Penetration Testing mailing list archives
Re: Things to do before vulnerability disclosure
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Wed, 17 Jun 2009 21:29:47 -0400
Vulnerability disclosure is a powerful tool that hackers can use to force otherwise unwilling vendors to fix risks in their technology as opposed to just keeping the risks quiet and keeping customers ignorant. The truth is that without it software would still be very insecure and poorly written. The politics of it depend on the situation.
On Jun 17, 2009, at 4:36 PM, Aarón Mizrachi wrote:
On Tuesday 16 June 2009 16:54:36 Jeremy Brown wrote:

> That was an awfully strong "could", some (me) would even take as "actually". Maybe you should use words and write sentences with more character than FUD.

OK, I agree, it _could_ be a violation of the EULA sometimes. But depending on what the vulnerability is, the company may or may not assume that it was reversed. So whatever, the company is not in your computer, and without strong evidence that you reversed it, a lawsuit is very difficult and useless.

-----------------------
Ethical issue:

- You as an ethical hacker have a code of conduct to follow on full disclosure. It is well documented. (Report the bug, wait for patches or wait some time if it isn't patched, then release, etc.)

- The company also has ethical responsibilities. The first one is to attend to the bug. This ethical responsibility is to their customers; I said ethical because most EULAs say that patching is not obligatory within any time frame. Another ethical responsibility that resides with the company is to respect and agree to the disclosure process without doubts and lawsuits.

If companies don't agree with the disclosure process, the meaning of the disclosure process will be lost. Some people who choose to be ethical won't have the benefits that the word ethical implies, and will also be punished as a blackhat, but worse, because they are exposing themselves trying to be ethical. The next step in the chain is that bugs found won't be reported and won't be fixed, and more working zero-day bugs could be sold on the "black market". That truly represents a huge risk, especially when you consider that many countries don't have the infrastructure and the laws to prevent and catch it. I remind you: the blackhat hackers who sell bugs could appear in every part of this world, not only in civilizations and countries with strong laws on hacking matters.

---------------------------
How can you report a bug anonymously and, some time later, claim your author rights on the bug? !!!

I'm not sure if this technique is well documented yet!!!

If you fear that the company could take action against you, you can use something like Tor and a pseudonym to report it. I know that it could be "dark", but it works and helps the community. REMEMBER: BE ETHICAL. FOLLOW THE PROCEDURE.

When the time to publish a bug comes (after alerts and when the patch is publicly available), you may use a pseudonym and put a signature (variable). This signature could be: SHA-512(big seed number + your name). (Check http://jssha.sourceforge.net/ if you need to compute it.)

For example, my name is Aarón Mizrachi, and I choose the number 2094857093485093478503897409573094875 (randomly).

The text to SHA-512 will be: 2094857093485093478503897409573094875AarónMizrachi

The signature will be:

Bug disclosed by (SHA512(big seed number + my name)): 3513c40e68f33275cefe18a471bf6b851d4f141283e1911b9d4d6d2d212a0ec440fc3ee4d5bcd27f477d7bbe36ae58b7029948a93c5d3b5e9d03c98106578fec

Your protection is that the hash cannot be reversed, and also couldn't be faked (unless someone found a collision on that). Then you can prove that you are the author of this bug to whom you want and when you want.

> On Tue, Jun 16, 2009 at 4:10 PM, Giuseppe Fuggiano <giuseppe.fuggiano () gmail com> wrote:
>> 2009/6/16 Jeremy Brown <0xjbrown41 () gmail com>:
>>> Is that the same principle as speaking implies you know what you're talking about? There are many other ways to find bugs, even finding them by accident. Reverse engineering is only one of them. To say that finding bugs in software implies the researcher disassembled the binary is ridiculous.
>> You should read again and more carefully what I wrote. "Finding a bug _and_writing_an_exploit_ *could* imply disassembly/debugging proprietary code." There's NOTHING ridiculous in that statement. Try to understand the meaning of what you're reading more deeply than you actually do. Thanks for your reply.
>> -- Giuseppe

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------

--
Ing. Aaron G. Mizrachi P.
http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog http://snosoft.blogspot.com
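The hash commitment Aarón proposes above (publish SHA-512(seed || name) in the advisory, reveal seed and name later to prove authorship) as an added Python example; this is not code from the thread or from jsSHA. The function names, the 256-bit CSPRNG seed and the sample name are my own assumptions; the point the code adds is that the seed must be high-entropy and kept private, since a short or guessable seed lets anyone enumerate seed||name candidates against the published hash.

```python
import hashlib
import hmac
import secrets


def make_commitment(seed: str, name: str) -> str:
    """Hex SHA-512 of seed||name: the 'signature' placed in the public advisory.

    Only this hash is published; seed and name stay private until the
    author decides to claim the bug.
    """
    return hashlib.sha512((seed + name).encode("utf-8")).hexdigest()


def new_seed(nbits: int = 256) -> str:
    """High-entropy decimal seed (assumed size: 256 bits).

    A seed typed by hand is guessable; a guessable seed lets anyone
    brute-force seed||name against the published hash, so use a CSPRNG.
    """
    return str(secrets.randbits(nbits))


def verify_claim(published_hash: str, seed: str, name: str) -> bool:
    """Check a later authorship claim against the hash that was published."""
    expected = make_commitment(seed, name)
    # Constant-time compare; tolerate upper-case hex copied from an advisory.
    return hmac.compare_digest(expected, published_hash.strip().lower())


def demo() -> dict:
    """Walk through publish-then-claim with a constructed name and seed."""
    seed = new_seed()
    name = "Example Researcher"  # constructed sample value, not a real person
    published = make_commitment(seed, name)
    return {
        "advisory_line": f"Bug disclosed by (SHA512(seed+name)): {published}",
        "genuine_claim": verify_claim(published, seed, name),
        "wrong_name": verify_claim(published, seed, "Someone Else"),
        "wrong_seed": verify_claim(published, new_seed(), name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keep the seed and name together offline (e.g. in an encrypted note); losing the seed makes the published hash unclaimable by anyone, including the author.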
Current thread:
- Things to do before vulnerability disclosure Giuseppe Fuggiano (Jun 15)
- Re: Things to do before vulnerability disclosure Geoffrey J Gowey (Jun 15)
- Re: Things to do before vulnerability disclosure Justin Ferguson (Jun 15)
- Re: Things to do before vulnerability disclosure Giuseppe Fuggiano (Jun 16)
- Re: Things to do before vulnerability disclosure Jeremy Brown (Jun 16)
- Message not available
- Re: Things to do before vulnerability disclosure Jeremy Brown (Jun 17)
- Re: Things to do before vulnerability disclosure Aarón Mizrachi (Jun 17)
- Re: Things to do before vulnerability disclosure Adriel T. Desautels (Jun 17)
- Re: Things to do before vulnerability disclosure Jeffrey Walton (Jun 18)
- Re: Things to do before vulnerability disclosure Adriel T. Desautels (Jun 18)
- RE: Things to do before vulnerability disclosure Nick Vaernhoej (Jun 18)
- RE: Things to do before vulnerability disclosure Paul Melson (Jun 20)
- Re: Things to do before vulnerability disclosure Geoffrey J Gowey (Jun 15)
- RE: Things to do before vulnerability disclosure Paul Melson (Jun 17)
- <Possible follow-ups>
- Re: Things to do before vulnerability disclosure noloader (Jun 17)
- Re: Things to do before vulnerability disclosure noloader (Jun 18)