Full Disclosure mailing list archives

Re: Announcing new security mailing list


From: full-disclosure () lists netsys com (Kurt Seifried)
Date: Thu, 11 Jul 2002 14:15:18 -0600

Perhaps someone can set up full-disclosure-discuss? I thought this list was
for announcements, not the tired/boring/painfully stale "am not" "are so"
arguments. Plus the analogies will start coming out and those really suck.
And then someone will get compared to Hitler and the thread will be closed,
so why not head it off at the pass instead?


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/


----- Original Message -----
From: "Simon Richter" <Simon.Richter () phobos fachschaften tu-muenchen de>
To: "John Cartwright" <johnc () grok org uk>
Cc: <len () netsys com>; <full-disclosure () lists netsys com>
Sent: Thursday, July 11, 2002 2:01 PM
Subject: [Full-disclosure] Re: Announcing new security mailing list


Hi,

> > To me, the term "full disclosure" does not mean "make it available as
> > fast as possible", but rather "here is the information, expect it to
> > leak in the next two weeks, so go out and fix the bug". The current
> > bugtraq scheme enforces that, and I believe they are doing a great job.
>
> We are placing the responsibility with the individual, not with an
> organisation here.

IMHO an organisation has a greater chance of doing things right than a
number of individuals. For example, I do not have a complete list of
Linux/BSD/Unix distributors' security contacts, and I believe many
others out there haven't either, however such a list is vital for vendor
notification.

> What we do not believe in is having a situation where a select few are
> aware of a problem, but 99% of the internet populace are powerless to
> defend against it. We are not saying that the vendor should not be
> informed, we are saying, inform the people and the vendor
> simultaneously.

What do you gain by informing the people? Many people running servers
are unable to disallow mail relaying on their boxes, why do you expect
them to understand how to recompile and reinstall a webserver? Even the
few competent admins who could understand an advisory and fix things by
themselves might like an official update from a distributor, packaged
and ready to install.

> > If we are lucky enough that the vulnerability is spotted by a whitehat,
> > we should not jeopardize the time advantage we have by announcing it
> > publicly.
>
> This situation already occurs. If a researcher leaks information to a
> few 'allies', if a technique is discovered 'in the wild', or if a vendor
> silently fixes unknown problems, then there are those who possess the
> knowledge and those that don't. We are simply providing a forum for
> those who wish to try and balance out this situation.

If some bug is being exploited "in the wild" there is no sense in
holding back information; I believe the bugtraq moderators understand
that (at least they approved postings stating that something was being
exploited already within a few minutes).

> > In short, I think this is a bad idea because it adds confusion for the
> > vulnerability spotters, risks early disclosure before fixes are
> > available and thus harms the users.
>
> Early disclosure is important, IMO, as was proved with the recent
> Apache flaw. I believe there were reports of Gobbles' exploit being
> active in the wild long before the patched packages were available,

Well, I believe this case was a matter of Gobbles' attitude -- they
simply didn't follow the rules by sharing their exploit with other
people before the official release date. There will always be people
like this (=> "instant fame"), and giving them a forum in which they can
publicize their exploits to an even wider audience will not make the
problem go away.

If that happens it is the same thing as with every other exploit being
actively used -- notify everyone instantly, as there is no point in
still holding back information. I believe the bugtraq moderators
understand this, and approve such postings right away.

    Simon

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure
