Full Disclosure mailing list archives

Re: Kaminsky's Law


From: "TJ" <trejrco () gmail com>
Date: Wed, 6 Aug 2008 07:56:50 -0400

Again, irony abounds ... pushing for a "Responsible Disclosure Act" on a
forum named "Full Disclosure" ... makes me smile.
(Not saying either side is right/wrong, just throwing that out there)


Nits:
* Said laws would only apply within a given jurisdiction 
        ... so disclosures would simply come, or appear to come, from
outside said jurisdiction.

* Who gets to decide how many machines were compromised?  
        Some sources never divulge, some drastically over-inflate.

* Who defines what "responsible" is?  
        Some argue that telling the vendor as hitting send/post counts, some
say 1 week, etc.
        In some cases, maybe a month isn't enough for patch deployment ...
is that still "responsible"?

* I think the "big guys" you reference could come up with answers, but
prefer things the way they are now.
        .... just supposition on my part there ...
        ... and given the govt's previous track record of "cyber" issues,
let's pause and reflect if we want them trying again.


/TJ

----- Original Message -----
From: "n3td3v" <xploitable () gmail com>
To: <full-disclosure () lists grok org uk>
Sent: Friday, July 25, 2008 6:56 AM
Subject: [Full-disclosure] Kaminsky's Law


So what you're saying is HD Moore and |)ruid are exploiting a loop
hole in the law to do what they do... looks like we need to get the
law tightened.

I say a "Responsible Disclosure Act" is drawn up, and anyone who
breaks it goes to jail.

That will mean:

- People will think twice before hitting send on blog entries,

- People will think twice about releasing code early,

- That the decided time line for disclosure can be enforced,

- That the people who release information and/or code early, they get
fined for every computer system compromised because of the
vulnerability information and/or code disclosure, on top of the jail
sentence.

So instead for the future it's not just a verbal contract for
responsible disclosure, it's a legally binding contract as well
meaning if the Responsible Disclosure Act has been signed by the
security researcher and its affected vendors, then ass hats like HD
Moore and |)ruid are breaking the law.

The details are a bit fuzzy right now, but I'm sure the big guys in
the industry can draw up proper rules for a Responsible Disclosure
Act.

It's likely the Responsible Disclosure Act would only be used in
exceptional circumstances like this DNS caching vulnerability, and
the approval of the act per vulnerability case has to be decided on
by a judge in a court of law, so that the Responsible Disclosure Act
can't be over used and abused, to keep the use of the act fair and
proportional in relation to the level of the threat.

That means, Full-Disclosure of vulnerability information and/or code
wouldn't be illegal all the time, just in exceptional circumstances
that have to be OK'd by a judge.

This safeguards the deployment of a patch or patches while telling
the public what the importance of patching is, while disallowing
security researchers from releasing information and/or code before the
time line for responsible disclosure.

So the scenario would be,

jake: hey did you hear about the patches being deployed and the news
reports about the flaw and why the patch is critical?

joe: yes, but the responsible disclosure act has been signed so we
need to wait until it expires before we can share info.

jake: no way, what's the assigned disclosure date?

joe: the standard 4 weeks, although with the responsible disclosure
act, after the 4 weeks, the security researcher and vendors can go
back to the judge to ask for an extra 4 week extension onto that, so
it could be eight weeks bro before we can become famous for five
minutes by releasing attack code.

jake: ah, sucks for us, but yeah if the judge has approved the
signing there isn't a lot we can do unless we want to be labeled
criminals, and hunted down by Interpol.

What has to be told to the community under the act:

- The community must be told the Responsible Disclosure Act has been
signed and OK'd by a judge.

- The community must be told the date the Responsible Disclosure Act
expires and disclosure can be made.

- The community must be told that security researcher and vendor can
go back to the judge after 4 weeks and ask for extension of the act
if extra time is needed, this must be announced to the community
again with notice.

All members of the community who break the Responsible Disclosure Act
are breaking the law and face charges.

Obviously this is just an email I rattled up in five minutes during a
water machine break, so the big guys in the industry can take these
ideas and throw them into a properly put together act.

I think Dan Kaminsky should lobby the industry and the government to
get something like this drawn up, since he is the one who has
inspired me to come up with the Responsible Disclosure Act.

I kind of feel sorry for Dan Kaminsky, and that HD Moore and |)ruid
had to be dick heads about releasing code on purpose against his
request of Dan Kaminsky, the vendors and people who agree with
responsible disclosure, especially in exceptional circumstances like
the DNS flaw.

Maybe we should name it "Kaminsky's Law" out of solidarity for Dan.

All the best,

n3td3v


---------- Forwarded message ----------
From:  <Valdis.Kletnieks () vt edu>
Date: Thu, Jul 24, 2008 at 5:56 PM
Subject: Re: [Full-disclosure] Comments on: DNS exploit code is in
the wild
To: n3td3v <xploitable () gmail com>
Cc: full-disclosure () lists grok org uk


On Thu, 24 Jul 2008 16:17:08 BST, n3td3v said:

This whole HD Moore savior of info sec thing has gone on long
enough, its time to see him for what he is and get him slammed up in
jail along with his counterpart |)ruid.

I'll point out that you happen to live in the country that invented
the concept of "habeas corpus".  In other words, you can't slam him in
jail unless you actually *charge* him with something.

Please tell us in which countr(y|ies) you intend to have him charged,
and what offense.  Specific references to statutes would be
appreciated (for starters, I'll help you out and point out that in
the US, he probably could *not* be charged under 17 USC 1201 (the
DMCA anti-circumvention clause), nor under 18 USC 1030 (the primary
federal anti-hacking statute), unless you have actual evidence that
HD personally hacked into a computer covered by 18 USC 1030.)
You run into a similar issue with 18 USC 2701 (access to stored
communication).

You *might* be able to make a case under 18 USC 2512 (dealing in
devices for intercepting communications), except that there's the
nasty clause "knowing or having reason to know that the design of
such device renders it primarily useful for the purpose of the
surreptitious interception of wire, oral, or electronic
communications;" - and you'd fail on the "primarily" because there's
lots of *other* uses for Metasploit.

He *is* probably in violation of 36 USC 117, 7 USC 411b, and 26 USC
7523(a)(1), however.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
