Message-ID: <1123575724.19045.39.camel@numero>
Date: Tue Aug 9 09:22:10 2005
From: dan at losangelescomputerhelp.com (Daniel H. Renner)
Subject: "responsible disclosure" explanation
I have only one thing to say to you Jason:
Rock on!!!
(Or Rant and Grumble on - as you wish.)
No explanations as to my opinions regarding Windows vulnerabilities
need be spouted here...
And I hope you are always successful in teaching those that need it.
:-)
Dan
On Tue, 2005-08-09 at 07:43 +0100, full-disclosure-request@...ts.grok.org.uk wrote:
> Date: Mon, 08 Aug 2005 17:51:18 -1000
> From: Jason Coombs <jasonc@...ence.org>
> Subject: Re: [Full-disclosure] "responsible disclosure" explanation
> To: full-disclosure@...ts.grok.org.uk
> Message-ID: <42F82836.4030101@...ence.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> "responsible disclosure" causes serious harm to people. It is no
> different than being an accessory to the intentional destruction of
> innocent lives.
>
> Anyone who believes that "responsible disclosure" is a good thing
> needs
> to volunteer their time to teach law enforcement, judges,
> prosecutors,
> and attorneys that the consequence of everyone communicating with
> everyone else online is that some people use secret knowledge of
> security vulnerabilities to ruin other people's lives or commit
> crimes
> by hijacking innocent persons' vulnerable computers.
>
> Some of you may know that I work as an expert witness in civil and
> criminal court cases that involve computer forensics, information
> security, and electronic evidence.
>
> I just received a phone call from a member of the armed services in
> the
> U.S. who is being court martialed for possession of computerized
> child
> pornography.
>
> This happens every day in courtrooms throughout the world.
>
> On a regular basis somebody accused of this crime finds me and asks
> for
> my help explaining that a third-party could have been responsible for
> the crime. In every case the prosecution is alleging that the
> computer
> forensics prove beyond a reasonable doubt that the defendant is
> guilty
> of the crime because it was their Windows computer that was used to
> commit it.
>
> Often, some incompetent computer forensics professional will have
> already done work on behalf of the defense and authored a report of
> their own. These reports read like those authored by the
> prosecution's
> computer forensic examiners, they list the contents of the hard
> drive,
> itemize entries from Internet Explorer history files and explain that
> some "deleted" files were recovered that further incriminate.
>
> So you tell me, those of you who believe that "responsible
> disclosure"
> is a good thing, how can you justify holding back any detail of the
> security vulnerabilities that are being used against innocent
> victims,
> when the court system that you refuse to learn anything about is
> systematically chewing up and spitting out innocent people who are
> accused of crimes solely because the prosecution, the judge, the
> forensic examiners, investigators, and countless "computer people"
> think
> it is unrealistic for a third-party to have been responsible for the
> actions that a defendant's computer hard drive clearly convicts them
> of?
>
> You cannot withhold the details of security vulnerabilities or you
> guarantee that victims of those vulnerabilities will suffer far worse
> than the minor inconvenience that a few companies encounter when they
> have no choice but to pull the plug on their computer network for the
> day in order to patch vulnerabilities that they could otherwise
> ignore
> for a while longer.
>
> "Responsible disclosure" is malicious. Plain and simple, it is wrong.
>
> "Responsible disclosure" ensures that ignorance persists, and there
> is
> no doubt whatsoever that ignorance is the enemy.
>
> Therefore, supporters of "responsible disclosure" are the source of
> the
> enemy and you must be destroyed. Hopefully some patriotic hacker will
> break into your computers and plant evidence that proves you are
> guilty
> of some horrific crime against children. Then you will see how nice
> it
> is that all those "responsible" people kept hidden the details that
> you
> needed to prevent your own conviction on the charges brought against
> you
> by the prosecution.
>
> How can "responsible" people be so maliciously stupid and ignorant?
>
> Please, somebody tell me that I'm not the only one inviting judges to
> phone me at 2am so that I can teach them a little about why a Windows
> 2000 computer connected to broadband Internet and powered-on 24/7
> while
> a member of the armed forces is at work defending the nation could in
> fact have easily been compromised by an intruder and used to swap
> warez,
> pirated films and music, and kiddie porn without the service member's
> knowledge.
>
> How can trained "computer forensics" professionals from the DCFL and
> private industry author reports that fail to explain information
> security? The answer is that the people who teach computer forensics
> don't understand information security. It is not "responsible" to
> suppress knowledge of security vulnerabilities that impact ordinary
> people. Suppress security vulnerability knowledge that impacts only
> military computer systems, but don't suppress security vulnerability
> knowledge that impacts computer systems owned and operated by
> ordinary
> people; for doing so ruins lives and you, the suppressing agent, are
> to
> blame for it moreso than anyone else.
>
> Grr. Rant. Rant. Grumble.
>
> Sincerely,
>
> Jason Coombs
> jasonc@...ence.org