easily rigged to explode have an
> obligation to report this finding to a corrupt car company (vendors)?
> Should he give an insurance company (whitehats or ARIS) the results of a
> painstaking analysis of the tank, and how to rig it to explode? Is he
> obligated to give all his research on any related finds away no matter how
> much of his time or energy it took? Would it be right if he rigged a
> serial killer's tank to explode?
>
> aliver
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html