Message-ID: <ILEPILDHBOLAHHEIMALBIENBEKAA.jasonc@science.org>
From: jasonc at science.org (Jason Coombs)
Subject: Sapphire worm POC that fulldisclosure policies hurt everyone
Wait, it just occurred to me that you're missing a critical technical point
in your knowledge of this debate. It's worth a couple paragraphs to help you
understand.
When a vendor releases compiled code (or source code, and which one is
easier to analyze is at times debatable) everyone has a baseline starting
point from which to conduct vulnerability analysis. This baseline is usually
pretty large, but with a debugger and some knowledge it is very easy to find
the most important parts of the software that control key input parsing and
decision-making. This is because a debugger, combined with the ability to
understand assembly language and knowledge of the structure of a process
(stack, heap, values and purpose of CPU registers, etc.) gives infosec
analysts everything they need to fully comprehend what the program is
capable of doing and where it fails to properly manifest security
precautions. This analysis takes time. Analyzing the whole baseline takes a
lot of time.
When a vendor releases a security patch or a service pack that includes some
security bug fixes and some non-security bug fixes, it is very easy to
compare the original baseline code with the updated code and pick out just
those bytes that have changed -- it is here that the analyst now focuses
their attention. This analysis takes far less time.
Publishing security fixes without full disclosure of what's being fixed is
absurd because it results in a few security analysts (some wearing white
hats and some wearing black hats) having full knowledge of the vulnerability
anyway. And then tools get built that exploit the vulnerability and the
reverse engineering security analysis process results in full disclosure to
the very small number of people who actually care and who can tolerate
reading white papers written by black hats.
According to your logic, vendors should never release security patches
because doing so reveals the points of vulnerability in unpatched software.
You've got a very good point, and I like it.
No security patches = no full disclosure = everyone is safer.
Should we publish full disclosure concurrent with the release of patches or
should we publish full disclosure in advance of patches? This is the only
point that is debatable, and there is no right answer -- it's a rhetorical
question asked and answered merely to help people who have the power to
publish full disclosure to decide which approach they prefer and follow it.
Sincerely,
Jason Coombs
jasonc@...ence.org
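The technique the message describes above (comparing the original baseline with the updated code and picking out just those bytes that changed) is, at its simplest, a byte-level diff that reports contiguous changed regions. The following is an added example, not code from the original thread or from any vendor; it operates on two constructed byte strings standing in for a "baseline" and "patched" binary, and the `gap` parameter (my own addition) merges runs of differing bytes that are separated by only a few identical bytes, which is how a reviewer keeps one logical change from showing up as many tiny ranges.

```python
"""Report the byte ranges that differ between a baseline binary and its patched
version, so a reviewer knows where to focus.  Added example with constructed
inputs; it is not code from the original message."""
from typing import List, Optional, Tuple


def changed_ranges(baseline: bytes, patched: bytes, gap: int = 0) -> List[Tuple[int, int]]:
    """Return half-open offset ranges [(start, end), ...] where the inputs differ.

    Differing bytes separated by at most `gap` identical bytes are merged into
    one range.  If the inputs have different lengths, the tail of the longer
    one is reported as a final range.
    """
    n = min(len(baseline), len(patched))
    ranges: List[Tuple[int, int]] = []
    start: Optional[int] = None   # start of the range currently being built
    last_diff = -1                # offset of the most recent differing byte
    for i in range(n):
        if baseline[i] == patched[i]:
            continue
        if start is None:
            start = i
        elif i - last_diff - 1 > gap:
            # Too many identical bytes since the last difference: close the
            # current range and open a new one here.
            ranges.append((start, last_diff + 1))
            start = i
        last_diff = i
    if start is not None:
        ranges.append((start, last_diff + 1))
    if len(baseline) != len(patched):
        ranges.append((n, max(len(baseline), len(patched))))
    return ranges


def describe(baseline: bytes, patched: bytes, gap: int = 0) -> List[Tuple[int, str, str]]:
    """For each changed range, return (offset, before_hex, after_hex) so the
    reviewer can see exactly what bytes the patch replaced."""
    return [
        (s, baseline[s:e].hex(), patched[s:e].hex())
        for s, e in changed_ranges(baseline, patched, gap)
    ]


def summarize(baseline: bytes, patched: bytes, gap: int = 0) -> dict:
    """Headline numbers: how much of the file a reviewer actually has to look at."""
    ranges = changed_ranges(baseline, patched, gap)
    total = max(len(baseline), len(patched))
    changed = sum(e - s for s, e in ranges)
    return {
        "total_bytes": total,
        "changed_bytes": changed,
        "ranges": ranges,
        "fraction_changed": changed / total if total else 0.0,
    }


# Constructed sample data (not real binaries): a 1024-byte "baseline" and a
# "patched" copy with a 4-byte change at offset 100 and a 1-byte change at 600.
BASELINE = bytes(range(256)) * 4
_p = bytearray(BASELINE)
_p[100:104] = b"\xff\xff\xff\xff"
_p[600] = 0x00
PATCHED = bytes(_p)

if __name__ == "__main__":
    info = summarize(BASELINE, PATCHED)
    print(f"{info['changed_bytes']} of {info['total_bytes']} bytes changed "
          f"({info['fraction_changed']:.2%}) in {len(info['ranges'])} range(s)")
    for offset, before, after in describe(BASELINE, PATCHED):
        print(f"  offset {offset:#06x}: {before} -> {after}")
```

The point the message makes is visible in the numbers: of 1024 bytes only five differ, and they fall in two ranges, so the analysis effort collapses from "the whole baseline" to a handful of offsets. Real binaries add complications this example ignores (relocations, shifted code after an insertion, recompilation noise), which is why practical patch diffing works on disassembled functions rather than raw bytes, but the principle is the same.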
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of
methylketone@...hmail.com
Sent: Saturday, January 25, 2003 1:10 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Sapphire worm POC that fulldisclosure
policies hurt everyone
-----BEGIN PGP SIGNED MESSAGE-----
THE FULLDISCLOSURE PHILOSOPHY:
Vulnerability gets released on mailing lists
Admins patch machines <- IMPORTANT PART!
Internet is secure!
I hear a lot of arguments put out by the naive in favor of fulldisclosure of
vulnerability information. But the fact is, fulldisclosure policies hurt
everyone, and this time, they have wreaked havoc across the entire internet.
The ms-sql vulnerability has been known to the public for six months. If the
fulldisclosure philosophy were correct, the vulnerability would have been
patched by the vast majority of admins out there. However, that isn't what
happened. Thousands of machines were compromised and it led to a massive
internet-wide loss of service.
There are a lot of attacks against the competency of administrators who
failed to put their databases behind their firewall, and also failed to
patch their machines, but fulldisclosure operates on the assumption that all
administrators are going to find out about the bug and patch their machines.
The fulldisclosure philosophy is flawed.
The vast majority of those reading this message probably won the
scriptkid/admin race of patching vs being compromised. But today, that
didn't stop the destructive power of this worm. Today's denial of service
was mostly caused by smaller enterprises with less competent administrators.
The message is "pay up to the security consultants or your machines get
owned". I would be more okay with this if it were just the machine's owners
that got affected, but it's the entire internet. Get a clue, your actions
have consequences.
If the ms-sql bug had never been disclosed, and was slipped quietly to
Microsoft, this never would have happened, and the same responsible
administrators would have upgraded their software. The odds are, those same
responsible administrators have had their database servers behind a firewall
anyways, so this is all irrelevant. This catastrophe was caused solely by
the disclosure of vulnerability information.
I urge you to be more responsible with your actions in the future. The
stability of the entire internet is at stake.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wmEEARECACEFAj4zGT0aHG1ldGh5bGtldG9uZUBodXNobWFpbC5jb20ACgkQsX0pyCcw
k+BI0ACgh/KwGDbK2C2EH7rszBKQ+yHKOp4AoLPlppnkMg1Tw2pB7dqq46pWGQox
=ym30
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html