Full Disclosure mailing list archives

Re: Valid disclosure analogy


From: full-disclosure () lists netsys com (pooh pooh)
Date: Sun, 25 Aug 2002 10:17:51 +0000

You are client of 'bank A'. You find out about a way to break in
'bank A' in a quite complicated and tricky manner, but yet possible.

bank 'A' has one 'copy' whereas a given piece of software has N. the
fact that you can attack/exploit it doesn't automatically give you
the ability to exploit all N copies whereas it does give you the
ability to compromise all accounts in bank 'A'. the fallacy of analogies
at its best. who did you say was the moron again? mind you, Guninski's
wasn't perfect either but at least he doesn't suffer from the attitude
problem you have.

a) Don't do anything: all banks are vulnerable at some point. It's all
  a matter of risk, and keeping it secret is the best way to keep
  the risk at its lowest. Furthermore, the vulnerability does not
  compromise the quality of the service itself;

you must be a 'blackhat', 'cos this one actually looks applicable to
both software and banks. congratulations for spreading the philosophy
of non-disclosure!

b) Your money is at risk: remove it from 'bank A', put it in 'bank B';

what if there is no bank 'B'? am i supposed to create one? preferably in no 
time?

what if bank 'B' does not provide (some of) the services of bank 'A'
which are vital to my own business? am i supposed to create them
myself? will bank 'B' provide me with enough details of her own internal
systems so that i can do it in a reasonable timeframe? will they accept
my changes to their own system?

what if i can't afford switching banks right now? am i supposed to fix
bank 'A'? will they give me enough information to do it? will they
accept my changes?

what if it's not up to me to decide and i can't convince those who can
but don't want to? am i supposed to quit my job? am i supposed to make
the switch to bank 'B' 'behind the scenes' and hope no one will notice
or at least blame me later?

and finally, you still sure your analogy holds between the world of
banks and software? are you living on the moon or something? at least
you've never worked for a real bank if you think you could pull off the
above.

c) Break in 'bank A' and steal other people's money, get plane ticket
  for Bermuda;

the worst part of your analogy as pointed out at the beginning.

d) The evil 'bank A' put people at risk. Regardless of the fact that you
  are not the owner of the bank, nor that you represent the interest
  of each and every one of its clients, take the initiative to inform the
  world of the vulnerability details, how to exploit it, and if
  possible, make a point-and-click robot that breaks into the bank
  and steals money for you, and give a free copy to everyone who wants
  one;

wow, the second best shot, this time against full disclosure!

and while you failed to point out where 'responsible' disclosure would
fit in here, i'll guess that it would be the one that would minimize
the embarrassment for the bank and keep the public in the dark as long as
possible.
