[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F956D54.5010409@science.org>
From: jasonc at science.org (Jason Coombs)
Subject: No Subject (re: openssh exploit code?)
Aloha, Mitch.
Your essay on the immorality of releasing exploit code was very well
thought out, and I commend you for it and for standing up for something
that you believe in -- particularly in a venue that is openly hostile to
your viewpoint.
That having been said, your conclusions are wrong. In part this is
caused by a simple slip of logic and perhaps a flawed understanding of
statistics.
We know beyond much doubt that virtually every computer in existence
today can be owned. We know that worms can spread quickly through
computer networks. We also know that a worm that immediately destroys
its host doesn't get a chance to replicate. We know that worms could be
designed to delay destruction of hosts, essentially dropping a Trojan
with a time bomb inside. We know that the release of exploit code for a
remote exploitable vulnerability in network service code makes it next
to trivial for most script kiddies to tool up precisely this sort of
hybrid attack. We also know that it doesn't happen in practice, despite
your fear that it will and the exploit will be to blame. Are we simply
*lucky* that this has not happened to date with a widely-successful
worm? (recall the many varieties of virii that do destroy the infected
host, but which do not spread and execute automatically)
Perhaps we have been lucky. Perhaps you are correct that we will not
always be so. However, you must reconsider your assessment of the damage
that will be done in the real world when the killer worm Trojan time
bomb does get released because we know from past worms that nowhere near
every vulnerable box gets owned by the beast, and we know that not all
boxes that are thought to be vulnerable actually end up being vulnerable
for one reason or another. A loss, and I mean a complete and
unrecoverable data loss, of 10% to 20% of the world's computers would
just not be a very big deal. Some of the more irresponsible companies
would go out of business, sure. Some people may even die. But people
die. And companies go out of business. Life goes on for everyone else,
and the survivors change and adapt. Damage that could have and should
have been prevented in the first place gets investigated and those
responsible get sued and maybe, if we're lucky just a little more, they
get put in jail for a very long time.
But what you're saying is that you will be one of those people who come
to my house carrying your pitch fork, your hangman's noose, and your
torch, chanting something dreadful along with the rest of the mob, when
the exploit code I release gets picked up by somebody and incorporated
into the malware that exposes the utterly insane and misguided reliance
upon unprotected, unprotectable software-based programmable computers
throughout the civilized world for elements of critical infrastructure.
What you're saying is that you will blame me, not the company that
refused to cut into their profits by installing redundant failsafes.
What you're saying is that you will convict me and sentence me because
my thoughts, disclosed publicly, were used by somebody else to create a
tool that caused your pretty little house of cards to collapse around you.
You *should* blame yourself for building houses of cards and calling
them something that they are not.
You *should* blame yourself for keeping quiet about the true causes of
the problems that lead to vulnerabilities, because you mistakenly and
arrogantly believe that your conclusion is the smarter one that results
in a safer world.
You *should* let go of the burden you feel for keeping the world safe
from all of your hypothetical threats, because it's not your job and it
is misguided to believe that such a thing is even possible with you as a
single point of failure.
You *should* recognize that those elite few who really care about
security can, will, and *do* pull the network cable out of the back of
boxes that are believed to be vulnerable to exploits *when* those
exploits get released. For obvious reasons of practical reality these
same people do not, in general, pull the plug on systems that they
*know* to be vulnerable *until* they see conclusive proof that there is
an immediate risk.
You *should* feel responsible, personally, for every penetration that
occurs that would have been avoided if you had helped to communicate
full disclosure with proof of concept exploit code, since only that
communication has been prove to trigger widespread social response in a
preventative manner. Advisories that attempt to explain complex
hypothetical vulnerabilities and recommend an immediate patch just do
not do the job.
You have an obligation to disclose information in detail that other
people can use to protect themselves immediately. Your failure to
disclose this information makes you nothing less than an accomplice
before the fact to every penetration that occurs in the future when
somebody else finds the hidden secret and exploits it.
I will continue this discussion with you in greater detail if you wish.
There is much need for this conversation to recur, because many people
just like you are still confused about the proper role of an information
security professional in the security process. Many people are also
still confused about the obligations that go along with knowledge,
mistaking those obligations as the same ones that go along with skill
and ability to take decisive action to contain or prevent imminent
damage or risk exposure. Knowledge that other people are at risk must be
disclosed -- and it must be disclosed in full detail and publicly when
there is no other way to communicate with most (if not all) of those
people. This is the inherent value of the Public, and you diminish this
value and reduce its protective power when you presume to know better
than the Public does what it can and can't cope with being told.
Sincerely,
Jason Combs
jasonc@...ence.org
mitch_hurrison@...lip.com wrote:
> Hi Paul,
>
> Again, what is it about your personality that makes you incapable
> of taking part in an adult discussion of responsible disclosure
> issues? Is it that anyone who has a different opinion than yours
> is automatically not worth your time? That sounds kind of nazi-like
> to me mr. Schmehl.
>
> It's quite saddening to see this list turn into a pack of hungry
> saliving fools at even a hint of an exploit for this issue. You
> seem to have more of a hardon for the "juarez" than any "kiddie"
> I've ever met. Even when trying to debate some of the issues
> surrounding the disclosure of such a potentially devastating
> exploit all one gets is "yeah, yeah. Now make with the warez".
>
> As far as it being "easy" to exploit. No it isn't. You have to
> abuse a lesser issue, a memory leak to be more precise, to get
> a heap layout that will allow you to survive the initial memset
> without landing in bad memory. Now without going into details
> anyone who manages to survive the initial memset should be able
> to debug the crash to the point of exploitation. This is managable
> on atleast Linux IA32 systems.
>
> Now I'll try and bring my original point forward one last time,
> allthough I fear it will just call for more immature commentary
> from the likes of Paul Schmehl.
>
> There is no need for anyone to release this exploit. It will change
> nothing about the fact that you need to upgrade your daemons. It
> will change nothing about the bugdetails already published. There
> is no reasoning for it other than "but I want to learn how to do it".
> And sorry but that's just not good enough to warrant the mayhem that
> will ensue when an exploit like this is released. So if you in
> your academic pursuits decide to tackle this problem. By all means
> go right ahead. But I think anyone who's discovered the real impact
> of this bug will realise that disclosing the exploit to the
> general public is highly irresponsible.
>
> Now on a larger scale, I think it's rather foolish to cop an attitude
> that assumes anything that doesn't exist in the public eye isn't
> possible. It reeks of the same arrogance I'm accused off. Is it
> arrogant to step forward to try and explain why noone who managed
> to exploit ossh is willing to step forward? Maybe it is.
>
> Fact
> remains that exploiting this issue requires creativity beyond
> the pre-chewed papers. And that's why you're not seeing the regular
> array of mediocre "hackers" producing exploit code. I'd like to
> think that anyone who was capable of writing this exploit also
> recognises the potential impact of releasing it.
>
> So instead of trying to poke fun at me Paul, why don't you do your
> duty as a knight of Full Disclosure and provide the good people
> of this list with a definite analysis on the ossh 32k nul heap
> munging? (buzzword quota filled).
>
> This is the year 2003. We aren't
> the only ones reading these lists people. Do you really want to
> be responsible for arming the more hostile elements in the world
> with such a tool? I can't stress it enough. Noone should release
> this exploit. And to be honoust in this day and age I think anyone
> releasing exploits to the general public is losing sight of a
> bigger picture that affects us all. Now I'm not talking about
> the Nth trivial snosoft local stack overflow "exploit". I'm talking about the apaches, the openssh's and the ms rpc's. Time and time
> again it's become apparent that full disclosure simply does not
> function. And allthough I realise that there will always be people supporting
> full disclosure, I think even with the disclosure of vulnerability
> information releasing exploits is something that's not justifiable
> in any way.
>
> There is simply no need for exploits, especially not one that would
> affect people and nations around the globe. You have to look beyond
> your own little egocentric world of friendly exploit dev and "but it's fun",
> and take a look at the bigger picture.
>
> So to you Paul, and to the rest of this list. I say once again
> if you can't write the exploit. You don't..need.. the exploit.
>
> With regards,
> Mitch
Powered by blists - more mailing lists