Full Disclosure mailing list archives

Shiver me timbers.


From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Mon, 19 Aug 2002 06:30:03 -0700

On Mon, 19 Aug 2002, Timothy J.Miller wrote:
On the other hand, if your new car spontaneously bursts into flame while
idling at a stop light, don't you have an obligation to tell the
manufacturer *and* as many people with the same model as possible?

        Perhaps. However, the analogy may not be apt. First of all, a car
that bursts into flames idling at a stop light could very likely cause you
to lose your life. I'm not saying that a software vulnerability might not
indirectly cause an injury or death. However, it's not nearly as likely to
as an exploding gas tank. Also, an exploding gas tank is a spontaneous
event which isn't triggered by a premeditated act by another individual
(as exploiting a bug is). The only direct parallel is that the car
manufacturer (i.e., vendor) might have been negligent when engineering and
constructing the tank.
        Secondly, in your analogy the person who points out that the gas
tank tends to explode is a person who found that out from a coincidental
experience, and without any effort or foreknowledge of his own. Ask
yourself if this parallels our situation. Vulnerabilities are not
something that often manifest themselves to people with no technical
knowledge who aren't looking for them. A person with experience and
specific ability is almost always the one to find them. That person, or
someone like him, must use that knowledge to create an exploit, and that's
not something that just anyone can do. It takes both skill and effort.
        I think your analogy would be better if it were adjusted. For
example, maybe something like this would be better. Does a mechanic
(hacker) who finds that a gas tank can be easily rigged to explode have an
obligation to report this finding to a corrupt car company (vendors)?
Should he give an insurance company (whitehats or ARIS) the results of a
painstaking analysis of the tank, and how to rig it to explode? Is he
obligated to give all his research on any related finds away no matter how
much of his time or energy it took? Would it be right if he rigged a
serial killer's tank to explode?

aliver


