Re: Valid disclosure analogy

[full-disclosure () lists netsys com (Defender Defender)]

> yup. maybe as a hacker you should really pay attention to the details 
> please! to quote my own words: "...it doesn't automatically give you the 
> ability to exploit...". do you see the difference between
> 'exploitability' and 'having the ability to exploit'? no?

Maybe I speak english like shit. Still, I see 'ability' in 'exploitability'. 
Don't you?

And yes, before you go there (you have this tendency of going at funny 
places), 'ability' being mentioned implies someone 'have' it.

Therefore, 'exploitability' implies someone 'having ability to exploit'

> ever heard of closed networks (having a piece of those N copies)? >places 
> you don't get your foot inside unless you work for them? of course, i must 
> be kidding on this one!

Feeww, I hoped so. For a moment I thought you were saying that hackers dont 
work. ;)

> > Blackhat?! Where did I talk of hacking here?
>
> ah, not again these silly definition wars. hackers hack, period, as
> someone else put it already. if you write exploits and compromise
> systems, you hack (if you get busted, you'll go on CNN as a 'hacker'). and 
> keeping secret a discovered vulnerability is exactly what blackhats 
> (self-defined or not, i don't care) promote. if you don't understand it, 
> read the earlier mails on this list.

So you basically say that people who do not release vulnerability 
information in order not to raise the risk are criminals and do this because 
they want to hack?

> > Then the fact that there is "no bank 'B'" available is the real
> > problem, not the fact that bank 'A' is vulnerable.
>
> says who (besides you)? what if bank 'A' happens to be your country's 
> 'national bank'? by definition, there can be only one. and yes, it is a 
> real problem when someone figures out that they're vulnerable.

Then report to your government. If the government doesnt want to act, switch 
your vote.

You live in a democracy. You cannot take decision on behalf of everyone 
else. Same as for free market: freedom of others is defined by the limits of 
your own. It sucks to know that your voice is not heard, that you have no 
impact, that you are not alone. But that's how society works.

And yes, government not only have banks, but also use software. And same 
path should be followed for a software vulnerability.

> > 1) You do have time (thankfully) given the vulnerability(ies) have not yet 
> > been disclosed. Obviously, this solution path would imply that 
> > non-disclosure not only is voluntary, but also enforced (through
> > law, for exemple).
>
> you must be kidding. do you know what it takes to create a bank? well, ok, 
> i don't blame you, there're no banks on the moon, so why would you know 
> better. here on earth, it takes a bit more than 'time'. especially when 
> it's something like a 'national bank' or 'world bank'.
>
> besides, why would i have the time? what would make me feel sure about
> that noone else has discovered the same problem (or will, while i'm
> working on establishing my little pet bank, donations are being accepted 
> btw, i'm a bit short on cash these days)?

I repeat: "Obviously, this solution path would imply that non-disclosure not 
only is voluntary, but also enforced (through law, for exemple)."

Please read what I write or dont make me waste my time.

> > 2) Yes, starting your own service is the legitimate way of solving the 
> > problem (not putting gun on most popular bank CEO head so he fixes the 
> > problems in his bank security).
>
> great, now we're getting down to black&white solutions. so telling the bank 
> without the gun episode is no longer an option (let alone
> legitimate)?

"You are client of 'bank A'. You find out about a way to break in 'bank A' 
in a quite complicated and tricky manner, but yet possible. You inform 'bank 
A', but no answer! What to do?"

Again, please read what I write...

> and you seriously believe that there's a place for a new bank/service each 
> time someone finds a problem in bank 'A'? something tells me that your 
> suggestion is not scalable, at least here >in the real world.

You have no other right. This is the limit of your freedom. Its called free 
market. If you are unable to do it because you lack the skills, capital, or 
other, then welcome to the real world. Tons of other similar problems exist, 
on their way to being fixed. Fact that a vendor does not offer a product 
with the security level you want does not allow you to put everyone at risk 
of being hacked.

A good way to fixing this would be to make capital more easily accessible 
(or better, make it free). And that would not only fix security problems, by 
the way.

> > This is most likely to be the case. Security comes at a cost. Welcome to 
> > the real world! Maybe you understand now why microsoft >>software is 
> > "full" of bugs.
>
> i'm not sure that *you* understand why software has bugs and why MS is so 
> 'full' of them. if it was a matter of paying that 'cost', MS would 
> definitely have the money or whatever else it takes. the problem is that 
> 'security' as a human concept appears as 'chaotic' or of 'fractal' nature 
> when it is mapped onto the digital world. simply put, we don't have a way 
> to *define* security. we can give examples of situations at most and they 
> all come with the exceptions - something similar to when you try to cover 
> the mandelbrot set with a finite number of circles or squares, there's just 
> no perfect coverage, you either cover too much or miss something here and 
> there (this holds >true for many other concepts, not only security of 
> course). this is not to say that MS cannot do better, but they (or anyone 
> else) cannot >do a perfect job, regardless of 'cost'.

Once again, you divert the discussion from its real topic. We dont talk of 
doing a 'perfect job' here, which is, very true, impossible. And that is 
even a better reason of not doing it. We talk of doing a job that would cost 
more and return less than developing new software, promoting it, paying back 
dividends to shareholders, etc.

Security doesnt pay enough yet. People prefer features, availability and 
support to security, and you have IN NO WAY the right to force them to 
change their priorities by 'forcing them'. If they get hacked, they will 
change. Otherwise, dont push things.

> > Once again, the only legitimate way you can intervene is by starting your 
> > own service or product line. You cannot force a vendor to do anything 
> > against his will (regarding quality of his product), >>even if you are his 
> > client. That's why its called a *free* market.
>
> bullshit. first, it's not a free market in many situations (MS has been
> declared a monopoly, maybe the news hasn't hit the moon yet).

Still free market. You dont have linux on earth?

> second, ever heard of organizations that oversee a given market (for 
> > compliance with various regulations, including safety/quality/whatnot)? 
> you think they are not legitimate?

First, such organizations are put in place by your govt., whose authority 
has been given by your people, same authority that allows it to define with 
is 'legitimate' and what is not. It is not your own initiative to force 
vendor X or Y to fix their product. It is the initiative of the state. True, 
it is an exception to free market, but triggered by the will of your people, 
not yours only.

Also, I do not believe such organizations use methods such as provoking 
incidents to dissuade consumers from buying unsafe products.

Quite the opposite. A regulating body is a good way of prohibiting insecure 
products without exposing clients to useless risk, like you do when 
disclosing a bug.

Why dont you tell your reprentent about it?

> also, even when it's a free market, the cost of entry is often prohibitive 
> (how much is it in the US to establish a bank?).

Very expensive. Read what I said previously regarding the true problem is 
freedom of capital.

Fortunately starting your own secure open source operating system is not as 
hard (but hey, I wont contest my own analogy, and I stand by your argument 
on that fact).

> > If the bank wants to. Again, free market. Vendor is free to define its
> > offer, you are free to define your demands!
>
> bullshit. a bank will *never* provide you with such info. don't trust me on 
> this, go call yours and ask them.

Why you say bullshit? You mean its not up to them?

> > will they accept my changes to their own system?
> > Why would they? I dunno, ask them! ;)
>
> exactly, they would probably never take an outsider's advice at face
> value. which is absolutely different from the software world where you can 
> even fix a bug and distribute it yourself. i'm afraid, your banking analogy 
> still stinks.

No. I doubt you can 'fix a bug' in oracle or windows and distribute it 
without breaking law. As for making a binary patch, I have yet to see any 
poster on this mailing list do it ;)

And microsoft rarely take outsider advice at face value. Thus why so many 
ppl disclose their bugs in order to 'force them to fix'.

Exactly same as bank, again.

> > Then switch later. This would be a good reason not to disclose now,
> > given it would put you at risk between the moment of the disclosure, and 
> > the moment the vendor (or bank) fixes its vulnerability.
>
> right, we're back to non-disclosure. and since no bug hunter can ever know 
> if there might be *other* clients/users in this situation, >this would mean 
> that no bug should ever be disclosed.

Maybe you misunderstand me. Option (b) was option of non-disclosure, that 
was the very point.

> which happens to be what 'blackhats' have also been saying all the time.

Back with your blackhats? Hrrrmmm...

> > Send them your resume, they might want to hire you for it. Otherwise, I 
> > dont see how you could (and should) fix their product.
>
> i'm sorry to disappoint you, but this is not how banks work. especially
> not their security staff. which i'm not sure is true for the software world 
> (how did ISS/NAI/etc hire their people?).

Who cares if the bank would hire you or not. I say its up to them. You still 
dont understand that? You still dont understand other people have freedom 
and rights also?

And guess what... same goes for software vendors.

> also, the fact that one cannot/should not fix a bank's security >problem is 
> in stark contrast to what he can do in the software world, you've just 
> proved your banking analogy again incomplete.

Read what I previously said regarding right to change software code and 
current availability of binary patches upon disclosure of a bug. It would be 
funny to see any bugtraqer actually *fix* bugs instead of disclosing them.

> > Probably not, for good reasons ;)
> > At least I hope for their own security they do not accept changes from 
> > external people...
>
> me too, for that matter. which is not how the software world works where 
> you can often fix the problem at the source yourself. again, the banking 
> world is the wrong analogy.

Not that much. Software packages have *often* been backdoored because of lax 
access control to source. Banking people are just more intelligent and 
understand that you cannot just let anyone temper with your product.

> > am i supposed to quit my job?
> > Why? They pay you bad?
>
> no, but i can no longer do it *and* be responsible (since i know that bank 
> 'A' has a problem waiting to be exploited and i did not manage to save our 
> assets in time).

You are no more responsible. You did your job.

> > If not your job, then no.
>
> that's a great advice thanks. next time we have our money in the same bank 
> and someone gets all of it by abusing a security problem, i'm sure you will 
> thank me a thousand times that i kept silent all that time.

If you open your mouth and someone gets it by abusing the security problem, 
it will not be thanks that you will get from me.

> > If your job, then do it 'on the scene', and take promotion when
> > bank 'B' is hacked.
>
> you mean bank 'A'. and no, i cannot do it, as the preposition said that i'd 
> failed to convince those who could have decided. i don't see what else what 
> one could besides resigning.

You did your job, you are well paid, its not your responsability, and you 
want to resign? funny.

> > Well, I did answer, haven't I?
> > And yes, I would have answered the same if we had been talking of a 
> > software vendor.
>
> yes, you did answer and pretty much every argument of yours has been
> shown to support to exact opposite, that is the banking world is the
> wrong analogy. if you still think it's not, prove it.

Only think you get to show is your stupidity

> > Revisit analogy: autohack all openssh vX.X and mass-own the world
> > thanks to duke and his ISS sponsor. Yes, the bug was (somehow)
> > reproduced in all the copies, what a coincidence. ;)
>
> not all the copies. i know of a dozen at least that have never been
> exploited. not too surprising as the machines have never been attached to 
> public networks, but i'm sure many more copies on the internet have been 
> left alone too. let me guess, next time you will revisit the definition of 
> 'all' to fit your purposes.

I did not say all were compromised. I said all could be compromised.
I think you are intelligent enough to understand that.

> > Disclosure is disclosure. It fits in my toilet, that where it fits.
>
> then what was the point of attacking Guninski's analogy?

I cannot see what more I can do at this point to make you understand what I 
write.






_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx