lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <F123qMk7LiHdlQgdYXS000229f3@hotmail.com>
From: poohpooh000 at hotmail.com (pooh pooh)
Subject: Re: Valid disclosure analogy

> What?! One copy exploitable but other not? How could they be copies
> then? You must be kidding me on this one!

yup. maybe as a hacker you should really pay attention to the details please! to quote my own words: "...it doesn't automatically give you the ability to exploit...". do you see the difference between 'exploitability' and 'having the ability to exploit'? no? ever heard of closed networks (having a piece of those N copies)? places you don't get your foot inside unless you work for them? of course, i must be kidding on this one!

> Blackhat?! Where did I talk of hacking here?

ah, not again these silly definition wars. hackers hack, period, as someone else put it already. if you write exploits and compromise systems, you hack (if you get busted, you'll go on CNN as a 'hacker'). and keeping secret a discovered vulnerability is exactly what blackhats (self-defined or not, i don't care) promote. if you don't understand it, read the earlier mails on this list.

> Then the fact that there is "no bank 'B'" available is the real
> problem, not the fact that bank 'A' is vulnerable.

says who (besides you)? what if bank 'A' happens to be your country's 'national bank'? by definition, there can be only one. and yes, it is a real problem when someone figures out that they're vulnerable. again, the banking world is the wrong analogy.

> 1) You do have time (thankfully) given the vulnerability(ies) have not
>    yet been disclosed. Obviously, this solution path would imply that
>    non-disclosure not only is voluntary, but also enforced (through
>    law, for example).

you must be kidding. do you know what it takes to create a bank? well, ok, i don't blame you, there are no banks on the moon, so why would you know better. here on earth, it takes a bit more than 'time'. especially when it's something like a 'national bank' or 'world bank'.

besides, why would i have the time? what would make me feel sure that no one else has discovered the same problem (or will, while i'm working on establishing my little pet bank; donations are being accepted btw, i'm a bit short on cash these days)?

> 2) Yes, starting your own service is the legitimate way of solving the
>    problem (not putting a gun to the most popular bank CEO's head so he
>    fixes the problems in his bank security).

great, now we're getting down to black&white solutions. so telling the bank without the gun episode is no longer an option (let alone legitimate)? and you seriously believe that there's a place for a new bank/service each time someone finds a problem in bank 'A'? something tells me that your suggestion is not scalable, at least here in the real world.

> This is most likely to be the case. Security comes at a cost. Welcome
> to the real world! Maybe you understand now why microsoft software
> is "full" of bugs.

i'm not sure that *you* understand why software has bugs and why MS is so 'full' of them. if it were a matter of paying that 'cost', MS would definitely have the money or whatever else it takes. the problem is that 'security' as a human concept appears 'chaotic' or of a 'fractal' nature when it is mapped onto the digital world. simply put, we don't have a way to *define* security. we can give examples of situations at most, and they all come with exceptions - something similar to when you try to cover the mandelbrot set with a finite number of circles or squares: there's just no perfect coverage, you either cover too much or miss something here and there (this holds true for many other concepts, not only security of course). this is not to say that MS cannot do better, but they (or anyone else) cannot do a perfect job, regardless of 'cost'.

> Once again, the only legitimate way you can intervene is by starting
> your own service or product line. You cannot force a vendor to do
> anything against his will (regarding quality of his product), even if
> you are his client. That's why it's called a *free* market.

bullshit. first, it's not a free market in many situations (MS has been declared a monopoly; maybe the news hasn't hit the moon yet). second, ever heard of organizations that oversee a given market (for compliance with various regulations, including safety/quality/whatnot)? you think they are not legitimate? also, even when it's a free market, the cost of entry is often prohibitive (how much is it in the US to establish a bank?).

> If the bank wants to. Again, free market. Vendor is free to define its
> offer, you are free to define your demands!

bullshit. a bank will *never* provide you with such info. don't trust me on this, go call yours and ask them.

>> will they accept my changes to their own system?
> Why would they? I dunno, ask them! ;)

exactly, they would probably never take an outsider's advice at face value. which is absolutely different from the software world, where you can even fix a bug and distribute it yourself. i'm afraid your banking analogy still stinks.

> Then switch later. This would be a good reason not to disclose now,
> given it would put you at risk between the moment of the disclosure
> and the moment the vendor (or bank) fixes its vulnerability.

right, we're back to non-disclosure. and since no bug hunter can ever know if there might be *other* clients/users in this situation, this would mean that no bug should ever be disclosed. which happens to be what 'blackhats' have also been saying all the time.

> Send them your resume, they might want to hire you for it. Otherwise,
> I don't see how you could (and should) fix their product.

i'm sorry to disappoint you, but this is not how banks work. especially not their security staff. which i'm not sure is true for the software world (how did ISS/NAI/etc hire their people?). also, the fact that one cannot/should not fix a bank's security problem is in stark contrast to what he can do in the software world; you've just proved your banking analogy incomplete again.

> Probably not, for good reasons ;)
> At least I hope for their own security they do not accept changes from
> external people...

me too, for that matter. which is not how the software world works, where you can often fix the problem at the source yourself. again, the banking world is the wrong analogy.

>> am i supposed to quit my job?
> Why? They pay you bad?

no, but i can no longer do it *and* be responsible (since i know that bank 'A' has a problem waiting to be exploited and i did not manage to save our assets in time). this part of your analogy could even apply to the software world, except no one takes such issues too seriously and would probably never quit as a result, whereas you most definitely would not want to be blamed for letting, say, $100 million go. in other words, in the banking/financial world you have responsibility, whereas in the software world you're rarely (if ever) fired (let alone prosecuted) for running a given piece of software (how many CIOs/CTOs got fired after Nimda last year?).

> If not your job, then no.

that's great advice, thanks. next time we have our money in the same bank and someone gets all of it by abusing a security problem, i'm sure you will thank me a thousand times that i kept silent all that time.

> If your job, then do it 'on the scene', and take promotion when
> bank 'B' is hacked.

you mean bank 'A'. and no, i cannot do it, as the proposition said that i'd failed to convince those who could have decided. i don't see what else one could do besides resigning.

> Well, I did answer, didn't I?
> And yes, I would have answered the same if we had been talking of a
> software vendor.

yes, you did answer, and pretty much every argument of yours has been shown to support the exact opposite, that is, that the banking world is the wrong analogy. if you still think it's not, prove it.

> Revisit analogy: autohack all openssh vX.X and mass-own the world
> thanks to duke and his ISS sponsor. Yes, the bug was (somehow)
> reproduced in all the copies, what a coincidence. ;)

not all the copies. i know of a dozen at least that have never been exploited. not too surprising as the machines have never been attached to public networks, but i'm sure many more copies on the internet have been left alone too. let me guess, next time you will revisit the definition of 'all' to fit your purposes.

> Disclosure is disclosure. It fits in my toilet, that's where it fits.

then what was the point of attacking Guninski's analogy? if i'm not mistaken, his point was that the whole 'responsible' disclosure belongs to what you called the toilet. if you disagree on the 'full' version, then you have yet to show a better analogy that proves your point (if you care to, that is).