
Call to arms - INFORMATION ANARCHY




>Path: white.koehntopp.de!mail2news
>From: hellnbak@NMRC.ORG (hellNbak)
>Newsgroups: netuse.lists.ntbugtraq
>Subject: Re: Call to arms - INFORMATION ANARCHY
>Date: 3 Nov 2001 04:14:45 +0100
>Organization: mail2news at white.schulung.netuse.de
>Lines: 114
>Distribution: netuse
>Message-ID: <Fuck.666.6.66.0111021648120.14248-100000@www.nmrc.org>
>References: <E9A01F52DC939448BBDE44ED2E1C468F23C9D8@muskie.rc.on.ca>
>Reply-To: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
>NNTP-Posting-Host: localhost
>Mime-Version: 1.0
>Content-Type: TEXT/PLAIN; charset=US-ASCII
>X-Trace: white.koehntopp.de 1004757285 31472 127.0.0.1 (3 Nov 2001 03:14:45 GMT)
>X-Complaints-To: news@koehntopp.de
>NNTP-Posting-Date: 3 Nov 2001 03:14:45 GMT
>Xref: white.koehntopp.de netuse.lists.ntbugtraq:4035

On Fri, 2 Nov 2001, Russ wrote:

> 1. It's one thing to prove to a Vendor they have a problem in their code. It's
> another to be the reason that the Vendor's customers are subjected to
> malicious attacks that take advantage of your disclosure. This is the heart
> of the issue, and it's not resolved by keeping "Full Disclosure" alive.

Sure it is, the vendors have no motivation to fix their code, or improve
on their programming methodologies without full disclosure.  Vendors have
proved this in the past so there is no reason to believe that things will
be different.

> 2. Acknowledging that there is a majority of people in the world who choose
> to use software which they cannot modify themselves (to avoid a disclosed
> vulnerability) should translate into a responsibility on behalf of the
> discloser. *IT DOESN'T*. It's all too easy to lay the blame at the feet of
> the Vendor for a vulnerability without accepting responsibility for your
> proof-of-concept code or detailed description.

The vendor created the code, the vendor did not properly QA the code, the
vendor releases code before it is truly ready.  So how is that the fault
of the person doing the research?

A prime example of this is an advisory the world will see early next week,
a vendor was told about a couple buffer overflows in their code and was
strongly encouraged to perform a complete code review, the vendor made the
choice to ignore the information, and do a simple quick fix on the *KNOWN*
problems.  Not only that, they did not tell any of their customers.  This
was a year ago, the advisory coming early next week will contain the
details of at least 10 more overflows and a cross site scripting issue.

How is the vendor doing the right thing?  How is it our fault that the
vendor picks making even more money over securing their software?

> 3. A dramatic minority of people who use software pay any attention to
> vulnerability announcements. They find out about the attack, without ever
> hearing about the vulnerability (or even the patch/workaround). This must
> not be under-estimated, but it is frequently. People don't care much about
> what we say, they care about what the Vendor says. If the Vendor doesn't
> alert them (and Microsoft's Security Bulletins go to, maybe, 1% of their
> customers), customers will go merrily along without a care in the world.

This in my mind is also a vendor issue that only the vendor can fix.  But,
only full disclosure and continued research will force the vendor to do
so.


> Ergo, your disclosure leads to them being exploited rather than them being
> fixed, pretty much guaranteed.

So why don't vendors, instead of bashing disclosure, spend the money to
properly QA their software and properly train their "certified
professionals"?  If done properly, a vendor could easily notify *ALL*
their customers, but to do it properly is expensive and there is no clear
return on investment for the vendors so they won't do it.

> a) The media has to do a better job of informing *the masses* of
> vulnerabilities. If the average person was more aware of how insecure their
> computers were, and why it mattered to them, it might trickle up the food
> chain and translate into purchasing decisions by OEM's and Corporations that
> feed the feature versus security mentality of many Vendors.

Why don't the vendors, instead of spending money on attacking full
disclosure, spend the required time and money to QA their software
properly?  This won't do away with all vulnerabilities but it would take
care of a good percentage of them.

> b) There needs to be a great emphasis placed on researchers doing things to
> prevent "script kiddiez". The average consumer doesn't need to be portscan'd
> daily, have a trojan dropped on their system, or have their machine's
> rendered unusable in order to convince Microsoft to provide better security.
> It doesn't work. It hasn't worked. It's not going to work. All it does is
> make everyone ticked off at security research in general.

You are right, and most proof of concept code needs considerable tweaking
before it is all that effective.  Yes, some do come to mind that didn't
and perhaps the research community can improve on that in the future.

> c) There needs to be far less talk in the press about vulnerabilities
> leading to privacy disclosures. Face it folks, the average person doesn't
> care about privacy disclosures unless it has to do with Health or Legal
> issues. The constant harping on privacy issues has led to an antipathy
> towards security issues in general for the public.

Well, everyone should care about their privacy and their personal
information.

> d) There needs to be some method of Vendors and Security Researchers to some
> sort of responsible expectations. An RFC isn't going to do that, and neither
> will massive disclosures of vulnerabilities. An independent party,
> Governmental or Private, acting in an oversight and authoritative focal
> point is the only way. Problem is that most of those researchers who've
> become quiet are trying to make money from their work (a Good Thing) and
> need to be seen as better than everyone else. So the Security Industry would
> be against any sort of governing body as that would make their Angel
> Investors lose interest...

An independent party can do nothing as there is nothing forcing the
vendors to comply or to listen.  In reality, there is nothing to force
researchers to listen either.  CERT is an outside independent
organization, and I am pretty sure that they have had their own issues with
various vendors.



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
