Full Disclosure mailing list archives

Re: No Subject (re: openssh exploit code?)


From: mitch_hurrison () ziplip com
Date: Tue, 21 Oct 2003 11:17:11 -0700 (PDT)

Hi Jason,

First of all, thanks for taking the time to write a well thought
out response to my views and my statements. 

Now let's get to it.

That having been said, your conclusions are wrong. In part this 
is caused by a simple slip of logic and perhaps a flawed 
understanding of statistics.

Slip of moral, perhaps. Slip of logic? No. I contend that
it is neither my obligation nor my duty to share my findings
with the public in general. Although I can appreciate your
views on being, in essence, the heroic whistleblower I believe
that information is not a public commodity. I realise this
is an unpopular view, but I also feel this is a view more
in line with our times. I am not anyone's saviour, nor
do I wish to be.

... <snip> ...
We also know that it doesn't happen in practice, despite 
your fear that it will and the exploit will be to blame. 
Are we simply *lucky* that this has not happened to date 
with a widely-successful worm? (recall the many varieties 
of virii that do destroy the infected host, but which 
do not spread and execute automatically)

You'll have to agree with me that taking the timeline of
the internet as a historical basis for the statistical
analysis of the events you describe is somewhat bogus. 
With the unrelenting growth of the internet it becomes
a subject that never has a comparative state. As such
you get down to a level of comparing apples to pears.
You can't draw any valid definitive conclusions of what
will happen in the future of the internet based on what
has happened in the past. Ergo your argumentation is
fundamentally flawed.

But what you're saying is that you will be one of those 
people who come to my house carrying your pitch fork, your 
hangman's noose, and your torch, chanting something dreadful 
along with the rest of the mob, when the exploit code I 
release gets picked up by somebody and incorporated into the
malware that exposes the utterly insane and misguided reliance
upon unprotected, unprotectable software-based programmable
computers throughout the civilized world for elements of 
critical infrastructure.

That's a bit of hyperbole my friend. What I'm saying is I'm 
one of those people that will look at that mob, shake his head
and mutter "it didn't have to come to this". Actions have 
consequences and just as much as you believe I'm responsible for
the results of not blowing the whistle, I believe you're responsible
for the results of blowing the whistle whilst holding up a sign
that says "here's some weaponry you can use to further destabilize
the world". 

What you're saying is that you will blame me, not the company
that refused to cut into their profits by installing redundant
failsafes.

What you're saying is that you will convict me and sentence me
because my thoughts, disclosed publicly, were used by somebody
else to create a tool that caused your pretty little house of
cards to collapse around you.

What I'm saying is that yes I will blame you. For providing the
murder weapon, I will call you an accomplice to that very murder.
There's an inherent difference between disclosing thoughts and
providing weaponry. And whilst I hesitate to follow you in a rather
irrelevant metaphor, if that house of cards was providing shelter
to a lot of people, then yes, I will hold you responsible and 
accountable.

You *should* ... <snip> ...

Here's where you're mistaken. I should do these things based on
your ethics, morals or whatever name you wish to file your
info-sec commandments under. You are assuming I share your
views or at least should share your views.

Bringing the entire argument down to the level of "I'm right and
you're wrong". I realise when I'm voicing my opinion on the matter
I'm doing the very same thing. But I support this opinion
with sound reasoning. My main point being there is simply no
need for the disclosure of exploits. 

This all comes back to the simple viewpoint of not looking at 
exploits and the research involved as a public commodity. Your
main grievance is that the information should be accessible? How
is it not accessible. I'm not particularly intelligent nor do
I have special powers that bestow me with super exploit writing
skills. Anyone can do similar research in an independent manner
if they wish to do so. Now you put forward that the uninformed
have a right to know? Bullshit I say. I put to you that the
uninformed have an obligation to get informed. Spoonfeeding people
exploits and research is creating a lax mentality in which 
people take exploit research for granted and creativity is 
smothered. 

I am not your saviour, I am not your friend, I am not your fucking
exploit writing tool.

With regards,
Mitch


-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: Tuesday, October 21, 2003, 10:25 AM
To: "mitch_hurrison () ziplip com" <mitch_hurrison () ziplip com>
Cc: Paul Schmehl <pauls () utdallas edu>, full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] No Subject (re: openssh exploit code?)

Aloha, Mitch.

Your essay on the immorality of releasing exploit code was very well 
thought out, and I commend you for it and for standing up for something 
that you believe in -- particularly in a venue that is openly hostile to 
your viewpoint.

That having been said, your conclusions are wrong. In part this is 
caused by a simple slip of logic and perhaps a flawed understanding of 
statistics.

We know beyond much doubt that virtually every computer in existence 
today can be owned. We know that worms can spread quickly through 
computer networks. We also know that a worm that immediately destroys 
its host doesn't get a chance to replicate. We know that worms could be 
designed to delay destruction of hosts, essentially dropping a Trojan 
with a time bomb inside. We know that the release of exploit code for a 
remote exploitable vulnerability in network service code makes it next 
to trivial for most script kiddies to tool up precisely this sort of 
hybrid attack. We also know that it doesn't happen in practice, despite 
your fear that it will and the exploit will be to blame. Are we simply 
*lucky* that this has not happened to date with a widely-successful 
worm? (recall the many varieties of virii that do destroy the infected 
host, but which do not spread and execute automatically)

Perhaps we have been lucky. Perhaps you are correct that we will not 
always be so. However, you must reconsider your assessment of the damage 
that will be done in the real world when the killer worm Trojan time 
bomb does get released because we know from past worms that nowhere near 
every vulnerable box gets owned by the beast, and we know that not all 
boxes that are thought to be vulnerable actually end up being vulnerable 
for one reason or another. A loss, and I mean a complete and 
unrecoverable data loss, of 10% to 20% of the world's computers would 
just not be a very big deal. Some of the more irresponsible companies 
would go out of business, sure. Some people may even die. But people 
die. And companies go out of business. Life goes on for everyone else, 
and the survivors change and adapt. Damage that could have and should 
have been prevented in the first place gets investigated and those 
responsible get sued and maybe, if we're lucky just a little more, they 
get put in jail for a very long time.

But what you're saying is that you will be one of those people who come 
to my house carrying your pitch fork, your hangman's noose, and your 
torch, chanting something dreadful along with the rest of the mob, when 
the exploit code I release gets picked up by somebody and incorporated 
into the malware that exposes the utterly insane and misguided reliance 
upon unprotected, unprotectable software-based programmable computers 
throughout the civilized world for elements of critical infrastructure.

What you're saying is that you will blame me, not the company that 
refused to cut into their profits by installing redundant failsafes.

What you're saying is that you will convict me and sentence me because 
my thoughts, disclosed publicly, were used by somebody else to create a 
tool that caused your pretty little house of cards to collapse around you.

You *should* blame yourself for building houses of cards and calling 
them something that they are not.

You *should* blame yourself for keeping quiet about the true causes of 
the problems that lead to vulnerabilities, because you mistakenly and 
arrogantly believe that your conclusion is the smarter one that results 
in a safer world.

You *should* let go of the burden you feel for keeping the world safe 
from all of your hypothetical threats, because it's not your job and it 
is misguided to believe that such a thing is even possible with you as a 
single point of failure.

You *should* recognize that those elite few who really care about 
security can, will, and *do* pull the network cable out of the back of 
boxes that are believed to be vulnerable to exploits *when* those 
exploits get released. For obvious reasons of practical reality these 
same people do not, in general, pull the plug on systems that they 
*know* to be vulnerable *until* they see conclusive proof that there is 
an immediate risk.

You *should* feel responsible, personally, for every penetration that 
occurs that would have been avoided if you had helped to communicate 
full disclosure with proof of concept exploit code, since only that 
communication has been proven to trigger widespread social response in a 
preventative manner. Advisories that attempt to explain complex 
hypothetical vulnerabilities and recommend an immediate patch just do 
not do the job.

You have an obligation to disclose information in detail that other 
people can use to protect themselves immediately. Your failure to 
disclose this information makes you nothing less than an accomplice 
before the fact to every penetration that occurs in the future when 
somebody else finds the hidden secret and exploits it.

I will continue this discussion with you in greater detail if you wish. 
There is much need for this conversation to recur, because many people 
just like you are still confused about the proper role of an information 
security professional in the security process. Many people are also 
still confused about the obligations that go along with knowledge, 
mistaking those obligations as the same ones that go along with skill 
and ability to take decisive action to contain or prevent imminent 
damage or risk exposure. Knowledge that other people are at risk must be 
disclosed -- and it must be disclosed in full detail and publicly when 
there is no other way to communicate with most (if not all) of those 
people. This is the inherent value of the Public, and you diminish this 
value and reduce its protective power when you presume to know better 
than the Public does what it can and can't cope with being told.

Sincerely,

Jason Coombs
jasonc () science org


mitch_hurrison () ziplip com wrote:
Hi Paul,

Again, what is it about your personality that makes you incapable
of taking part in an adult discussion of responsible disclosure
issues? Is it that anyone who has a different opinion than yours
is automatically not worth your time? That sounds kind of Nazi-like
to me, Mr. Schmehl. 

It's quite saddening to see this list turn into a pack of hungry
salivating fools at even a hint of an exploit for this issue. You
seem to have more of a hardon for the "juarez" than any "kiddie"
I've ever met. Even when trying to debate some of the issues
surrounding the disclosure of such a potentially devastating
exploit all one gets is "yeah, yeah. Now make with the warez".

As far as it being "easy" to exploit. No it isn't. You have to
abuse a lesser issue, a memory leak to be more precise, to get
a heap layout that will allow you to survive the initial memset
without landing in bad memory. Now without going into details
anyone who manages to survive the initial memset should be able
to debug the crash to the point of exploitation. This is manageable
on at least Linux IA32 systems. 

Now I'll try and bring my original point forward one last time,
although I fear it will just call for more immature commentary
from the likes of Paul Schmehl.

There is no need for anyone to release this exploit. It will change
nothing about the fact that you need to upgrade your daemons. It
will change nothing about the bugdetails already published. There
is no reasoning for it other than "but I want to learn how to do it".
And sorry but that's just not good enough to warrant the mayhem that
will ensue when an exploit like this is released. So if you in
your academic pursuits decide to tackle this problem. By all means
go right ahead. But I think anyone who's discovered the real impact
of this bug will realise that disclosing the exploit to the 
general public is highly irresponsible. 

Now on a larger scale, I think it's rather foolish to cop an attitude
that assumes anything that doesn't exist in the public eye isn't
possible. It reeks of the same arrogance I'm accused of. Is it 
arrogant to step forward to try and explain why no one who managed
to exploit ossh is willing to step forward? Maybe it is. 

Fact remains that exploiting this issue requires creativity beyond
the pre-chewed papers. And that's why you're not seeing the regular
array of mediocre "hackers" producing exploit code. I'd like to
think that anyone who was capable of writing this exploit also
recognises the potential impact of releasing it.

So instead of trying to poke fun at me Paul, why don't you do your
duty as a knight of Full Disclosure and provide the good people
of this list with a definite analysis on the ossh 32k nul heap
munging? (buzzword quota filled).

This is the year 2003. We aren't
the only ones reading these lists people. Do you really want to
be responsible for arming the more hostile elements in the world
with such a tool? I can't stress it enough. No one should release
this exploit. And to be honest in this day and age I think anyone
releasing exploits to the general public is losing sight of a
bigger picture that affects us all. Now I'm not talking about
the Nth trivial snosoft local stack overflow "exploit". I'm talking about
the apaches, the openssh's and the ms rpc's. Time and time
again it's become apparent that full disclosure simply does not
function. And although I realise that there will always be people
supporting full disclosure, I think even with the disclosure of vulnerability
information releasing exploits is something that's not justifiable
in any way.

There is simply no need for exploits, especially not one that would
affect people and nations around the globe. You have to look beyond
your own little egocentric world of friendly exploit dev and "but it's fun",
and take a look at the bigger picture. 

So to you Paul, and to the rest of this list. I say once again
if you can't write the exploit. You don't..need.. the exploit.

With regards,
Mitch



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
