[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F328427.2040007@likes.smart-girlies.org>
From: gridrun at likes.smart-girlies.org (gridrun)
Subject: Vulnerability Disclosure Debate
Vulnerability Disclosure Debate
by gridrun on 8/07/03
The security alliance around Microsoft is trying to push its "reasonable
vulnerability disclosure guidelines", which seeks to prevent security
researchers from publishing proof-of-concept code alltogether, and wants
them to make only limited, next to useless, information about security
flaws available to the public.
In my humble, personal opinion, this step seeks to maximize income of
several large security firms, as they would release any detailed
information only to paying groups of subscribers... An inherently
dangerous plan, and the argumentation behind it is severely flawed.
They state that those releasing proof-of-concept code to the public are
responsible for the creation of various malware, virii and worms,
exploiting the discovered vulnberabilities.
Let me tell you one thing: If you believe that you are the only ones
finding vulnerabilities, then you are to be considered a bunch of
arrogant, self deceited stupid ignorant bitches. Do you really think you
are the only ones "31337" enough to find sec vulns??? Latest example:
The people here at spacebitch.com noticed intrusions using the RPC/DCOM
vulnerability at least a month before any information about it was
published at all. Now that its published, everyone goes BIG NEWS about
it, and predicts the advent of the next "internet destroying" worm which
will take over all our systems. It doesnt matter to these people, that
the most effective worms and trojans are far more low profile then for
example "slammer" worm was (an inherently dumb program, raising
immediate attention just by the exorbitant amount of bandwidth consumed
by it). They dont even mention that there are so many worms and trojans
making their ways thru cyberspace, mostly undetected and unnoticed,
spreading slowly and in a limited manner only.
Hackers, Crackers and Script Kiddies alike are known to engage in
exploit trading and often, they are discovering and exploiting
vulnerabilities without going BIG NEWS about it... Do you really
believe, people are sending all their 0day to @stake & co in advance,
just to let them make money of the news?? Would you not rather believe
that crackers finding new vulnerabilities would keep them 0day as long
as possible, exploiting them undiscovered, because the majority doesnt
even know the hole exists?? To me, it would seem perfectly logical for
hackers and crackers alike to ONLY publish their findings after the
problem was initially noticed by the public? Would it not make sense to
you? To keep 0day for fun and profit as long as possible, and then
releasing a modified variant of the 0day as "proof-of-concept" code, as
soon as the public is noticed, and credits and publicity are to be
gained by releasing the exploit code to the public?
To me, full disclosure makes perfect sense. Tell people about the
vulnerability as soon as you notice it exists, you'll see
"proof-of-concept" code appearing within days - essentially a proof that
there were other people knowing about the vulnerability already.
Also, full disclosure, including exploit code, frees you from the
obligation to believe in software vendor advisories and patches -
another critical issue, demonstrated again by the RPC/DCOM flaw:
Apparently, M$' fix doesnt really fix the problem to its full extent,
and in some cases, is believed to leave machines vulnerable to the
attack. Again, something which was to be discovered by END USERS loading
proof-of-concept exploits and trying them on their own systems. To me,
it makes no sense to blindly trust in a software vendor's patch, when it
has repeately been shown that software vendor's patches often do not
fully provide the anticipated security fixes.
Obviously, time has NOT yet come to say goodbye to full disclosure, and
doing so would leave end users at the fate of some sotware producers'
industry consortium to take care of OUR security - which they have
repeatedly shown to be incapable of.
Spread the knowledge, take resposibility, take care!
- gridrun
http://softlabs.spacebitch.com
Powered by blists - more mailing lists