Bugtraq mailing list archives
Re: submission
From: rain forest puppy <rfp () WIRETRIP NET>
Date: Tue, 28 Nov 2000 18:17:09 -0600
Oh boy, here we go. First off, let's start with hellNback's post:

> "There is nothing forcing Georgi or anyone for that matter to follow
> RFPolicy, but the policy is a good idea and is very sound, so why not
> follow it."

I want to make it clear that RFPolicy is not a definitive way to interact with a vendor--it is only one suggested way. There are as many logically sound reasons to not use a policy as there are reasons to use it. Not to mention, someone may choose an alternative policy that better suits their ideals. So I hope the only person who would be ostracized for not following RFPolicy would be me. RFPolicy still has many shortcomings which do not make it perfect; it should be considered best effort.

> "Georgi himself claimed to not be required to work with Microsoft for
> free."

And in various forms this is true. A vendor should be thankful that a researcher took the initiative and provided them with a chance to correct the problem. Granted, a researcher should definitely be willing to help reproduce the problem (particularly after spending time in finding it in the first place), but seriously, who's helping who? I may find a bug, and I may feel like disclosing it to the vendor, but I may not have time to deal with it. So first thing to ask yourself: if a researcher doesn't have time to play 'support' to a vendor on a bug they wandered across (particularly if it was by accident), would they be better off not bothering telling the vendor in the first place? Where is it stated that you *must* assume responsibility for a bug if you report it to a vendor? Then ask yourself: given the fact that the vendor has the original source, wouldn't it suffice to review the suspect code for indications to the problem, rather than having to reliably reproduce it first? Why spend 20 hours trying to reproduce a problem verified with 15 minutes of code review?

> "Could one assume that Georgi is only releasing his vulnerabilities in
> this fashion because Microsoft is a competitor?"

You're assuming Georgi can somehow pay the bills by taking time to support Microsoft in reproducing and fixing their problems. Last I checked Microsoft didn't offer a bounty on found bugs. And Georgi's AOL/Netscape contract now becomes apparently obvious--I'm sure there are a lot of people who would not take the choice of poverty just so they can continue vulnerability research.

> "Why is Georgi only concentrating on Microsoft products?"

There is an unfortunate reality that some people seem not to realize: if a researcher is interested in improving the security of a product, and the company is willing to contract/support/pay/whatever the researcher accordingly for their time, you enter the realm of a business relationship. In that sense, you may be under legal binding (read: NDA) to not disclose vulnerabilities found. Now, is that a conflict of interest? It depends...if your interest is purely full disclosure (which I see as a 'means'), then yes. However, if you're interested in the overall security of the product (the 'end'), then no. And if the vendor is correctly using the researcher's findings to fix the vulnerabilities in their product, it could be a sign of the vendor becoming responsible and approaching security proactively. So it should be considered that Georgi's relationship with AOL/Netscape prevents him from posting vulnerabilities in Netscape. However, if instead those findings are going straight into the vendor for immediate fixing, then that is a good thing.

> "It seems to me that people like Georgi Guninski while they claim to
> support full disclosure obviously support it for reasons other than the
> good of the security community."

Given that disclosure brings the problem to light (albeit full light) so that it can get fixed, what would you prefer: full disclosure or private exploitation? I like to think the former is the preferred route...so rather than targeting Georgi and others who do so, why not expend energy on the individuals who make the latter choice? Be happy that Georgi wears a white hat.

> "A security professional has a responsibility to report issues to
> vendors and to work with vendors to solve them."

Funny, I thought vendors had a professional responsibility to not have those problems in the first place.

> "Georgi, take this message for what it is worth, you are no longer doing
> the security industry a service"

I'm willing to bet you run either Netscape or Internet Explorer in some capacity--therefore, keep in mind, Georgi has done *you* a service by bringing issues in *your* browser to light, so they may be fixed. Or would you rather be vulnerable? Again, full disclosure or private exploitation?

.............................

Moving along to comments by Ryan Russell:

> "...Some Linux vendors jumped the gun"

Another interesting example that I did not fully think about until after a recent get together with Mudge and Weld from @Stake. Given three vendors, each having the same vulnerability, what is the appropriate action if two of the three have fixes, and the third is still months off? Do the two stall and wait for the third? Or do they release their patches anyway? By asking the first two vendors to wait for the third, you are asking those vendors to *knowingly keep their customers vulnerable*. That, in many legal circles, can be seen as a great liability. Is it responsible for the vendor to choose to keep its customers vulnerable? Particularly if the bug is potentially being exploited?

.............................

Looking at Georgi's reply:

> "If I really concentrate on Microsoft's products I suppose I would find
> much more vulnerabilities"

At first, that's a scary thought. But then, who would be better qualified to give a thorough once-over so that, in the long run, IE would be more secure? And because Georgi has a talent at ferreting out those bugs, does that make him obligated to provide charity research? Let alone be publicly slammed because he does as much as he can with the time he can afford to give away?

> "Would you prefer not to post anything to Bugtraq and on my web site?
> Would you feel safer then?"

Which, of course, is what *I'm* scared of. There have been many times I've felt like 'throwing in the towel' because people criticized me for taking time, finding vulnerabilities, and bringing them to light so they can be fixed. Imagine if I did just give it up. Imagine if Georgi does. Keep in mind, regardless of how they go about doing it, our actions do contribute to getting the problem fixed. Granted, there may be more efficient means to do so, but make no mistake, the bug is now on the path to being fixed.

In short, don't blame the messenger. Or in this case, the researcher. Just be happy that the vendor has a chance to see the message, regardless of how it's delivered.

- rain forest puppy