Firewall Wizards mailing list archives
Re: Extreme Hacking
From: Crispin Cowan <crispin () cse ogi edu>
Date: Tue, 06 Jul 1999 20:36:29 -0700
"Craig H. Rowland" wrote:

> I don't think this is totally true. While I routinely tell people it is always easier to break something than to create it, I also know that knowing how to break software makes it easier to design tools that are harder to wreck. The problem is the social reward structure on the Internet is established to give more credit to those who discover problems, not those trying to fix them. It's easy to see what option people tend to choose first when given a choice.

I don't buy that. Breaking things gets you "greetz" and the respect of the hacker community. Developing secure things brings in $. Depends on your personal values :-)

> Déjà vu! I was just having this discussion the other day (Hi Diana)! I think any security company releasing exploit information needs to really consider this as a possibility. IMHO, unless absolute gross negligence is proven on the part of the software development company with respect to the hole, I think most juries would hold the *security company* responsible for damages as a result of their actions. Before the comment comes up, no I don't think buffer overflows and other common problems are *gross* negligence. I consider them industry-wide stupidity for relying on 1960's/1970's languages for 1990's software. We'll save that for another discussion though.

I don't buy that, either. Buffer overflows are gross negligence, and people announcing vulnerabilities (with or without exploits) are just doing a public service. If tort law misguidedly starts assigning liability to the practice of announcing vulnerabilities, then it will just go underground and be announced anonymously. If that practice is broken, then vulnerabilities will go even deeper underground and only the bad guys will know about it.

> The recent disclosure of the eEye IIS 4 hole is a perfect example of litigation waiting to happen against a security company.

eEye/IIS is a perfect example of a large company being whiny and blaming the messenger :-) The only issue here is the pace at which eEye revealed the vulnerability. There is a well-established protocol here:

1. Discoverer notifies the vulnerable product's author/vendor.
2. Give them about a week to provide a satisfying response.
3. If no response is forthcoming, then announce the sploit to force some action.

The only doubt in the eEye/IIS case is whether MS's response was "satisfying." Since I was not party to that conversation, I can't make an informed comment.

> This gets back to the open disclosure discussion, that is another (off topic) subject altogether.

It sounds like precisely the open/full disclosure discussion, but I thought that debate was settled long ago? I'm shocked to find people still disputing full disclosure. Why not argue that the Earth is flat while you're at it?

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/