[<prev] [next>] [day] [month] [year] [list]
Message-ID: <C6AF3ECACA6E9A46A2CB2FABCDCB35C40CE9AAEB@swilnts810.wil.fusa.com>
Date: Wed, 18 Apr 2007 10:53:18 -0400
From: <Glenn.Everhart@...se.com>
To: <neal.krawetz@....hush.com>, <full-disclosure@...ts.grok.org.uk>,
<ge@...uxbox.org>
Subject: Re: UK ISP threatens security researcher
Extortion is AFAIK the demand for money or valuables without legal
authority. I do not believe "fame" qualifies, and in any event one who
points out a bug in public has his fame or infamy independently of what
a company does.
At a former employer (an OS vendor) the general line was to ask customers
to not disclose vulnerabilities. However this was accompanied by an almost
paranoid internal search-and-destroy attitude toward security holes
and by prompt fixes to such problems as became known. As a result the customers
supported this stand.
Mind, there was little or none of the childish "counting coup" that seems to
go on in some quarters involved. Those who advocated disclosing problems did not
"claim credit" for finding the problems in the cases that surfaced. The discussion
about whether to do so was always centered on the theory (with some observational
support) that attackers knew of the bugs already and countermeasures could often be
used if the attacks were known to exist.
To my mind, a company that wants its problems to be kept quiet externally till
fixed needs to earn that consideration by such paranoia. If a company is smart
it will communicate with outsiders who point out problems. (Communicating
about problems that can affect third party software is also a good thing. Many of
us did.)
Still, one who reveals a problem to the public is contributing to public knowledge,
and that act by itself is not extortion or bullying. It should not be confused
with such. The ethical issues center around whether the warning might help avoid
a problem, or simply precipitate it.
A similar ethical issue appeared in science fiction and is a caution to the "reveal
everything" side. In the story a small group learns to build a cheap doomsday device.
In the end one of them kills the others because he worries about it being used for
extortion. However, he is shortly afterwards killed by his wife, who worries that if
the device can be built her children's lives cannot be safe.
The law ought to be clear that revealing information freely is OK, but that something
that risks precipitating a catastrophe is not. A properly defended (in 2nd Amendment sense!)
society might very well in clear cases resort to the science fiction solution.
On the other hand, claiming such risk for every oversight, and at the same time not
advertising your code does not run in hostile environments, is a kind of public
fraud which does not deserve either protection or respect.
The science fiction example is in clearly defined territory. Computer risks are seldom
so, and before legal (or extralegal societal extreme) measures get involved there should
be much more proof than has been common, and clarity about what is arguably beneficial and what
is thuggery.
When I propose designs, by the way, I am very glad to have heard about vulnerabilities in
different technical areas so I might design around them. If I must propose a kludge I
am also very glad to have heard about where the dangers lie. At least it allows my guesstimates
of how long the kludge might be used to be more accurate.
In the case referred to, the ISP's arguments remind me of what English banks were reputed
to do some years ago when thefts occurred: argue that (in so many words) "our systems are
secure so you must have done something wrong to breach them". Yep, bullying seems to be
going on, but from the ISP. A response more along the lines of fixing the holes (as Microsoft
has done when holes cropped up in its mail systems) would be more responsible. Had they
considered that the researcher was giving them free help, having found the problem due to
some vulnerabilities the ISP's software was causing on his home system, the ISP would have
wound up looking better. Reading the original post btw shows the guy gives a workaround for
customers to close the holes created in their home systems. No evidence there far as I can see
that the guy wanted anything other than to alert others about a hole in their own systems that
the ISP software created (perhaps inadvertently), and what he noted.
(That they responded noting that the terms & conditions say a customer is responsible for
security of account passwords selected by the customer, and claiming this somehow applies to passwords
evidently "selected" by the ISP, is an indication of CYA, not of problem solving.)
Glenn Everhart
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk]On Behalf Of Dr. Neal
Krawetz, PhD
Sent: Wednesday, April 18, 2007 8:01 AM
To: full-disclosure@...ts.grok.org.uk; ge@...uxbox.org
Subject: Re: [Full-disclosure] UK ISP threatens security researcher
**********************************************************************
This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
**********************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Let's keep in mind that publishing most security information
borders extortion. There isn't any other industry where fat nerds
try to strongarm large corporations into admitting there are
weaknesses in their products, defaming them publicly, causing their
stock prices to fall, or otherwise damaging their public image and
thus causing financial damage, et cetera.
Gadi, I doubt your people would be thrilled if you tried to
petition Yahweh with complaints regarding His children being
vulnerable to pieces of metal fired at high velocity from guns, and
demanding that if things aren't fixed within what you consider a
satisfactory timeframe (which, in the end is just some arbitrary
number invented by people with no concept of industry and
economics) that you will arm every man, woman, child, and lizard of
bordering Arabic nations to Israel in order to teach that big guy
up in the sky a lesson about not making humans impervious to
gunfire!
Come on man! You're smarter than this! When socially inept people
who possess only rudimentary computer skills start bullying (call
it what you will, in the end if you argue against my points you
clearly are one of those people who can't make it in the real
world) corporations for fame and money, which have real-world
financial consequences to said corporate entities, you are in the
least committing extortion. And while you might think these
efforts are noble, the reality of the situation is simple - this is
absolutely no different than a bunch of Russians with botnets,
forcing businesses to comply with their demands if that business
wishes to continue existing on the Internet.
When was the last time an auto manufacturer was humiliated publicly
because their car windows can easily be broken and contents of the
car stolen? When have chain manufacturers been chastised by the
mass media for the existence of bolt cutters? What about the
serious threat of hacksaws?
People, grow up. If your life is spent behind a computer
discovering uninteresting oversights in software design, where you
clearly lack experience and ability, and proclaiming yourself the
#chatzone badass and drolling saying "I'm the best evah!!!" doesn't
make you important. The sad state of this industry is that there
are enough ignorant people that find it impressive, and who don't
understand the ramifications of their publicity whoring and the
obvious parallels to other industries.
The long and short of it is:
If you want to act like a criminal, be prepared to be treated
like a criminal, and don't cry about the choices you've made in
life. You aren't a fucking martyr when your motivations and cause
are only self-promoting and otherwise selfish.
Always remember the embarrassment to hackers, humans, and Hebrews
everywhere that is Kevin Mitnick.
- - Dr. Neal Krawetz, PhD
http://www.hackerfactor.com/blog/
On Tue, 17 Apr 2007 19:30:54 -0400 Gadi Evron <ge@...uxbox.org>
wrote:
>http://www.theregister.com/2007/04/17/hackers_service_terminated/
>
>"A 21-year-old college student in London had his internet service
>terminated and was threatened with legal action after publishing
>details
>of a critical vulnerability that can compromise the security of
>the ISP's
>subscribers."
>
>I happen to know the guy, and I am saddened by this.
>
> Gadi.
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5
wpwEAQECAAYFAkYmCAUACgkQDpFP8dW5K4bwFgP/Z2cmOC7HiPZ9Bp1p0VqC/1IMv40l
Vxi/gS/jMQMDG9XiIZqnDQQwMGm8OhnBu6LfMPi66Xnfr9ZV5zcE3wCeqlRfDsyAuAD7
TvpzfqAfhdLDgfG6hmX9BBZdpALXIa4ijwKuo4zs5uqtA/najmlIwgDjmGXC1NefQsZP
acyWgT8=
=zSxl
-----END PGP SIGNATURE-----
--
Click here for free information on earning a criminal justice degree today.
http://tagline.hushmail.com/fc/CAaCXv1S4xxoKJy71c1syHceuiPxgdCh/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
**********************************************************************
This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
**********************************************************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists