Open Source and information security mailing list archives
Date: Fri, 25 Jul 2008 16:00:22 -0700
From: Adam Chesnutt <icetre@...aristocrats.org>
To: n3td3v <xploitable@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Kaminsky's Law

That's retarded and I can only hope that this idea never turns into a law.

We shouldn't be afraid of information. If the ideas are never disseminated
it doesn't matter; the vulnerabilities still exist.

You're essentially making it illegal to talk about the purple elephant in
the living room, and that in and of itself is CRAZY. Not to mention, this
could be considered free speech and therefore protected by the constitution.

Who did the wrong thing? The security researcher, by finding and
publishing the error?

Or the manufacturer, by producing the error in the first place, and then
covering up, hiding, lying, and generally not taking care of business in
a timely manner?

Needless to say, talk about it or not, there remains a purple elephant
in the living room.

*blindly hits send*

"You can't take away people's right to be assholes..." - Simon Phoenix

n3td3v wrote:
> So what you're saying is HD Moore and |)ruid are exploiting a loophole
> in the law to do what they do... looks like we need to get the
> law tightened.
>
> I say a "Responsible Disclosure Act" is drawn up, and anyone who
> breaks it goes to jail.
>
> That will mean:
>
> - People will think twice before hitting send on blog entries,
>
> - People will think twice about releasing code early,
>
> - That the decided time line for disclosure can be enforced,
>
> - That the people who release information and/or code early, they get
> fined for every computer system compromised because of the
> vulnerability information and/or code disclosure, on top of the jail
> sentence.
>
> So instead, for the future, it's not just a verbal contract for
> responsible disclosure, it's a legally binding contract as well, meaning
> if the Responsible Disclosure Act has been signed by the security
> researcher and its affected vendors, then ass hats like HD Moore and
> |)ruid are breaking the law.
>
> The details are a bit fuzzy right now, but I'm sure the big guys in
> the industry can draw up proper rules for a Responsible Disclosure
> Act.
>
> It's likely the Responsible Disclosure Act would only be used in
> exceptional circumstances like this DNS caching vulnerability, and the
> approval of the act per vulnerability case has to be decided on by a
> judge in a court of law, so that the Responsible Disclosure Act can't
> be overused and abused, to keep the use of the act fair and
> proportional in relation to the level of the threat.
>
> That means Full-Disclosure of vulnerability information and/or code
> wouldn't be illegal all the time, just in exceptional circumstances
> that have to be OK'd by a judge.
>
> This safeguards the deployment of a patch or patches while telling
> the public what the importance of patching is, while disallowing
> security researchers from releasing information and/or code before the
> time line for responsible disclosure.
>
> So the scenario would be,
>
> jake: hey did you hear about the patches being deployed and the news
> reports about the flaw and why the patch is critical?
>
> joe: yes, but the responsible disclosure act has been signed so we
> need to wait until it expires before we can share info.
>
> jake: no way, what's the assigned disclosure date?
>
> joe: the standard 4 weeks, although with the responsible disclosure
> act, after the 4 weeks, the security researcher and vendors can go
> back to the judge to ask for an extra 4 week extension onto that, so
> it could be eight weeks bro before we can become famous for five
> minutes by releasing attack code.
>
> jake: ah, sucks for us, but yeah, if the judge has approved the signing
> there isn't a lot we can do unless we want to be labeled criminals and
> hunted down by Interpol.
>
> What has to be told to the community under the act:
>
> - The community must be told the Responsible Disclosure Act has been
> signed and OK'd by a judge.
>
> - The community must be told the date the Responsible Disclosure Act
> expires and disclosure can be made.
>
> - The community must be told that the security researcher and vendor can
> go back to the judge after 4 weeks and ask for an extension of the act if
> extra time is needed; this must be announced to the community again
> with notice.
>
> All members of the community who break the Responsible Disclosure Act
> are breaking the law and face charges.
>
> Obviously this is just an email I rattled up in five minutes during a
> water machine break, so the big guys in the industry can take these
> ideas and throw them into a properly put together act.
>
> I think Dan Kaminsky should lobby the industry and the government to
> get something like this drawn up, since he is the one who has inspired
> me to come up with the Responsible Disclosure Act.
>
> I kind of feel sorry for Dan Kaminsky, and that HD Moore and |)ruid
> had to be dick heads about releasing code on purpose against the
> request of Dan Kaminsky, the vendors, and the people who agree with
> responsible disclosure, especially in exceptional circumstances like
> the DNS flaw.
>
> Maybe we should name it "Kaminsky's Law" out of solidarity for Dan.
>
> All the best,
>
> n3td3v
>
>
> ---------- Forwarded message ----------
> From:  <Valdis.Kletnieks@...edu>
> Date: Thu, Jul 24, 2008 at 5:56 PM
> Subject: Re: [Full-disclosure] Comments on: DNS exploit code is in the wild
> To: n3td3v <xploitable@...il.com>
> Cc: full-disclosure@...ts.grok.org.uk
>
>
> On Thu, 24 Jul 2008 16:17:08 BST, n3td3v said:
>
>> This whole HD Moore savior of info sec thing has gone on long enough,
>> its time to see him for what he is and get him slammed up in jail
>> along with his counterpart |)ruid.
>
> I'll point out that you happen to live in the country that invented the
> concept of "habeas corpus".  In other words, you can't slam him in jail
> unless you actually *charge* him with something.
>
> Please tell us in which countr(y|ies) you intend to have him charged, and with what
> offense.  Specific references to statutes would be appreciated (for starters,
> I'll help you out and point out that in the US, he probably could *not* be
> charged under 17 USC 1201 (the DMCA anti-circumvention clause), nor under 18
> USC 1030 (the primary federal anti-hacking statute), unless you have actual
> evidence that HD personally hacked into a computer covered by 18 USC 1030. You
> run into similar issues with 18 USC 2701 (access to stored communications).
>
> You *might* be able to make a case under 18 USC 2512 (dealing in devices for
> intercepting communications), except that there's the nasty clause "knowing or
> having reason to know that the design of such device renders it primarily
> useful for the purpose of the surreptitious interception of wire, oral, or
> electronic communications;" - and you'd fail on the "primarily" because there's
> lots of *other* uses for Metasploit.
>
> He *is* probably in violation of 36 USC 117, 7 USC 411b, and 26 USC 7523(a)(1),
> however.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/