Full Disclosure mailing list archives

RE: it's all about timing (wasn't that a John Denver song?)


From: full-disclosure () lists netsys com (Gibby McCaleb)
Date: Thu, 1 Aug 2002 09:54:05 -0700

I think most everyone on this list will agree with your comments about how
things "should" be disclosed. However, I think those points are moot.

<snip>
i'll say V has all the rights in the
world to sue the crap out of H, and put him(her) in jail for one
thousand years, and i'll applaud that.
</snip>

A thousand-year jail term?  Man, where do you live?  I think you are missing
the issue here.  I don't know the laws specific to where you live (although
they seem harsh.  Have you considered a coup?) but here in the US, I can sue
you because I'm offended by the color of your pants (to be honest, they're
damn ugly, buy some Dockers please).  That is not to say I have a chance of
winning that suit, but I can still sue you.  And again, per my previous
post, I don't think winning a suit is necessarily the issue here either.

Using Snosoft/HP as an example, if HP sues and wins, a dangerous precedent
has been set.  If HP loses, Snosoft will still have spent enough cash and
time trying to defend themselves against a company with much deeper pockets
that it is quite possible that they may not be able to financially recover
from winning the suit, if they even get that far.

Either way, everyone in the security industry, especially security
companies, is going to think twice about publishing a vulnerability in the
future.  That is bad because the people who will know about future
vulnerabilities are the people who don't report them now (i.e. some 12-year-old
kid in Yemen with nothing better to do).  If HP wins, where does it
stop?  If ABC Inc. gets hacked out of existence, can ABC sue SecurityFocus
(Symantec) for archiving all the exploits used to compromise their system?
Don't laugh, it's not that far-fetched.

<snip>
And the solution is so simple: DO NOT publish "zero-day exploits"
</snip>

Wow.  I never thought of that.  (Sorry for the sarcasm.)  You are preaching
to the choir.  I believe most everyone on this list not only agrees with
that principle but practices it as well.  Why Snosoft/HP is so important is
that plenty of time was given to HP to correct the hole.  If HP moves
forward with litigation (win or lose), this may well open a floodgate of
similar actions that could dramatically change how we all do our jobs and
the effectiveness of the current exploit exposure scenario.

So yes, Florin, in a perfect world we'd all release vulnerabilities the
right way and there is a Santa Claus.  However, in the real world, there
will be responsible people and irresponsible people. There will be
responsible people who believe in zero day exposures.  There will be people
who don't own computers and collect cans from my recycling bins.  There is
no way to enforce any exposure rules so we all have to keep on doing what
we're doing and hope that the "bad" people don't screw it up for the rest of
us.

However, I do believe that we should explore ways to "pressure" HP into
backing off as a previous post mentioned.  Send a polite email.  If you are
at a company and have some purchasing power, tell your HP sales rep that you
are so concerned over this matter that you're flying to Austin to meet with
Dell (let me know when you're going.  I know some good bars on 6th street).

Open to suggestions.  I'd like to take this opportunity to apologize for my
annoying sense of humor.


Gibby McCaleb

_______________________________________________

"When the going gets weird, the weird turn pro."

Hunter S. Thompson
_______________________________________________