Firewall Wizards mailing list archives

Re: Extreme Hacking


From: Crispin Cowan <crispin () cse ogi edu>
Date: Tue, 06 Jul 1999 20:36:29 -0700

"Craig H. Rowland" wrote:

> I don't think this is totally true. While I routinely tell people it is
> always easier to break something than to create it, I also know that
> knowing how to break software makes it easier to design tools that are
> harder to wreck. The problem is the social reward structure on the
> Internet is established to give more credit to those who discover
> problems, not those trying to fix them. It's easy to see
> what option people tend to choose first when given a choice.

I don't buy that.  Breaking things gets you "greetz" and the respect of the
hacker community.  Developing secure things brings in $.  Depends on your
personal values :-)


> Déjà vu! I was just having this discussion the other day (Hi Diana)! I
> think any security company releasing exploit information needs to really
> consider this as a possibility. IMHO, unless absolute gross negligence
> is proven on the part of the software development company with respect to
> the hole, I think most juries would hold the *security company*
> responsible for damages as a result of their actions. Before the comment
> comes up, no I don't think buffer overflows and other common problems are
> *gross* negligence. I consider them industry wide stupidity for relying on
> 1960's/1970's languages for 1990's software. We'll save that for another
> discussion though.

I don't buy that, either.  Buffer overflows are gross negligence, and people
announcing vulnerabilities (with or without exploits) are just doing a public
service.  If tort law misguidedly starts assigning liability to the practice
of announcing vulnerabilities, then it will just go underground and be
announced anonymously.  If that practice is broken, then vulnerabilities will
go even deeper underground and only the bad guys will know about it.


> The recent disclosure of the eEye IIS 4 hole is a perfect example of
> litigation waiting to happen against a security company.

eEye/IIS is a perfect example of a large company being whiny and blaming the
messenger :-) The only issue here is the pace at which eEye revealed the
vulnerability.  There is a well-established protocol here:

  1. Discoverer notifies the vulnerable product's author/vendor.
  2. Give them about a week to provide a satisfying response.
  3. If no response is forthcoming, then announce the sploit to force some
     action.

The only doubt in the eEye/IIS case is whether MS's response was
"satisfying."  Since I was not party to that conversation, I can't make an
informed comment.


> This gets back to the open disclosure discussion, that is another
> (off topic) subject altogether.

It sounds like precisely the open/full disclosure discussion, but I thought
that debate was settled long ago?  I'm shocked to find people still disputing
full disclosure.  Why not argue that the Earth is flat while you're at it?

Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/