[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0504252144560.25408-100000@bugsbunny.castlecops.com>
Date: Tue Apr 26 03:02:06 2005
From: zx at castlecops.com (Paul Laudanski)
Subject: Re: -==phpBB 2.0.14 Multiple Vulnerabilities==-
> There's a big difference between discussing disclosure etiquette and
> demanding that one's terms of disclosure etiquette be followed. Those
> on the "full disclosure sucks" end tend to do the latter.
I don't think anyone here is arguing the concept of "full disclosure". By
all means go for it. I've done so in the past myself. Point I'm making
here is, why issue a disclosure without suggesting any kind of patch
coupled with the fact that the vendor wasn't even notified.
What's the point of humanity? To me its helping each other out. Without
vendor notification and/or a suggested patch, what's the point of having a
disclosure that actually helps sysadmins protect their systems?
Granted this disclosure calls itself a low risk. But what if it were a
high risk that could sweep itself across the net bringing websites down,
causing people to lose time and sleep trying to figure out what a decent
patch is?
Moral fiber.
> Frankly, Dave's right - it was never required to inform the vendor. Is
> it a nice thing to do? Sure. (informing the vendor, that is...) Is it
> the responsible thing to do? I tend to think so...
Its not about requirements. Its about doing the right thing. Lets
analyze what the OP released. If it contained a suggested patch then I
would not have replied nor had an issue with the release. We wouldn't
even be having this discussion.
> But, should one be compelled to do so? I don't think so. Frankly, I'd
> hate to see what the world would be like if we had to pass our actions
> through Acme XYZ company whenever we do anything... I mean, I suppose if
> you like servitude, then having to get permission for everything would
> make sense...
Last I checked slavery was abolished. The pros play nicely, and if
someone wants to get into the game, then be mature about it and place nice
too.
As above, I would have been fine if the OP posted a suggested patch. One
wasn't offered. If not, then contact the vendor. What was the reason to
release the disclosure so quickly? Was it about "losing credit"? phpbb
and other vendors I've worked with honor full credits.
> It comes down to this: when real people find out something or other
> regarding a product, they should be allowed to share that information
> without restriction. That's the organic nature of information: live
> with it because it's not going to change. The alternative is a freeze
> on information that would amount to the destruction of all information
> freedom and, ultimately, the death of democracy (if it ever actually
> existed)...
I see the point I'm trying to deliver is being missed.
> Now, responsible disclosure is one thing, but there is no requirement to
> be responsible. And that isn't to say that just disclosing a bug is
> inherently irresponsible. If the vendor is not responsive or has not
> been responsive in the past, then I say disclose away. At that point,
> disclosure is the responsible thing to do.
That is perfectly fine in my book too. But the OP didn't state that in
his release now did he? Some vendors can't be bothered about disclosures.
So state that, and still offer a suggested patch. If you are incapable of
producing one, find someone who will.
> Neither side bares a rosy picture: full disclosure can result in users
> being harmed... but those who've spent any remote amount of time amongst
> real hackers/crackers know that that is no different than the status
> quo. (Most of them never end up as MS MVPs, btw) The "full disclosure
> sucks" side of the table results in a concept which forwards the idea
> that a freeze on information ultimately is a good thing and we should
> all eat from the corporate trough.
Seems the whole MVP thing turns out to be a sticking point? I've replied
many times in these seclists and have never generated such a discussion
before.
> I'd take my chances with the status quo, keep the flow of information
> moving, and use that information to protect myself.
What is the status quo? Russ Cooper of NTBugtraq wrote today about the
NGS Software disclosure on Sybase and how Sybase was threatening them with
legal action if it were released (to be in 3 months after vendor
notification):
"NGS, a very responsible security company, informed Sybase of the
vulnerabilities and stated they would publish details in three months.
This is perfectly normal and acceptable practice in the security arena."
> No offense meant, but can't we all just get along on this little playground?
I thought that was the whole idea? Getting along and helping each other
out. Ergo why I replied in the first place to the OP.
--
Sincerely,
Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CastleCopsWiki .. http://wiki.castlecops.com
MS MVPS Blog .... http://msmvps.com/castlecops
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html
http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com
________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.
part000.txt - is OK
http://castlecops.com
Powered by blists - more mailing lists