lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <F2252FjeBktMXqqQbSw00010e7a@hotmail.com>
From: poohpooh000 at hotmail.com (pooh pooh)
Subject: Re: Valid disclosure analogy

>You are client of 'bank A'. You find out about a way to break in
>'bank A' in a quite complicated and tricky manner, but yet possible.

bank 'A' has one 'copy' whereas a given piece of software has N. the
fact that you can attack/expoit it doesn't automatically give you
the ability to exploit all N copies whereas it does give you the
ability to compromise all accounts in bank 'A'. the fallacy of analogies
at its best. who did you say was the moron again? mind you, Guninski's
wasn't perfect either but at least he doesn't suffer from the attitude
problem you have.

>a) Dont do anything: all banks are vulnerable at some point. It's all
>   a matter of risk, and keeping it secret is the best way to keep
>   the risk at its lowest. Furthermore, the vulnerability does not
>   compromise the quality of the service itself;

you must be a 'blackhat', 'cos this one actually looks applicable to
both software and banks. congratulations for spreading the philosophy
of non-disclosure!

>b) Your money is at risk: remove it from 'bank A', put it in 'bank B';

what if there is no bank 'B'? am i supposed to create one? preferably in no 
time?

what if bank 'B' does not provide (some of) the services of bank 'A'
which are vital to my own business? am i supposed to create them
myself? will bank 'B' provide me with enough details of her own internal
systems so that i can do it in a reasonable timeframe? will they accept
my changes to their own system?

what if i can't afford switching banks right now? am i supposed to fix
bank 'A'? will they give me enough information to do it? will they
accept my changes?

what if it's not up to me to decide and i can't convince those who can
but don't want to? am i supposed to quit my job? am i supposed to make
the switch to bank 'B' 'behind the scenes' and hope noone will notice
or at least blame me later?

and finally, you still sure your analogy holds between the world of
banks and software? are you living on the moon or something? at least
you've never worked for a real bank if you think you could pull off the
above.

>c) Break in 'bank A' and steal other people's money, get plane ticket
>   for bermudas;

the worst part of your analogy as pointed out at the beginning.

>d) The evil 'bank A' put people at risk. Regardless of fact that you
>   are not the owner of the bank, nor that you represent the interest
>   of each and every of its clients, take the initiative to inform the
>   world of the vulnerability details, how to exploit it, and if
>   possible, make a point-and-click robot that breaks into the bank
>   and steal money for you, and give a free copy to everyone who wants
>   one;

wow, the second best shot, this time against full disclosure!

and while you failed to point out where 'responsible' disclosure would
fit in here, i'll guess that it would be the one that would minimize
the embarassment for the bank and keep the public in dark as long as
possible.

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ