| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jasonc at science.org (Jason Coombs) Subject: Sapphire worm POC that fulldisclosure policies hurt everyone Wait, it just occurred to me that you're missing a critical technical point in your knowledge of this debate. It's worth a couple paragraphs to help you understand. When a vendor releases compiled code (or source code, and which one is easier to analyze is at times debatable) everyone has a baseline starting point from which to conduct vulnerability analysis. This baseline is usually pretty large, but with a debugger and some knowledge it is very easy to find the most important parts of the software that control key input parsing and decision-making. This is because a debugger, combined with the ability to understand assembly language and knowledge of the structure of a process (stack, heap, values and purpose of CPU registers, etc.) gives infosec analysts everything they need to fully comprehend what the program is capable of doing and where it fails to properly manifest security precautions. This analysis takes time. Analyzing the whole baseline takes a lot of time. When a vendor releases a security patch or a service pack that includes some security bug fixes and some non-security bug fixes, it is very easy to compare the original baseline code with the updated code and pick out just those bytes that have changed -- it is here that the analyst now focuses their attention. This analysis takes far less time. Publishing security fixes without full disclosure of what's being fixed is absurd because it results in a few security analysts (some wearing white hats and some wearing black hats) having full knowledge of the vulnerability anyway. And then tools get built that exploit the vulnerability and the reverse engineering security analysis process results in full disclosure to the very small number of people who actually care and who can tolerate reading white papers written by black hats. According to your logic, vendors should never release security patches because doing so reveals the points of vulnerability in unpatched software. You've got a very good point, and I like it. No security patches = no full disclosure = everyone is safer. Should we publish full disclosure concurrent with the release of patches or should we publish full disclosure in advance of patches? This is the only point that is debatable, and there is no right answer -- it's a rhetorical question asked and answered merely to help people who have the power to publish full disclosure to decide which approach they prefer and follow it. Sincerely, Jason Coombs jasonc@...ence.org -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of methylketone@...hmail.com Sent: Saturday, January 25, 2003 1:10 PM To: full-disclosure@...ts.netsys.com Subject: [Full-Disclosure] Sapphire worm POC that fulldisclosure policies hurt everyone -----BEGIN PGP SIGNED MESSAGE----- THE FULLDISCLOSURE PHILOSOPHY: Vulnerability gets released on mailing lists Admins patch machines <- IMPORTANT PART! Internet is secure! I hear alot of arguments put out by the naive in favor of fulldisclosure of vulnerability information. But the fact is, fulldisclosure policies hurt everyone, and this time, they have wreaked havoc across the entire internet. The ms-sql vulnerability has been known to the public for six months. If the fulldisclosure philosophy were correct, the vulnerability would have been patched by the vast majority of admins out there. However, that isn't what happened. Thousands of machines were compromised and it lead to a massive internet-wide loss of service. There are alot of attacks against the competency of administrators who failed to put their databases behind their firewall, and also failed to patch their machines, but fulldisclosure operates on the assumption that all administrators are going to find out about the bug and patch their machines. The fulldisclosure philosophy is flawed. The vast majority of those reading this message probably won the scriptkid/admin race of patching vs being compromised. But today, that didn't stop the destructive power of this worm. Today's denial of service was mostly caused by smaller enterprises with less competent administrators. The message is "pay up to the security consultants or your machines get owned". I would be more okay with this if it were just the machine's owners that got affected, but it's the entire internet. Get a clue, your actions have consequences. If the ms-sql bug had never been disclosed, and was slipped quietly to Microsoft, this never would have happened, and the same responsible administrators would have upgraded their software. The odds are, those same responsible administrators have had their database servers behind a firewall anyways, so this is all irrelavant. This catastrophe was caused solely by the disclosure of vulnerability information. I urge you to be more responsible with your actions in the future. The stability of the entire internet is at stake. -----BEGIN PGP SIGNATURE----- Version: Hush 2.2 (Java) Note: This signature can be verified at https://www.hushtools.com/verify wmEEARECACEFAj4zGT0aHG1ldGh5bGtldG9uZUBodXNobWFpbC5jb20ACgkQsX0pyCcw k+BI0ACgh/KwGDbK2C2EH7rszBKQ+yHKOp4AoLPlppnkMg1Tw2pB7dqq46pWGQox =ym30 -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists