Re: "responsible disclosure" explanation

[Jason Coombs <jasonc () science org>]

"responsible disclosure" causes serious harm to people. It is no 
different than being an accessory to the intentional destruction of 
innocent lives.

Anyone who believes that "responsible disclosure" is a good thing needs 
to volunteer their time to teach law enforcement, judges, prosecutors, 
and attorneys that the consequence of everyone communicating with 
everyone else online is that some people use secret knowledge of 
security vulnerabilities to ruin other people's lives or commit crimes 
by hijacking innocent persons' vulnerable computers.

Some of you may know that I work as an expert witness in civil and 
criminal court cases that involve computer forensics, information 
security, and electronic evidence.

I just received a phone call from a member of the armed services in the 
U.S. who is being court martialed for possession of computerized child 
pornography.

This happens every day in courtrooms throughout the world.

On a regular basis somebody accused of this crime finds me and asks for 
my help explaining that a third-party could have been responsible for 
the crime. In every case the prosecution is alleging that the computer 
forensics prove beyond a reasonable doubt that the defendant is guilty 
of the crime because it was their Windows computer that was used to 
commit it.

Often, some incompetent computer forensics professional will have 
already done work on behalf of the defense and authored a report of 
their own. These reports read like those authored by the prosecution's 
computer forensic examiners, they list the contents of the hard drive, 
itemize entries from Internet Explorer history files and explain that 
some "deleted" files were recovered that further incriminate.

So you tell me, those of you who believe that "responsible disclosure" 
is a good thing, how can you justify holding back any detail of the 
security vulnerabilities that are being used against innocent victims, 
when the court system that you refuse to learn anything about is 
systematically chewing up and spitting out innocent people who are 
accused of crimes solely because the prosecution, the judge, the 
forensic examiners, investigators, and countless "computer people" think 
it is unrealistic for a third-party to have been responsible for the 
actions that a defendant's computer hard drive clearly convicts them of?

You cannot withhold the details of security vulnerabilities or you 
guarantee that victims of those vulnerabilities will suffer far worse 
than the minor inconvenience that a few companies encounter when they 
have no choice but to pull the plug on their computer network for the 
day in order to patch vulnerabilities that they could otherwise ignore 
for a while longer.

"Responsible disclosure" is malicious. Plain and simple, it is wrong.

"Responsible disclosure" ensures that ignorance persists, and there is 
no doubt whatsoever that ignorance is the enemy.

Therefore, supporters of "responsible disclosure" are the source of the 
enemy and you must be destroyed. Hopefully some patriotic hacker will 
break into your computers and plant evidence that proves you are guilty 
of some horrific crime against children. Then you will see how nice it 
is that all those "responsible" people kept hidden the details that you 
needed to prevent your own conviction on the charges brought against you 
by the prosecution.

How can "responsible" people be so maliciously stupid and ignorant?

Please, somebody tell me that I'm not the only one inviting judges to 
phone me at 2am so that I can teach them a little about why a Windows 
2000 computer connected to broadband Internet and powered-on 24/7 while 
a member of the armed forces is at work defending the nation could in 
fact have easily been compromised by an intruder and used to swap warez, 
pirated films and music, and kiddie porn without the service member's 
knowledge.

How can trained "computer forensics" professionals from the DCFL and 
private industry author reports that fail to explain information 
security? The answer is that the people who teach computer forensics 
don't understand information security. It is not "responsible" to 
suppress knowledge of security vulnerabilities that impact ordinary 
people. Suppress security vulnerability knowledge that impacts only 
military computer systems, but don't suppress security vulnerability 
knowledge that impacts computer systems owned and operated by ordinary 
people; for doing so ruins lives and you, the suppressing agent, are to 
blame for it moreso than anyone else.

Grr. Rant. Rant. Grumble.

Sincerely,

Jason Coombs
jasonc () science org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/