Message-ID: <20050809072229.GA5570@5002.rapturesecurity.org>
Date: Tue Aug  9 08:22:38 2005
From: robert at dyadsecurity.com (robert@...dsecurity.com)
Subject: "responsible disclosure" explanation (an example of the fallacy of idealistic thought)

Matthew Murphy(mattmurphy@...rr.com)@Tue, Aug 09, 2005 at 01:42:36AM -0500:
> In this scenario, much as a software vulnerability, two factors are
> consistent.  The threat (the malicious individual seeking to move
> things illegally or harm life or property) is fixed, as is the
> vulnerability (the weakness that allows that individual access).  The
> only component of the puzzle that is not static is the actual risk of
> the threat becoming reality (exploitation of the vulnerability).

This argument is old and neither side can be substantiated to the point
of swaying opinion.  That said, it is really arrogant to assume that the
1st security researcher to share the information publicly was the 1st
person (or only person) to find the problem.  We (at dyad) find multiple
"0day" problems in software every week.  We don't share any of them with
the community at large, partly because of ungrateful people like you,
and partly because it doesn't provide any real value anyway.  I know
we're not the only researchers to feel this way.  Just know that for
every advisory that comes out, there are likely 100-1000x more problems
being discovered, harvested, and used for noble and malicious purposes.

On the internet, information flow isn't contained.  The people who
create the software are not the only people who find the problems,
therefore they cannot be the only source for information exchange, and
indeed may not be the most appropriate source for vulnerability
information.

> The point you miss is that by withholding vulnerability details, I
> guarantee nothing, other than that those details are less widely
> known.  I agree that patch processes should be more expeditious, but
> the solution to that dilemma is not to force companies to sacrifice
> quality by creating an imminent risk that did not otherwise exist.

The imminent risk is caused by the vulnerability existing in the
software being discovered, not by having the advisory with good details
publicly shared.  Having the details shared helps the end users know
their risks.

With tools like unicornscan (http://www.unicornscan.org) becoming more
widely deployed, as soon as an 0day is discovered, it's a simple matter
to hit every publicly available IP on the internet in under 24 hours.
There is imminent risk as soon as the 1st malicious person finds the
bug.

Robert

-- 
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@...dsecurity.com
M - (949) 394-2033
