Message-ID: <F123qMk7LiHdlQgdYXS000229f3@hotmail.com>
From: poohpooh000 at hotmail.com (pooh pooh)
Subject: Re: Valid disclosure analogy

>What?! One copy exploitable but other not? How could they be copies
>then? You must be kidding me on this one!

yup. maybe as a hacker you should really pay attention to the details
please! to quote my own words: "...it doesn't automatically give you
the ability to exploit...". do you see the difference between
'exploitability' and 'having the ability to exploit'? no? ever heard
of closed networks (having a piece of those N copies)? places you don't
get your foot inside unless you work for them? of course, i must be
kidding on this one!

>Blackhat?! Where did I talk of hacking here?

ah, not again these silly definition wars. hackers hack, period, as
someone else put it already. if you write exploits and compromise
systems, you hack (if you get busted, you'll go on CNN as a 'hacker').
and keeping secret a discovered vulnerability is exactly what blackhats
(self-defined or not, i don't care) promote. if you don't understand
it, read the earlier mails on this list.

>Then the fact that there is "no bank 'B'" available is the real
>problem, not the fact that bank 'A' is vulnerable.

says who (besides you)? what if bank 'A' happens to be your country's
'national bank'? by definition, there can be only one. and yes, it is
a real problem when someone figures out that they're vulnerable.

again, the banking world is the wrong analogy.

>1) You do have time (thankfully) given the vulnerability(ies) have not
>   yet been disclosed. Obviously, this solution path would imply that
>   non-disclosure not only is voluntary, but also enforced (through
>   law, for example).

you must be kidding. do you know what it takes to create a bank? well,
ok, i don't blame you, there're no banks on the moon, so why would you
know better. here on earth, it takes a bit more than 'time'. especially
when it's something like a 'national bank' or 'world bank'.

besides, why would i have the time? what would make me feel sure
that no one else has discovered the same problem (or will, while i'm
working on establishing my little pet bank, donations are being accepted
btw, i'm a bit short on cash these days)?

>2) Yes, starting your own service is the legitimate way of solving the
>   problem (not putting a gun to the most popular bank CEO's head so he fixes
>   the problems in his bank's security).

great, now we're getting down to black&white solutions. so telling the
bank without the gun episode is no longer an option (let alone
legitimate)? and you seriously believe that there's a place for a new
bank/service each time someone finds a problem in bank 'A'? something
tells me that your suggestion is not scalable, at least here in the
real world.

>This is most likely to be the case. Security comes at a cost. Welcome
>to the real world! Maybe you understand now why microsoft software
>is "full" of bugs.

i'm not sure that *you* understand why software has bugs and why MS is
so 'full' of them. if it was a matter of paying that 'cost', MS would
definitely have the money or whatever else it takes. the problem is
that 'security' as a human concept appears as 'chaotic' or of 'fractal'
nature when it is mapped onto the digital world. simply put, we don't
have a way to *define* security. we can give examples of situations at
most and they all come with the exceptions - something similar to when
you try to cover the mandelbrot set with a finite number of circles or
squares, there's just no perfect coverage, you either cover too much or
miss something here and there (this holds true for many other concepts,
not only security of course). this is not to say that MS cannot do
better, but they (or anyone else) cannot do a perfect job, regardless
of 'cost'.

>Once again, the only legitimate way you can intervene is by starting
>your own service or product line. You cannot force a vendor to do
>anything against his will (regarding quality of his product), even if
>you are his client. That's why it's called a *free* market.

bullshit. first, it's not a free market in many situations (MS has been
declared a monopoly, maybe the news hasn't hit the moon yet). second,
ever heard of organizations that oversee a given market (for compliance
with various regulations, including safety/quality/whatnot)? you think
they are not legitimate? also, even when it's a free market, the cost
of entry is often prohibitive (how much is it in the US to establish
a bank?).

>If the bank wants to. Again, free market. Vendor is free to define its
>offer, you are free to define your demands!

bullshit. a bank will *never* provide you with such info. don't trust
me on this, go call yours and ask them.

>>will they accept my changes to their own system?
>Why would they? I dunno, ask them! ;)

exactly, they would probably never take an outsider's advice at face
value. which is absolutely different from the software world where you
can even fix a bug and distribute it yourself. i'm afraid your banking
analogy still stinks.

>Then switch later. This would be a good reason not to disclose now,
>given it would put you at risk between the moment of the disclosure,
>and the moment the vendor (or bank) fixes its vulnerability.

right, we're back to non-disclosure. and since no bug hunter can ever
know if there might be *other* clients/users in this situation, this
would mean that no bug should ever be disclosed. which happens to be
what 'blackhats' have also been saying all the time.

>Send them your resume, they might want to hire you for it. Otherwise,
>I don't see how you could (and should) fix their product.

i'm sorry to disappoint you, but this is not how banks work. especially
not their security staff. which i'm not sure is true for the software
world (how did ISS/NAI/etc hire their people?). also, the fact that one
cannot/should not fix a bank's security problem is in stark contrast to
what he can do in the software world; you've just proved your banking
analogy incomplete again.

>Probably not, for good reasons ;)
>At least I hope for their own security they do not accept changes from
>external people...

me too, for that matter. which is not how the software world works where
you can often fix the problem at the source yourself. again, the banking
world is the wrong analogy.

>>am i supposed to quit my job?
>Why? They pay you bad?

no, but i can no longer do it *and* be responsible (since i know that
bank 'A' has a problem waiting to be exploited and i did not manage to
save our assets in time). this part of your analogy could even apply to
the software world, except no one takes such issues too seriously and
would probably never quit as a result, whereas you most definitely would
not want to be blamed for letting say $100 million go. in other words,
in the banking/financial world you have responsibility, whereas in the
software world you're rarely (if ever) fired (let alone prosecuted) for
running a given piece of software (how many CIOs/CTOs got fired after
Nimda last year?).

>If not your job, then no.

that's great advice, thanks. next time we have our money in the same
bank and someone gets all of it by abusing a security problem, i'm sure
you will thank me a thousand times that i kept silent all that time.

>If your job, then do it 'on the scene', and take promotion when
>bank 'B' is hacked.

you mean bank 'A'. and no, i cannot do it, as the proposition said that
i'd failed to convince those who could have decided. i don't see what
else one could do besides resigning.

>Well, I did answer, haven't I?
>And yes, I would have answered the same if we had been talking of a 
>software vendor.

yes, you did answer and pretty much every argument of yours has been
shown to support the exact opposite, that is the banking world is the
wrong analogy. if you still think it's not, prove it.

>Revisit analogy: autohack all openssh vX.X and mass-own the world
>thanks to duke and his ISS sponsor. Yes, the bug was (somehow)
>reproduced in all the copies, what a coincidence. ;)

not all the copies. i know of a dozen at least that have never been
exploited. not too surprising as the machines have never been attached
to public networks, but i'm sure many more copies on the internet have
been left alone too. let me guess, next time you will revisit the
definition of 'all' to fit your purposes.

>Disclosure is disclosure. It fits in my toilet, that's where it fits.

then what was the point of attacking Guninski's analogy? if i'm not
mistaken his point was that the whole 'responsible' disclosure belongs
to what you called the toilet. if you disagree on the 'full' version,
then you have yet to show a better analogy that proves your point (if
you care to, that is).
