Re: Re: "responsible disclosure" explanation

["Daniel H. Renner" <dan () losangelescomputerhelp com>]

I have only one thing to say to you Jason:

Rock on!!!

(Or Rant and Grumble on - as you wish.)

No, explanations as to my opinions regarding Windows vulnerabilities
need be spouted here...

And I hope you are always successfull in teaching those that need it.


:-)
Dan


On Tue, 2005-08-09 at 07:43 +0100,
full-disclosure-request () lists grok org uk wrote:
> Date: Mon, 08 Aug 2005 17:51:18 -1000
> From: Jason Coombs <jasonc () science org>
> Subject: Re: [Full-disclosure] "responsible disclosure" explanation
> To: full-disclosure () lists grok org uk
> Message-ID: <42F82836.4030101 () science org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> "responsible disclosure" causes serious harm to people. It is no 
> different than being an accessory to the intentional destruction of 
> innocent lives.
>
> Anyone who believes that "responsible disclosure" is a good thing
> needs 
> to volunteer their time to teach law enforcement, judges,
> prosecutors, 
> and attorneys that the consequence of everyone communicating with 
> everyone else online is that some people use secret knowledge of 
> security vulnerabilities to ruin other people's lives or commit
> crimes 
> by hijacking innocent persons' vulnerable computers.
>
> Some of you may know that I work as an expert witness in civil and 
> criminal court cases that involve computer forensics, information 
> security, and electronic evidence.
>
> I just received a phone call from a member of the armed services in
> the 
> U.S. who is being court martialed for possession of computerized
> child 
> pornography.
>
> This happens every day in courtrooms throughout the world.
>
> On a regular basis somebody accused of this crime finds me and asks
> for 
> my help explaining that a third-party could have been responsible for 
> the crime. In every case the prosecution is alleging that the
> computer 
> forensics prove beyond a reasonable doubt that the defendant is
> guilty 
> of the crime because it was their Windows computer that was used to 
> commit it.
>
> Often, some incompetent computer forensics professional will have 
> already done work on behalf of the defense and authored a report of 
> their own. These reports read like those authored by the
> prosecution's 
> computer forensic examiners, they list the contents of the hard
> drive, 
> itemize entries from Internet Explorer history files and explain that 
> some "deleted" files were recovered that further incriminate.
>
> So you tell me, those of you who believe that "responsible
> disclosure" 
> is a good thing, how can you justify holding back any detail of the 
> security vulnerabilities that are being used against innocent
> victims, 
> when the court system that you refuse to learn anything about is 
> systematically chewing up and spitting out innocent people who are 
> accused of crimes solely because the prosecution, the judge, the 
> forensic examiners, investigators, and countless "computer people"
> think 
> it is unrealistic for a third-party to have been responsible for the 
> actions that a defendant's computer hard drive clearly convicts them
> of?
>
> You cannot withhold the details of security vulnerabilities or you 
> guarantee that victims of those vulnerabilities will suffer far worse 
> than the minor inconvenience that a few companies encounter when they 
> have no choice but to pull the plug on their computer network for the 
> day in order to patch vulnerabilities that they could otherwise
> ignore 
> for a while longer.
>
> "Responsible disclosure" is malicious. Plain and simple, it is wrong.
>
> "Responsible disclosure" ensures that ignorance persists, and there
> is 
> no doubt whatsoever that ignorance is the enemy.
>
> Therefore, supporters of "responsible disclosure" are the source of
> the 
> enemy and you must be destroyed. Hopefully some patriotic hacker will 
> break into your computers and plant evidence that proves you are
> guilty 
> of some horrific crime against children. Then you will see how nice
> it 
> is that all those "responsible" people kept hidden the details that
> you 
> needed to prevent your own conviction on the charges brought against
> you 
> by the prosecution.
>
> How can "responsible" people be so maliciously stupid and ignorant?
>
> Please, somebody tell me that I'm not the only one inviting judges to 
> phone me at 2am so that I can teach them a little about why a Windows 
> 2000 computer connected to broadband Internet and powered-on 24/7
> while 
> a member of the armed forces is at work defending the nation could in 
> fact have easily been compromised by an intruder and used to swap
> warez, 
> pirated films and music, and kiddie porn without the service member's 
> knowledge.
>
> How can trained "computer forensics" professionals from the DCFL and 
> private industry author reports that fail to explain information 
> security? The answer is that the people who teach computer forensics 
> don't understand information security. It is not "responsible" to 
> suppress knowledge of security vulnerabilities that impact ordinary 
> people. Suppress security vulnerability knowledge that impacts only 
> military computer systems, but don't suppress security vulnerability 
> knowledge that impacts computer systems owned and operated by
> ordinary 
> people; for doing so ruins lives and you, the suppressing agent, are
> to 
> blame for it moreso than anyone else.
>
> Grr. Rant. Rant. Grumble.
>
> Sincerely,
>
> Jason Coombs
> jasonc () science org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/