| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Jul 2008 10:03:03 -0500
From: "Robert Holgstad" <rholgstad@...il.com>
To: Exibar <exibar@...lair.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Kaminsky's Law
who are you and why do we care about your opinion?
On Fri, Jul 25, 2008 at 7:00 AM, Exibar <exibar@...lair.com> wrote:
> I think we should have "n3td3v's law" where n3td3v and all his aliases
> (professor, uleet, <insert troll douche's name here>, etc) are required to
> get signed written authorization from the community before he can post a
> single message....anywhere.... if it's not a unanimous agreement that he
> can post, and he does so anyway, he goes to jail....
>
>
> ----- Original Message -----
> From: "n3td3v" <xploitable@...il.com>
> To: <full-disclosure@...ts.grok.org.uk>
> Sent: Friday, July 25, 2008 6:56 AM
> Subject: [Full-disclosure] Kaminsky's Law
>
>
> > So what you're saying is HD Moore and |)ruid are exploiting a loop
> > hole in the law to do what they do... looks like we need to get the
> > law tightened.
> >
> > I say a "Responsible Disclosure Act" is drawn up, and anyone who
> > breaks it goes to jail.
> >
> > That will mean:
> >
> > - People will think twice before hitting send on blog entries,
> >
> > - People will think twice about releasing code early,
> >
> > - That the decided time line for disclosure can be enforced,
> >
> > - That the people who release information and/or code early, they get
> > fined for every computer system compromised because of the
> > vulnerability information and/or code disclosure, on top of the jail
> > sentence.
> >
> > So instead for the future its not just a verbal contract for
> > responsible disclosure, its a legally binding contract as well meaning
> > if the Responsible Disclosure Act has been signed by the security
> > researcher and its affected vendors, then ass hats like HD Moore and
> > |)ruid are breaking the law.
> >
> > The details are a bit fuzzy right now, but i'm sure the big guys in
> > the industry can draw up proper rules for a Responsible Disclosure
> > Act.
> >
> > Its likely the Responsible Disclosure Act would only be used in
> > exceptional circumstances like this DNS caching vulnerability, and the
> > approval of the act per vulnerability case has to be decided on by a
> > judge in a court of law, so that the Responsible Disclosure Act can't
> > be over used and abused, to keep the use of the act fair and
> > proportional in relation to the level of the threat.
> >
> > That means, Full-Disclosure of vulnerability information and/or
> > wouldn't be illegal all the time, just in exceptional circumstances
> > that has to be OK'd by a judge.
> >
> > This safe guards the deployment of a patch or patches while telling
> > what the importance of patching is to the public, while disallowing
> > security researchers to release information and/or code before the
> > time line for responsible disclosure.
> >
> > So the scenario would be,
> >
> > jake: hey did you hear about the patches being deployed and the news
> > reports about the flaw and why the patch is critical?
> >
> > joe: yes, but the responsible disclosure act has been signed so we
> > need to wait until it expires before we can share info.
> >
> > jake: no way, whats the assigned disclosure date?
> >
> > joe: the standard 4 weeks, although with the responsible disclosure
> > act, after the 4 weeks, the security researcher and vendors can go
> > back to the judge to ask for an extra 4 week extension onto that, so
> > it could be eight weeks bro before we can become famous for five
> > minutes by releasing attack code.
> >
> > jake: ah, sucks for us, but yeah if the judge has approved the signing
> > there isn't alot we can do unless we want to be labeled criminals, and
> > hunted down by interpol.
> >
> > What has to be told to the community under the act:
> >
> > - The community must be told the Responsible Disclosure Act has been
> > signed and OK'd by a judge.
> >
> > - The community must be told the date the Responsible Disclosure Act
> > expires and disclosure can be made.
> >
> > - The community must be told that security researcher and vendor can
> > go back to the judge after 4 weeks and ask for extension of the act if
> > extra time is needed, this must be announced to the community again
> > with notice.
> >
> > All members of the community who break the Responsible Disclosure Act
> > are breaking the law and face charges.
> >
> > Obviously this is just an email I rattled up in five minutes during a
> > water machine break, so the big guys in the industry can take these
> > ideas and throw them into a properly put together act.
> >
> > I think Dan Kaminsky should lobby the industry and the government to
> > get something like this drawn up, since he is the one who has inspired
> > me to come up with the Responsible Disclosure Act.
> >
> > I kind of feel sorry for Dan Kaminsky, and that HD Moore and |)ruid
> > had to be dick heads about releasing code on purpose against his
> > request of Dan Kaminsky, the vendors and people who agree with
> > responsible disclosure, especially in exceptional circumstances like
> > the DNS flaw.
> >
> > Maybe we should name it "Kaminsky's Law" out of Solidarity for Dan.
> >
> > All the best,
> >
> > n3td3v
> >
> >
> > ---------- Forwarded message ----------
> > From: <Valdis.Kletnieks@...edu>
> > Date: Thu, Jul 24, 2008 at 5:56 PM
> > Subject: Re: [Full-disclosure] Comments on: DNS exploit code is in the
> > wild
> > To: n3td3v <xploitable@...il.com>
> > Cc: full-disclosure@...ts.grok.org.uk
> >
> >
> > On Thu, 24 Jul 2008 16:17:08 BST, n3td3v said:
> >
> >> This whole HD Moore savior of info sec thing has gone on long enough,
> >> its time to see him for what he is and get him slammed up in jail
> >> along with his counterpart |)ruid.
> >
> > I'll point out that you happen to live in the country that invented the
> > concept of "habeus corpus". In other words, you cant slam him in jail
> > unless you actually *charge* him with something.
> >
> > Please tell us which countr(y|ies) you intend to have him charged, and
> > what
> > offense. Specific references to statutes would be appreciated (for
> > starters,
> > I'll help you out and point out that in the US, he probably could *not*
> be
> > charged under 17 USC 1201 (the DMCA anti-circumvention clause), nor under
> > 18
> > USC 1030 (the primary federal anti-hacking statute), unless you have
> > actual
> > evidence that HD personally hacked into a computer covered by 18 USC
> 1030.
> > You
> > run into similar issue with 18 USC 2701 (access to stored communication).
> >
> > You *might* be able to make a case under 18 USC 2512 (dealing in devices
> > for
> > intercepting communications), except that there's the nasty clause
> > "knowing or
> > having reason to know that the design of such device renders it primarily
> > useful for the purpose of the surreptitious interception of wire, oral,
> or
> > electronic communications;" - and you'd fail on the "primarily" because
> > there's
> > lots of *other* uses for Metasploit.
> >
> > He *is* probably in violation of 36 USC 117, 7 USC 411b, and 26 USC
> > 7523(a)(1),
> > however.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists