Full Disclosure mailing list archives
Re: No Subject (re: openssh exploit code?)
From: mitch_hurrison () ziplip com
Date: Tue, 21 Oct 2003 11:17:11 -0700 (PDT)
Hi Jason, First of all, thanks for taking the time to write a well thought out response to my views and my statements. Now let's get to it.
That having been said, your conclusions are wrong. In part this is caused by a simple slip of logic and perhaps a flawed understanding of statistics.
Slip of moral, perhaps. Slip of logic? No. I contend that it is neither my obligation nor my duty to share my findings with the public in general. Allthough I can appreciate your views on being, in essence, the heroic whistleblower I believe that information is not a public commodity. I realise this is an unpopular view, but I also feel this is a view more in line with our times. I am not anyone's saviour, nor do I wish to be. ... <snip> ...
We also know that it doesn't happen in practice, despite your fear that it will and the exploit will be to blame. Are we simply *lucky* that this has not happened to date with a widely-successful worm? (recall the many varieties of virii that do destroy the infected host, but which do not spread and execute automatically)
You'll have to agree with me that taking the timeline of the internet as a historical basis for the statistical analysis of the events you describe is somewhat bogus. With the unrelentless growth of the internet it becomes a subject that never has a comparitive state. As such you get down to a level of comparing apples to pears. You can't draw any valid definitive conclusions of what will happen in the future of the internet based on what has happened in the past. Ergo your argumentation is fundamentally flawed.
But what you're saying is that you will be one of those people who come to my house carrying your pitch fork, your hangman's noose, and your torch, chanting something dreadful along with the rest of the mob, when the exploit code I release gets picked up by somebody and incorporated into the malware that exposes the utterly insane and misguided reliance upon unprotected, unprotectable software-based programmable computers throughout the civilized world for elements of critical infrastructure.
That's a bit of a hyperbole my friend. What I'm saying is I'm one of those people that will look at that mob, shake his head and mutter "it didn't have to come to this". Actions have consequences and just as much you believe I'm responsible for the results of not blowing the whistle, I believe you're responsible for the results of blowing the whistle whilst holding up a sign that says "here's some weaponry you can use to further destabilize the world".
What you're saying is that you will blame me, not the company that refused to cut into their profits by installing redundant failsafes. What you're saying is that you will convict me and sentence me because my thoughts, disclosed publicly, were used by somebody else to create a tool that caused your pretty little house of cards to collapse around you
What I'm saying is that yes I will blame you. For providing the murderweapon, I will call you an accomplice to that very murder. There's an inherit difference between disclosing thoughts and providing weaponry. And whilst I hesitate to follow you in a rather irrelevant metaphore, if that house of cards was providing shelter to alot of people. Then yes, I will hold you responsible and accountable.
You *should* ... <snip> ...
Here's where you're mistaken. I should do these things based on your ethics, morals or whatever name you wish to file your info-sec commandments under. You are assuming I share your views or atleast should share your views. Bringing the entire argument down to the level of "I'm right and you're wrong". I realise when I'm voicing my opinion on the matter I'm doing the very same thing. But I support this opinion with sound reasoning. My main point being there is simply no need for the disclosure of exploits. This all comes back to the simple viewpoint of not looking at exploits and the research involved as a public commodity. Your main grievance is that the information should be accessible? How is it not accessible. I'm not particularly intelligent nor do I have special powers that bestow me with super exploit writing skills. Anyone can do similar research in an independent manner if they wish to do so. Now you put forward that the uninformed have a right to know? Bullshit I say. I put to you that the uninformed have an obligation to get informed. Spoonfeeding people exploits and research is creating a lax mentality in which people take exploit research for granted and creativity is smuthered. I am not your saviour, I am not your friend, I am not your fucking exploit writing tool. With regards, Mitch
-----Original Message----- From: Jason Coombs [mailto:jasonc () science org] Sent: Tuesday, October 21, 2003, 10:25 AM To: "mitch_hurrison () ziplip com" <mitch_hurrison () ziplip com> Cc: Paul Schmehl <pauls () utdallas edu>, full-disclosure () lists netsys com Subject: Re: [Full-disclosure] No Subject (re: openssh exploit code?) Aloha, Mitch. Your essay on the immorality of releasing exploit code was very well thought out, and I commend you for it and for standing up for something that you believe in -- particularly in a venue that is openly hostile to your viewpoint. That having been said, your conclusions are wrong. In part this is caused by a simple slip of logic and perhaps a flawed understanding of statistics. We know beyond much doubt that virtually every computer in existence today can be owned. We know that worms can spread quickly through computer networks. We also know that a worm that immediately destroys its host doesn't get a chance to replicate. We know that worms could be designed to delay destruction of hosts, essentially dropping a Trojan with a time bomb inside. We know that the release of exploit code for a remote exploitable vulnerability in network service code makes it next to trivial for most script kiddies to tool up precisely this sort of hybrid attack. We also know that it doesn't happen in practice, despite your fear that it will and the exploit will be to blame. Are we simply *lucky* that this has not happened to date with a widely-successful worm? (recall the many varieties of virii that do destroy the infected host, but which do not spread and execute automatically) Perhaps we have been lucky. Perhaps you are correct that we will not always be so. However, you must reconsider your assessment of the damage that will be done in the real world when the killer worm Trojan time bomb does get released because we know from past worms that nowhere near every vulnerable box gets owned by the beast, and we know that not all boxes that are thought to be vulnerable actually end up being vulnerable for one reason or another. A loss, and I mean a complete and unrecoverable data loss, of 10% to 20% of the world's computers would just not be a very big deal. Some of the more irresponsible companies would go out of business, sure. Some people may even die. But people die. And companies go out of business. Life goes on for everyone else, and the survivors change and adapt. Damage that could have and should have been prevented in the first place gets investigated and those responsible get sued and maybe, if we're lucky just a little more, they get put in jail for a very long time. But what you're saying is that you will be one of those people who come to my house carrying your pitch fork, your hangman's noose, and your torch, chanting something dreadful along with the rest of the mob, when the exploit code I release gets picked up by somebody and incorporated into the malware that exposes the utterly insane and misguided reliance upon unprotected, unprotectable software-based programmable computers throughout the civilized world for elements of critical infrastructure. What you're saying is that you will blame me, not the company that refused to cut into their profits by installing redundant failsafes. What you're saying is that you will convict me and sentence me because my thoughts, disclosed publicly, were used by somebody else to create a tool that caused your pretty little house of cards to collapse around you. You *should* blame yourself for building houses of cards and calling them something that they are not. You *should* blame yourself for keeping quiet about the true causes of the problems that lead to vulnerabilities, because you mistakenly and arrogantly believe that your conclusion is the smarter one that results in a safer world. You *should* let go of the burden you feel for keeping the world safe from all of your hypothetical threats, because it's not your job and it is misguided to believe that such a thing is even possible with you as a single point of failure. You *should* recognize that those elite few who really care about security can, will, and *do* pull the network cable out of the back of boxes that are believed to be vulnerable to exploits *when* those exploits get released. For obvious reasons of practical reality these same people do not, in general, pull the plug on systems that they *know* to be vulnerable *until* they see conclusive proof that there is an immediate risk. You *should* feel responsible, personally, for every penetration that occurs that would have been avoided if you had helped to communicate full disclosure with proof of concept exploit code, since only that communication has been prove to trigger widespread social response in a preventative manner. Advisories that attempt to explain complex hypothetical vulnerabilities and recommend an immediate patch just do not do the job. You have an obligation to disclose information in detail that other people can use to protect themselves immediately. Your failure to disclose this information makes you nothing less than an accomplice before the fact to every penetration that occurs in the future when somebody else finds the hidden secret and exploits it. I will continue this discussion with you in greater detail if you wish. There is much need for this conversation to recur, because many people just like you are still confused about the proper role of an information security professional in the security process. Many people are also still confused about the obligations that go along with knowledge, mistaking those obligations as the same ones that go along with skill and ability to take decisive action to contain or prevent imminent damage or risk exposure. Knowledge that other people are at risk must be disclosed -- and it must be disclosed in full detail and publicly when there is no other way to communicate with most (if not all) of those people. This is the inherent value of the Public, and you diminish this value and reduce its protective power when you presume to know better than the Public does what it can and can't cope with being told. Sincerely, Jason Combs jasonc () science org mitch_hurrison () ziplip com wrote:Hi Paul, Again, what is it about your personality that makes you incapable of taking part in an adult discussion of responsible disclosure issues? Is it that anyone who has a different opinion than yours is automatically not worth your time? That sounds kind of nazi-like to me mr. Schmehl. It's quite saddening to see this list turn into a pack of hungry saliving fools at even a hint of an exploit for this issue. You seem to have more of a hardon for the "juarez" than any "kiddie" I've ever met. Even when trying to debate some of the issues surrounding the disclosure of such a potentially devastating exploit all one gets is "yeah, yeah. Now make with the warez". As far as it being "easy" to exploit. No it isn't. You have to abuse a lesser issue, a memory leak to be more precise, to get a heap layout that will allow you to survive the initial memset without landing in bad memory. Now without going into details anyone who manages to survive the initial memset should be able to debug the crash to the point of exploitation. This is managable on atleast Linux IA32 systems. Now I'll try and bring my original point forward one last time, allthough I fear it will just call for more immature commentary from the likes of Paul Schmehl. There is no need for anyone to release this exploit. It will change nothing about the fact that you need to upgrade your daemons. It will change nothing about the bugdetails already published. There is no reasoning for it other than "but I want to learn how to do it". And sorry but that's just not good enough to warrant the mayhem that will ensue when an exploit like this is released. So if you in your academic pursuits decide to tackle this problem. By all means go right ahead. But I think anyone who's discovered the real impact of this bug will realise that disclosing the exploit to the general public is highly irresponsible. Now on a larger scale, I think it's rather foolish to cop an attitude that assumes anything that doesn't exist in the public eye isn't possible. It reeks of the same arrogance I'm accused off. Is it arrogant to step forward to try and explain why noone who managed to exploit ossh is willing to step forward? Maybe it is. Fact remains that exploiting this issue requires creativity beyond the pre-chewed papers. And that's why you're not seeing the regular array of mediocre "hackers" producing exploit code. I'd like to think that anyone who was capable of writing this exploit also recognises the potential impact of releasing it. So instead of trying to poke fun at me Paul, why don't you do your duty as a knight of Full Disclosure and provide the good people of this list with a definite analysis on the ossh 32k nul heap munging? (buzzword quota filled). This is the year 2003. We aren't the only ones reading these lists people. Do you really want to be responsible for arming the more hostile elements in the world with such a tool? I can't stress it enough. Noone should release this exploit. And to be honoust in this day and age I think anyone releasing exploits to the general public is losing sight of a bigger picture that affects us all. Now I'm not talking about the Nth trivial snosoft local stack overflow "exploit". I'm talking aboutthe apaches, the openssh's and the ms rpc's. Time and timeagain it's become apparent that full disclosure simply does not function. And allthough I realise that there will always be peoplesupportingfull disclosure, I think even with the disclosure of vulnerability information releasing exploits is something that's not justifiable in any way. There is simply no need for exploits, especially not one that would affect people and nations around the globe. You have to look beyond your own little egocentric world of friendly exploit dev and "but it's fun", and take a look at the bigger picture. So to you Paul, and to the rest of this list. I say once again if you can't write the exploit. You don't..need.. the exploit. With regards, Mitch
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: No Subject (re: openssh exploit code?), (continued)
- Re: No Subject (re: openssh exploit code?) Peter Busser (Oct 22)
- RE: No Subject (re: openssh exploit code?) Schmehl, Paul L (Oct 21)
- RE: No Subject (re: openssh exploit code?) Schmehl, Paul L (Oct 21)
- RE: No Subject (re: openssh exploit code?) Brent J. Nordquist (Oct 21)
- RE: No Subject (re: openssh exploit code?) mitch_hurrison (Oct 21)
- RE: No Subject (re: openssh exploit code?) Schmehl, Paul L (Oct 21)
- RE: No Subject (re: openssh exploit code?) Montana Tenor (Oct 21)
- RE: No Subject (re: openssh exploit code?) Ted Unangst (Oct 21)
- Re: No Subject (re: openssh exploit code?) Benjamin Krueger (Oct 21)
- Re: No Subject (re: openssh exploit code?) Shawn McMahon (Oct 22)
- RE: No Subject (re: openssh exploit code?) Montana Tenor (Oct 21)
- Re: No Subject (re: openssh exploit code?) mitch_hurrison (Oct 21)
- Re: No Subject (re: openssh exploit code?) Blue Boar (Oct 21)
- RE: No Subject (re: openssh exploit code?) Bassett, Mark (Oct 21)
- Re: No Subject (re: openssh exploit code?) Richard Massa (Oct 21)
- RE: No Subject (re: openssh exploit code?) Ron DuFresne (Oct 22)
- No Subject (re: openssh exploit code?) mitch_hurrison (Oct 21)
- Re: No Subject (re: openssh exploit code?) Dan Wilder (Oct 21)
- Re: No Subject (re: openssh exploit code?) Helmut Springer (Oct 23)
- RE: No Subject (re: openssh exploit code?) Robert Ahnemann (Oct 21)
- RE: No Subject (re: openssh exploit code?) Robert Ahnemann (Oct 21)
- RE: No Subject (re: openssh exploit code?) Robert Ahnemann (Oct 21)
(Thread continues...)