Firewall Wizards mailing list archives

RE: Castles and Security (fwd)


From: "daN." <dan () nesmail com>
Date: Wed, 03 Jan 2001 11:11:52 -0800



Right now, we're working in an environment where it's nearly impossible to tell
a "good guy" from a "bad guy".  In fact, a bad guy could probably mount a
credible defense for a while by merely claiming to be a good guy. That's not
possible if the target definition is a bit crisper.
And since we are dealing with an international issue here, whose job is it to decide what is munitions and what is defence? Who is going to enforce it? It's a very idealistic view... unfortunately it won't work.


It's like the whole full disclosure argument. You have several valid points towards not supporting full disclosure, but the most important point is being overlooked. There is no point in making a rule if you cannot punish those who break it. If full disclosure were illegal, lists like Bugtraq would become closed and secret (or move to a country where the law was not enforceable). What would happen if we did not publish exploits in an open medium? We should examine this from three points of view: "whitehat", "blackhat", and "greyhat" (I don't like these terms but I cannot come up with anything more suitable so <shrug>). I feel that if full disclosure were clamped down on, a lot of "upstanding citizens" who are currently being applauded for publishing security issues would overnight turn into criminals in the public eye. There is a great movement towards full disclosure, and as much as you would like to label these people black and white, it's not always so easy to categorize such things. Anyway, the following is what would end up happening...

1. "Whitehat" finds an exploit in software X. They contact the vendor, and maybe mention the issue to a couple of friends. The vendor can take that information, promptly turn out a patch, give credit to the "whitehat" for exposing the security issue, and everyone is happy; or they can take their time, or worse, do nothing at all. If the "whitehat" describes the issue, even in its most general form, on any public forum, a "grey/blackhat" can generally recreate the problem and write their own exploit in hours to days and have it circulating around the massive underground you have created. So the "whitehat" must remain silent, while a potential root exploit sits on hundreds or thousands of machines. What's the solution? Surely not to sue every small/medium company out there that has bugs in their software; you mentioned you yourself found bugs in your code, and I'm sure you, being a security specialist, are more cautious than most.

2. "Blackhat" finds an exploit in software X. They will exploit the hell out of it, like they always have, until either a "whitehat" or "greyhat" finds out about it; then go to 1 or 3. We cannot do anything about this.

3. "Greyhat" finds an exploit in software X. They contact the vendor and share their information, then report the issue to a security list. The security list is now underground, so only other "greyhats" and "blackhats" will be informed of the exploit. This means that "whitehats" and Joe Blow will not know that they are running exploitable services, while the bad guys will... how can this be a good thing?

People know that if they just use a flimsy door handle lock their door is not secure, but still some people decide not to purchase deadbolts and home alarms. They may only have a door handle lock, but at least they were informed, and were given a chance to mitigate their own risks. People must be given a chance to defend their own systems; anything but full disclosure just doesn't work. The only other solution is to have some kind of central worldwide authority to report bugs to. Who would run it? Who would decide who could/couldn't work there? What would stop it from becoming "blackhat" central? You would find that the central authority just wouldn't be used. While things aren't perfect, they are as good as they are going to get with full disclosure; after all, in a perfect world there would be no crime at all. And vendors cannot always be trusted to turn around a fast patch.

mutated.
/mutated () guyofyourdreams com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

