[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <653D74053BA6F54A81ED83DCF969DF08017ABA29@pivxes1.pivx.com>
Date: Tue Aug 9 06:27:38 2005
From: DDavis at pivx.com (Dominique Davis)
Subject: "responsible disclosure"
I must first state that the following post in no way reflects on the views of my company and are In no way that of my employers.They are all my own.
However i do take issue with a few of the statements you have posted below and as a thinking free man i cannot allow these to pass un-addressed.
point one :
"responsible disclosure" causes serious harm to people. It is no
different than being an accessory to the intentional destruction of
innocent lives.
Rebuttal
In the intrest of "responsibily discloseing " information you belived needed to be spread to the public without a objective third party couterbalance to verify the facts you have caused harm to innocents who were just doing their jobs without thought to the harm it might cause them making you a "accessory to the intentional destruction of
innocent lives." In the name of righting injustice outside of the established legal process with no justifaction other than your own views and intrest.
Point two:
Often, some incompetent computer forensics professional will have
already done work on behalf of the defense and authored a report of
their own. These reports read like those authored by the prosecution's
computer forensic examiners, they list the contents of the hard drive,
itemize entries from Internet Explorer history files and explain that
some "deleted" files were recovered that further incriminate.
Rebuttal:
Can you state here in public that you have never done the samewhen you were starting out.Nothing personal bud ,But those who live in glass houses shouldnt through stones.
________________________________
From: full-disclosure-bounces@...ts.grok.org.uk on behalf of Jason Coombs
Sent: Mon 8/8/2005 8:51 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] "responsible disclosure" explanation
"responsible disclosure" causes serious harm to people. It is no
different than being an accessory to the intentional destruction of
innocent lives.
Anyone who believes that "responsible disclosure" is a good thing needs
to volunteer their time to teach law enforcement, judges, prosecutors,
and attorneys that the consequence of everyone communicating with
everyone else online is that some people use secret knowledge of
security vulnerabilities to ruin other people's lives or commit crimes
by hijacking innocent persons' vulnerable computers.
Some of you may know that I work as an expert witness in civil and
criminal court cases that involve computer forensics, information
security, and electronic evidence.
I just received a phone call from a member of the armed services in the
U.S. who is being court martialed for possession of computerized child
pornography.
This happens every day in courtrooms throughout the world.
On a regular basis somebody accused of this crime finds me and asks for
my help explaining that a third-party could have been responsible for
the crime. In every case the prosecution is alleging that the computer
forensics prove beyond a reasonable doubt that the defendant is guilty
of the crime because it was their Windows computer that was used to
commit it.
Often, some incompetent computer forensics professional will have
already done work on behalf of the defense and authored a report of
their own. These reports read like those authored by the prosecution's
computer forensic examiners, they list the contents of the hard drive,
itemize entries from Internet Explorer history files and explain that
some "deleted" files were recovered that further incriminate.
So you tell me, those of you who believe that "responsible disclosure"
is a good thing, how can you justify holding back any detail of the
security vulnerabilities that are being used against innocent victims,
when the court system that you refuse to learn anything about is
systematically chewing up and spitting out innocent people who are
accused of crimes solely because the prosecution, the judge, the
forensic examiners, investigators, and countless "computer people" think
it is unrealistic for a third-party to have been responsible for the
actions that a defendant's computer hard drive clearly convicts them of?
You cannot withhold the details of security vulnerabilities or you
guarantee that victims of those vulnerabilities will suffer far worse
than the minor inconvenience that a few companies encounter when they
have no choice but to pull the plug on their computer network for the
day in order to patch vulnerabilities that they could otherwise ignore
for a while longer.
"Responsible disclosure" is malicious. Plain and simple, it is wrong.
"Responsible disclosure" ensures that ignorance persists, and there is
no doubt whatsoever that ignorance is the enemy.
Therefore, supporters of "responsible disclosure" are the source of the
enemy and you must be destroyed. Hopefully some patriotic hacker will
break into your computers and plant evidence that proves you are guilty
of some horrific crime against children. Then you will see how nice it
is that all those "responsible" people kept hidden the details that you
needed to prevent your own conviction on the charges brought against you
by the prosecution.
How can "responsible" people be so maliciously stupid and ignorant?
Please, somebody tell me that I'm not the only one inviting judges to
phone me at 2am so that I can teach them a little about why a Windows
2000 computer connected to broadband Internet and powered-on 24/7 while
a member of the armed forces is at work defending the nation could in
fact have easily been compromised by an intruder and used to swap warez,
pirated films and music, and kiddie porn without the service member's
knowledge.
How can trained "computer forensics" professionals from the DCFL and
private industry author reports that fail to explain information
security? The answer is that the people who teach computer forensics
don't understand information security. It is not "responsible" to
suppress knowledge of security vulnerabilities that impact ordinary
people. Suppress security vulnerability knowledge that impacts only
military computer systems, but don't suppress security vulnerability
knowledge that impacts computer systems owned and operated by ordinary
people; for doing so ruins lives and you, the suppressing agent, are to
blame for it moreso than anyone else.
Grr. Rant. Rant. Grumble.
Sincerely,
Jason Coombs
jasonc@...ence.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050808/fb3e8285/attachment.html
Powered by blists - more mailing lists