Open Source and information security mailing list archives
Message-ID: <40E9AC5A.2000506@isecom.org>
From: pete at isecom.org (Pete Herzog)
Subject: Re: Public Review of OIS Security Vulnerability Reporting and Response Guidelines

All,

The number of researchers locked out of this opinion piece are not alone 
in questioning the motives of the OIS.  I can only speak for myself but 
this process of vulnerability reporting that the OIS suggests is elitist 
and unethical.  Much more unethical than the releasing of information 
publicly to all even if no fix is available.

That there are significant problems with the OIS guidelines is an 
understatement. While I agree that there is a need for proposing 
guidelines, the actual premise of these particular guidelines 
essentially proposes less security.  And while the OIS claims it will 
not be made into law (http://www.oisafety.org/about.html#6) there is 
serious doubt on this premise 
(http://www.sbq.com/sbq/vuln_disclosure/sbq_disclosure_liability.pdf) as 
existing laws may already be applicable and sure to cause a chilling 
effect on security research if these guidelines turn up the heat.  Then 
the "30 days to disclosure" has no consequence if the research can't be 
made in the first place. It would seem that puts the vendor under less 
pressure and not more 
(http://att.com.com/Panel+defends+flaw+disclosure+guidelines/2100-1002_3-5057914.html).

Another problem is that OIS refused to give independent security 
researchers a voice (http://www.oisafety.org/about.html#3) which is the 
exact opposite of the claim that the process will actually meet the 
needs of the security community (http://www.oisafety.org/about.html#4). 
  There can be no positive, security reason for this.  Are we to assume 
that, as according to your guidelines, you will take feedback from all 
who are not independent security researchers?  How is that label even 
defined?  How is one a "dependent security researcher" if not dependent 
to the vendor?

As if locking out non-vendor-related researchers is not enough, it 
becomes even more suspect.  Section 2.3 Timeline proposes that the 
system be elitist with no mention of how these first-choice groups are 
who get the information or how abuse will be handled by those who break 
the OIS code of ethics for sharing it with customers, selling it or 
auctioning this early warning information. If exploit code is not 
allowed and OIS has "no illusions" 
(http://www.oisafety.org/about.html#12) that others may already have it, 
then why the elitism on who gets to know about it first?  This brings me 
to the key issue.

The largest problem is that these guidelines don't scale much past the 
present where vulnerabilities at worst cause a loss of money. Therefore, 
I can't imagine a future where it works when human lives are directly 
affected.  Vulnerability disclosure aside, it's always better to have 
the choice to hear warnings and make rational choices on those warnings 
because only the choice maker knows the true value of those choices. 
OIS is proposing otherwise (http://www.oisafety.org/about.html#10 and 
the "...no illusions...." in
http://www.oisafety.org/about.html#12).  Withholding information in an 
elitist manner and not giving the public the choice to make their own 
security decisions is wrong and unethical.

The OIS committee and guidelines as they stand are absolutely the wrong 
foot forward to this future.  Not only security researchers should be 
angry with this proposal.

Sincerely,
-pete.

Pete Herzog
Managing Director, ISECOM
www.isecom.org


dave wrote:

> Nobody trusts the OIS or its motives. I imagine this is similar to the 
> feedback you've gotten from everyone else as well, but Immunity has no 
> plans to subscribe to your guidelines, and is going to oppose any 
> efforts you make to legislate those guidelines as law. In section 1.1 
> the draft proposes that the purpose of the OIS's model is to protect 
> systems from vulnerabilities. This is fairly obviously untrue - the 
> purpose of the OIS is to lobby towards a business model for Microsoft 
> and the other OIS members that involves the removal of non-compliant 
> security researchers.
> 
> This call for feedback is a thinly disguised attempt to get public 
> legitimacy and allow the OIS to claim it has community backing, which it 
> clearly does not.
> 
> It's rare, but there are still security companies and individuals who do 
> not owe their entire business to money from Microsoft. It's July 4th, 
> and some of us are Americans who understand the concept of independence.
> 
> Dave Aitel
> Immunity, Inc.
> 
> 
> 
> 
> OIS wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> The Organization for Internet Safety (OIS) extends an invitation to
>>

