Full Disclosure mailing list archives

Re: Valid disclosure analogy


From: full-disclosure () lists netsys com (pooh pooh)
Date: Mon, 26 Aug 2002 00:28:31 +0000

foreword: i'm going to reply only to stuff that's got something to do
with your (failed) analogy of the banking/software world. at various
places you're going off on a tangent about assuming my view on
disclosure and other stuff - that's irrelevant and besides you could
not possibly know.

> Maybe I speak english like shit. Still, I see 'ability' in
> 'exploitability'. Don't you?

sure i do. and? 'ability' as in 'your ability to exploit' and
'exploitability' as in 'the given bug in the given running instance
of the software can be exploited'? see the difference? it's the subject
that's different. and one 'ability' does not imply the other.

> And yes, before you go there (you have this tendency of going at funny
> places), 'ability' being mentioned implies someone 'has' it.

maybe, maybe not, i won't think too hard for now to refute that above.
just say that the two abilities were referring to different subjects.

> Therefore, 'exploitability' implies someone 'having ability to exploit'

ok, i admit to being a non-native english speaker so let me explain it
slowly. the fact that you have an exploit in your hands does not mean
that you can exploit all running instances of the given piece of
software. this is because you may not have (and as a matter of fact,
you most certainly do not) access to all of them. understood? but hey,
we can stop this silly game and you can prove me wrong right here and
now: there is this little machine in the corner running a vulnerable
version of whatever you want - without public network access. leave me
a message there (if you 'have the ability' that is) and i'll bow to your
language skills (not to mention the hacking ones).

> So you basically say that people who do not release vulnerability
> information in order not to raise the risk are criminals and do this
> because they want to hack?

i'm not saying anything pro or contra, just referring to what others
have said before. besides i don't see how you drew the above conclusion
from what i said. in particular, where did i say hacker (who compromises
systems) = criminal? tell that to the spooks of .au and they will have
a good laugh. as would many others (internal pentesters of a company,
more spooks, etc). they all can have their 0-day and use them to
compromise systems and be called hackers and not be criminals.

> Then report to your government. If the government doesn't want to act,
> switch your vote.

great advice except i don't see the analogy in the software world
(which is the whole point of your exercise of course, or so i thought).
who is my 'software government'? since when do i get to vote for them?
oh, and where is the 'country'?

> You live in a democracy. You cannot take decisions on behalf of
> everyone else. Same as for free market: freedom of others is defined
> by the limits of your own. It sucks to know that your voice is not
> heard, that you have no impact, that you are not alone. But that's
> how society works.

and this has what to do with your analogy between the banking world
and the software one? besides, what do elected leaders do in a
democracy? i thought they took decisions on behalf of everyone else.

> And yes, governments not only have banks, but also use software. And
> the same path should be followed for a software vulnerability.

which is? your post listed options, it didn't say which one you
preferred.

> I repeat: "Obviously, this solution path would imply that non-disclosure
> not only is voluntary, but also enforced (through law, for
> example)."
> Please read what I write or don't make me waste my time.

and? why would the enforcement of non-disclosure ensure that others who
have also discovered the problem are not going to actually exploit it
(or had done so already)? you still haven't shown why i would have all
the time to take action (to found a bank).

> "You are client of 'bank A'. You find out about a way to break
> in 'bank A' in a quite complicated and tricky manner, but yet
> possible. You inform 'bank A', but no answer! What to do?"
>
> Again, please read what I write...

i did. you also said: "starting your own service is the legitimate way of 
solving the problem" implying that the others are not. do you
understand the difference between the various articles ('the' vs 'a')?

>> bullshit. a bank will *never* provide you with such info. don't trust
>> me on this, go call yours and ask them.
>
> Why do you say bullshit? You mean it's not up to them?

it's not only not up to them, it's what i said: they will never give you
that info (there are regulations they have to follow). and your freedom
here, freedom there argument was bullshit 'cos you can't possibly not
be aware of this. if you seriously believe that in this case there is
freedom (in what info the bank can offer about its own internal
security system), then you are living on the moon or are just naive.

> No. I doubt you can 'fix a bug' in oracle or windows and distribute it
> without breaking law. As for making a binary patch, I have yet to see any
> poster on this mailing list do it ;)

did i say that one could fix *all* bugs? i just stated that you could
even fix them, as the case may be. and whether you doubt it or not,
there are bugs fixed in binaries, i think a few weeks ago someone posted
one on bugtraq, impatch.zip or something like that, against IMail 7.11.
and i doubt you can generalize about 'breaking the law', every country
is different, a patch is at most against the license which may or may
not be legal/enforceable in a given country.

> And microsoft rarely take outsider advice at face value. That's why so
> many people disclose their bugs in order to 'force them to fix'.
> Exactly same as bank, again.

wrong, MS is not the sole software company on the planet, and definitely
not the only one having bugs in their software. maybe read through some
posts about bugs in 'open source' software and see if some of them came
with patches from the discoverer. you might be surprised. so yes, in the
software world patches from 'outsiders' do happen totally unlike in the
bank world.

> Maybe you misunderstand me. Option (b) was option of non-disclosure,
> that was the very point.

i understand the points, but i don't understand which one you're
promoting yourself. remember that the whole 'debate' started when you
attacked Guninski's analogy and wanted to provide your own - supposedly
to support the responsible disclosure argument as he was attacking it.
if i'm misunderstanding something then it's because i failed to figure
out the whole point behind your posts. maybe time to establish it?

> Who cares if the bank would hire you or not. I say it's up to them. You
> still don't understand that? You still don't understand other people
> have freedom and rights also?
> And guess what... same goes for software vendors.

no, you don't understand what i said. banks would never hire you (the
bug hunter) to fix their security problem, there is exactly 0 freedom
of choice for them (if you don't believe me, just call up your bank
and ask around). now software companies are a completely different
matter in that they do have the choice and they do hire people like
that.

> Read what I previously said regarding right to change software code
> and current availability of binary patches upon disclosure of a bug.
> It would be funny to see any bugtraqer actually *fix* bugs instead of
> disclosing them.

http://archives.neohapsis.com/archives/bugtraq/2002-07/0326.html

boy, do i have that smile on my face ;-).

> If you open your mouth and someone gets it by abusing the security
> problem, it will not be thanks that you will get from me.

and if i don't (notice what i wrote: "that i kept silent all that
time")? looks like your non-disclosure argument didn't quite work out,
did it ;-).

> You did your job, you are well paid, it's not your responsibility, and
> you want to resign? funny.

ok, you lost me somewhere on this thread, in that example i was
supposedly in the position to ensure that the company assets were in
'good hands' - if i can no longer guarantee that, i can no longer do
my job.

> I did not say all were compromised. I said all could be compromised.
> I think you are intelligent enough to understand that.

you did? where can i find the words 'could' or 'can' in:

Revisit analogy: autohack all openssh vX.X and mass-own the world
thanks to duke and his ISS sponsor. Yes, the bug was (somehow)
reproduced in all the copies, what a coincidence. ;)

to me 'mass-own' and 'was reproduced' imply not ability but actual
actions. but hey, i speak shit english too not to mention the lack of
intelligence.

