
it's all about timing
(i'm going to go a little bit further from the HP/Snosoft case, so don't
be surprised if some of the statements below do not fit 100% in that
case)

All these problems will vanish if people choose to disclose
vulnerabilities in a responsible way.
Sure, HP's response has been harsh. But every security problem
(especially when it's accompanied by an exploit) should be reported
first to the vendor! There should be no exception to this rule. The
person doing the reporting should give the vendor a reasonable period of
time to fix it; say, a few weeks or so.

Only if the vendor does nothing in these weeks should the
report/exploit/whatever be made public.

If hacker H writes a comment on Slashdot, making public an exploit
against some software made by vendor V, and does not notify V in advance
(say, 2...4 weeks in advance), and then V sues H, then who's right?

H is right, because (s)he disclosed a vulnerability, and disclosing is
good.
V is right, because not being warned in advance, their customers are
left to the mercy of script kiddies.
H is wrong, because (s)he's obviously looking for cheap publicity (i
published a zero-day exploit; mine is bigger), not for improving
security.
V is wrong, because they are filing a lawsuit against open disclosure,
which is not a good thing.

See?

And the solution is so simple: DO NOT publish "zero-day exploits". Give
the damn vendors an early warning. Only if they are lazy and do nothing
within a reasonable time (2...4 weeks), only then you are entitled to go
slashdot-happy.

I'm a big fan of open disclosure, freedom of speech, etc. But people who
look for cheap publicity are not my favourites. If H is going to publish
the exploit without early warning, i'll say V has all the rights in the
world to sue the crap out of H, and put him (or her) in jail for one
thousand years, and i'll applaud that.
However, if there was an early warning, within a reasonable time, like
one month or so (unlike some popular security companies did recently),
and the vendor did nothing and didn't provide a good reason for the
delay (because such reasons could exist, if you think of it), then H is
100% entitled to publish whatever exploit he likes.

It's all about timing. It's all about being reasonable.

--
Florin Andrei

"Some times are fuzzier than others." - Dan Farmer & Wietse Venema
Re: it's all about timing
I agree with this. However, in the Snosoft case the facts have been smeared by
all the different stories going around. I will not get into it in detail, but
we have been working with HP on this for 4+ months, bending over backwards
for them to keep everything out of the eyes of the public, all the time
putting up with threats of suit for nonsense issues. The bottom line is that
we went above and beyond what is reasonable for a research group to do
because we knew how serious the issue is, and after managing to do this for
so long, something got leaked, which was inevitable with the amount of people
working on the problem. I believe if, instead of it being a leak, we had released
an advisory on the issue (we couldn't do this because of HP's legal department
strong-arming us) after 2 months, never mind 4 months, it would have been more
than reasonable. Look for an official statement tonight on our website
www.snosoft.com with the exact details, but I'm sick of going through the day
listening to the facts get smeared because of false reports.

-sert


On Wednesday 31 July 2002 09:26 pm, Florin Andrei wrote:
> (i'm going to go a little bit further from the HP/Snosoft case, so don't
> be surprised if some of the statements below do not fit 100% in that
> case)
>
> All these problems will vanish if people choose to disclose
> vulnerabilities in a responsible way.
> Sure, HP's response has been harsh. But every security problem
> (especially when it's accompanied by an exploit) should be reported
> first to the vendor! There should be no exception to this rule. The
> person doing the reporting should give the vendor a reasonable period of
> time to fix it; say, a few weeks or so.
>
> Only if the vendor does nothing in these weeks should the
> report/exploit/whatever be made public.
>
> If hacker H writes a comment on Slashdot, making public an exploit
> against some software made by vendor V, and does not notify V in advance
> (say, 2...4 weeks in advance), and then V sues H, then who's right?
>
> H is right, because (s)he disclosed a vulnerability, and disclosing is
> good.
> V is right, because not being warned in advance, their customers are
> left to the mercy of script kiddies.
> H is wrong, because (s)he's obviously looking for cheap publicity (i
> published a zero-day exploit; mine is bigger), not for improving
> security.
> V is wrong, because they are filing a lawsuit against open disclosure,
> which is not a good thing.
>
> See?
>
> And the solution is so simple: DO NOT publish "zero-day exploits". Give
> the damn vendors an early warning. Only if they are lazy and do nothing
> within a reasonable time (2...4 weeks), only then you are entitled to go
> slashdot-happy.
>
> I'm a big fan of open disclosure, freedom of speech, etc. But people who
> look for cheap publicity are not my favourites. If H is going to publish
> the exploit without early warning, i'll say V has all the rights in the
> world to sue the crap out of H, and put him (or her) in jail for one
> thousand years, and i'll applaud that.
> However, if there was an early warning, within a reasonable time, like
> one month or so (unlike some popular security companies did recently),
> and the vendor did nothing and didn't provide a good reason for the
> delay (because such reasons could exist, if you think of it), then H is
> 100% entitled to publish whatever exploit he likes.
>
> It's all about timing. It's all about being reasonable.
RE: it's all about timing
Ask yourself this question.....how many weeks of advance notice to the
vendors will it take to make you lawsuit-proof?

If you're at all intelligent, you'll realize there's no right answer to
that question. It depends on how pissed the vendor is, how much cash
they have lying around, how much work their lawyers have, how much the
publicity hurts, etc., etc., etc.

It would be nice, in a perfect world, to have everyone adopt rfp's
disclosure guidelines, but it ain't gonna happen. Not in this world.
And do you really think a hacker in, say, the Netherlands, gives a rat's
ass about a lawsuit in America? (Or vice versa?)

Paul Schmehl (pauls@utdallas.edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


> -----Original Message-----
> From: Florin Andrei [mailto:florin@sgi.com]
> Sent: Wednesday, July 31, 2002 4:27 PM
> To: bugtraq@securityfocus.com
> Cc: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] it's all about timing
>
>
> (i'm going to go a little bit further from the HP/Snosoft
> case, so don't be surprised if some of the statements below
> do not fit 100% in that
> case)
RE: it's all about timing
Florin,

I agree with you completely. From what I understand this vulnerability is
about a year old, although I'm not knowledgeable enough to say that with
authority. If it's true, then I believe the 2-4 week requirement has been
satisfied.

-Dave

*************************** NOTICE **************************
Opinions expressed in this email are solely my own, and do
not reflect the attitudes, policy, or opinion of my employer.
*************************************************************


-----Original Message-----
From: Florin Andrei [mailto:florin@sgi.com]
Sent: Wednesday, July 31, 2002 2:27 PM
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] it's all about timing


(i'm going to go a little bit further from the HP/Snosoft case, so don't be
surprised if some of the statements below do not fit 100% in that
case)

All these problems will vanish if people choose to disclose
vulnerabilities in a responsible way. Sure, HP's response has been harsh.
But every security problem (especially when it's accompanied by an exploit)
should be reported first to the vendor! There should be no exception to
this rule. The person doing the reporting should give the vendor a
reasonable period of time to fix it; say, a few weeks or so.

Only if the vendor does nothing in these weeks should the
report/exploit/whatever be made public.

If hacker H writes a comment on Slashdot, making public an exploit against
some software made by vendor V, and does not notify V in advance (say, 2...4
weeks in advance), and then V sues H, then who's right?

H is right, because (s)he disclosed a vulnerability, and disclosing is good.
V is right, because not being warned in advance, their customers are left to
the mercy of script kiddies. H is wrong, because (s)he's obviously looking
for cheap publicity (i published a zero-day exploit; mine is bigger), not
for improving security. V is wrong, because they are filing a lawsuit
against open disclosure, which is not a good thing.

See?

And the solution is so simple: DO NOT publish "zero-day exploits". Give the
damn vendors an early warning. Only if they are lazy and do nothing within a
reasonable time (2...4 weeks), only then you are entitled to go
slashdot-happy.

I'm a big fan of open disclosure, freedom of speech, etc. But people who
look for cheap publicity are not my favourites. If H is going to publish the
exploit without early warning, i'll say V has all the rights in the world to
sue the crap out of H, and put him (or her) in jail for one thousand years, and
i'll applaud that. However, if there was an early warning, within a
reasonable time, like one month or so (unlike some popular security
companies did recently), and the vendor did nothing and didn't provide a
good reason for the delay (because such reasons could exist, if you think of
it), then H is 100% entitled to publish whatever exploit he likes.

It's all about timing. It's all about being reasonable.

--
Florin Andrei

"Some times are fuzzier than others." - Dan Farmer & Wietse Venema

_______________________________________________
Full-Disclosure - We believe in it. Full-Disclosure@lists.netsys.com
http://lists.netsys.com/mailman/listinfo/full-disclosure
RE: it's all about timing
Comments inline. cc: to that "other" list deleted.

> Sure, HP's response has been harsh. But every security problem
> (especially when it's accompanied by an exploit) should be reported
> first to the vendor! There should be no exception from this rule. The
> person doing the reporting should give the vendor a
> reasonable period of
> time to fix it; say, a few weeks or so.
>
> Only if the vendor does nothing in these weeks, only then the
> report/exploit/whatever should be made public.

Riiight.... Great. But according to the (now-yanked) CNet article, Snosoft
started talking to HP *this spring*, and HP sat on their hands. So, if the
vendor gets several months' notice, does exactly jack squat, and then the
vuln. leaks somehow, who do you blame? As Paul S. pointed out, nothing is
black and white; it's all just shades of grey. Me, I blame the vendor. For
fsck's sake, this thing works with a no-exec stack! How sad is that? And
these dorks wanted months and months to fix it? Who do they think they are,
ISC? [ ^_^ ] Sure, it shouldn't have leaked, but exactly how long *were*
they going to let every OSF/1 box out there be a sitting duck? At least now
I know to chmod 750 /bin/su and chown it root:wheel (a good practice
anyway).



--shawn
Re: it's all about timing
>>>>> On Wed, 31 Jul 2002 17:53:08 -0500, "Moyer, Shawn" <SMoyer@rgare.com> said:

MS> ISC? [ ^_^ ] Sure, it shouldn't have leaked, but exactly how long *were*
MS> they going to let every OSF/1 box out there be a sitting duck? At least now
MS> I know to chmod 750 /bin/su and chown it root:wheel (a good practice
MS> anyway).

Hmmmm, looks like a suit against the vendor for "reckless endangerment"
:-) might be in order. Sometimes I wish I were an ambulance-chasing
lawyer (as opposed to the good kind).

(Yes, I know that "endangerment" requires possibility of harm to a
person. But I can wish, and there must be some liability here...)

--tep
RE: it's all about timing
It hasn't been yanked:

http://news.com.com/2100-1023-947325.html

Corey M. Snow- csnow@deltadentalwa.com
I don't speak for my employer.


> -----Original Message-----
> From: Moyer, Shawn [mailto:SMoyer@rgare.com]
> Sent: Wednesday, July 31, 2002 3:53 PM
> To: 'full-disclosure@lists.netsys.com'
> Subject: RE: [Full-Disclosure] it's all about timing

> Riiight.... Great. But according to the (now-yanked) CNet
> article,

<snick>


Re: it's all about timing
I think many, if not most, of us on this list who have produced
advisories/exploits have experienced the frustration associated with the
response from some vendors. I had to explain how serious a buffer overflow
was to the author of mIRC; after several emails the vendor agreed to fix
the problem in the next version. At this time my exploit writing skills were
in their infancy and I did not have a working exploit, so I accepted this.

Two months later (I had got distracted by real work et al.) I produced a
working exploit and informed the vendor. It was another two months before
the vendor provided a fix; I waited until they released it before I
released my exploit code. The new release was a major version upgrade; as
you can imagine, this felt like they had played me to keep their existing
development schedule. Of course I cannot accuse them of this, but it
certainly felt like they had. To this day they have not publicly
acknowledged the existence of the hole in all versions prior to 6.00.

However, Dalnet, IRCNet and many other networks all have warnings advising
users to upgrade. Also, it was covered by news.bbc.co.uk, newsbytes.com, cnet
and many other news sites. I cannot understand their reasons for this; they
obviously feel publicly admitting their mistake and giving their users a
strong warning to upgrade is not good PR.

I estimate still nearly 50% of mIRC users are running v5.91 and lower. This
figure was attained from a CTCP version of #chatzone on dal.net. This is
after 3 versions have been released sequentially since the disclosure. I
personally don't feel the vendor has made an appropriate effort to protect
its userbase.

On top of this, I was astonished at how so many people assumed that because
my proof of concept code only launched calc.exe, this wasn't a dangerous
hole! I'm seriously considering making my next do "command /c deltree /Y
c:\program files" (joke) :P; you have to highlight the seriousness of the hole.
It's amazing how blatant it seems you need to be. I can't imagine releasing
an advisory without working exploit code.

In summary, I don't know the full circumstances with this Tru64 exploit, but
it seems the hole should have been fixed by HP and they are just trying to
stifle efforts to get them to fix it. I wonder how long it will take for a
fix to arrive now? (Or has it already?) I'd much prefer working exploit
code, and an opportunity to fix any system under my control which would be
affected, than secrecy with the chance that someone else has written an
exploit which is circulating in the underground.

Regards
James




----- Original Message -----
From: "Dave Killion" <Dkillion@netscreen.com>
To: <full-disclosure@lists.netsys.com>
Sent: Wednesday, July 31, 2002 10:59 PM
Subject: RE: [Full-Disclosure] it's all about timing


> Florin,
>
> I agree with you completely. From what I understand this vulnerability is
> about a year old, although I'm not knowledgeable enough to say that with
> authority. If it's true, then I believe the 2-4 week requirement has been
> satisfied.
>
> -Dave
>
> *************************** NOTICE **************************
> Opinions expressed in this email are solely my own, and do
> not reflect the attitudes, policy, or opinion of my employer.
> *************************************************************
>
RE: it's all about timing
I believe, depending on severity of the vulnerability, that one week should
be sufficient for at least vendor response prior to publicly leaking
information about said vulnerability. This does not mean releasing exploit
code, only general information about the vuln so that educated readers can
understand what's going on.

If no vendor responses occur, then release of information should occur. If
there is vendor response indicating an attempt to work the issue, then more
time should of course be given (again, depending on severity of the issue).

Holes in this would include exactly *how* the vendor was contacted
(midnight messages left in the general company voicemail don't count, etc.)
and whether any follow-up attempts were made. Also, a vanilla vendor
response to the effect of "Thank you for the information. We'll look into
it. Don't call us, we'll call you" is an effective NOOP.

Are we enough of an ad-hoc "authority" to attempt to determine a proper
course of action for these instances? Codifying this (even if it's just a
"gentlemen's agreement") would most definitely be A Good Thing.
--
Eric N. Valor
ericv@cruzio.com
PGP Key 2048/1024 227B04CB
Key Fingerprint = 766C CA15 0FFF E54B 2FEE C7D7 0F87 3AFB 227B 04CB

: This Space Intentionally Left Blank :
RE: it's all about timing
On Wed, 31 Jul 2002, Eric N. Valor wrote:

> Are we enough of an ad-hoc "authority" to attempt to determine a proper
> course of action for these instances? Codifying this (even if it's just a
> "gentlemen's agreement") would most definitely be A Good Thing.

RFPolicy always seemed reasonable to me.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
Re: it's all about timing

Nobody needs to do a damn thing. If I am sitting watching my monitor and it blows up in my face, do you really think I am going to tiptoe around and quietly tell the manufacturer that his product is flawed, and allow him to ::secretly:: fix it? Or the software vendor whose junk database deletes everything on the 1st of every sixth month due to some sloppy programming on their part? Why pussy-foot around? You're paying hundreds of thousands of dollars for an overpriced product. The vendors aren't ::giving:: it away for free to you. Money from your pocket goes into theirs in exchange for goods. You're buying something they are selling. And they had better make damn sure what they are selling works as advertised.

The time is to sue the vendors. Demand a refund. Get your money back if it's broken. What the hell is this, paying them, then creeping around in the shadows fixing the shit they just sold you, for them?

Grow some backbone. Expose all the flaws at once. No mercy. Full-Disclosure - believe in it.

Fuck Hewlett Packard, take the Digital Millennium Copyright Act and shove it up your ass, Kent Ferson; your stocks are going to go down down down down. You're going to get fired over this, you lame fuck.



----- Original Message -----
From: Eric N. Valor
To: full-disclosure@lists.netsys.com
Sent: Wednesday, July 31, 2002 11:06 PM
Subject: RE: [Full-Disclosure] it's all about timing



I believe, depending on severity of the vulnerability, that one week should
be sufficient for at least vendor response prior to publicly leaking
information about said vulnerability. This does not mean releasing exploit
code, only general information about the vuln so that educated readers can
understand what's going on.

If no vendor responses occur, then release of information should occur. If
there is vendor response indicating an attempt to work the issue, then more
time should of course be given (again, depending on severity of the issue).

Holes in this would include exactly *how* the vendor was contacted
(midnight messages left in the general company voicemail don't count, etc.)
and whether any follow-up attempts were made. Also, a vanilla vendor
response to the effect of "Thank you for the information. We'll look into
it. Don't call us, we'll call you" is an effective NOOP.

Are we enough of an ad-hoc "authority" to attempt to determine a proper
course of action for these instances? Codifying this (even if it's just a
"gentlemen's agreement") would most definitely be A Good Thing.
--
Eric N. Valor
ericv@cruzio.com
PGP Key 2048/1024 227B04CB
Key Fingerprint = 766C CA15 0FFF E54B 2FEE C7D7 0F87 3AFB 227B 04CB

: This Space Intentionally Left Blank :

Re: it's all about timing
The Responsible Disclosure Process draft specifically allows for
researchers to release vulnerability information if the vendor is not
sufficiently responsive. Some people may disagree with the delay of
30 days between initial notification and release, but I don't think
there are good stats on how long it really takes vendors to fully
address vulnerability reports - open or closed source, freeware or
commercial. Let's take a recent example - how much coordination had
to happen for the zlib vulnerability? It seems reasonable to assume
that it took more than a day. And the controversial "grace period"
has the interesting distinction of being used by both Microsoft and
Theo de Raadt.

Researchers can help to shed light in this area by publishing
disclosure histories along with their advisories. (By the way, vendor
advisories rarely include such information.)

While the response to the proposal focused almost exclusively on how
it impacts researchers, it lays out a number of requirements for
vendors, primarily that they (a) make it easy for people to file
vulnerability reports, (b) be responsive to incoming vulnerability
reports, and (c) address the issues within a reasonable amount of
time.

IMHO, it makes a stronger impression when someone releases a security
advisory with an extensive disclosure history that says how much they
tried to resolve the issue with the vendor, before they released.

Those who are interested in the legal aspects of "responsible
disclosure" are encouraged to read the article by Mark Rasch at
http://online.securityfocus.com/columnists/66. The article basically
says that the adoption of community standards could protect
researchers who disclose issues responsibly, while it could also help
vendors who seek legal recourse against researchers who are not
responsible (for some definition of "responsible"). The former could
happen with a community standard. The latter may already be happening
without one.

This email is my personal opinion, not my employer's.

- Steve
(co-author of the aforementioned Responsible Disclosure proposal,
which is presently quiet but not dead, but will always be subject to
public feedback)
Re: it's all about timing [ In reply to ]
Florin Andrei <florin@sgi.com> writes:
> V is right, because not being warned in advance, their customers are
> left to the mercy of script kiddies.

The reasonable conclusion here is that V should be suing the script
kiddies, not H.


> If H is going to publish the exploit without early warning, i'll say
> V has all the rights in the world to sue the crap out of H, and put
> him(her) in jail for one thousand years, and i'll applaud that.

Outlawing the distribution of knowledge is a slippery slope. I don't
want to go back to the bad old days when "terrorists might use it to
coordinate attacks" was a valid excuse for not letting me use/export
pgp and ssh.

Premature disclosure is bad in the same way that cheating on one's
spouse is bad -- it's undoubtedly a horrible, evil thing to do, but
it's not something that the government should be in the business of
locking people up for.

- a


--
Sick of HTML user interfaces?
www.xwt.org
Re: Re: it's all about timing [ In reply to ]
IMHO the threats against Snosoft are FUD, even more FUD than the Sklyarov FUD. I
personally don't expect any court.

What scares me is that the "Responsible Disclosure" FUD continues.
On bugtraq people write that CERT and SecurityFocus are "established parties" and
everyone who does not give them their 0days is irresponsible (at least CERT is
known to sell 0days). I personally won't give them my 0days early.

The "Responsible Disclosure" draft continues to get advertised, though it was
not approved by IETF.

Why do people think about giving away the right of free speech just because of some
FUD?

Even in the unlikely case that this bad RFC passes, does it mean that people
are safer when they disclose problems? I definitely don't think so.

So the facts are that some companies can't write secure code and it is more
expensive to write secure code.

Just check "Help -> About" on Windows before using the word "responsibility".

The easiest solution is to shoot the messenger and to outlaw saying the emperor
has no clothes. But this won't fix the problem in the real world. IMHO such
regulations will only alienate a lot of people and will make things worse.

----
When I answered where I wanted to go today, they just hung up (Unknown Author)


Steven M. Christey wrote:
> The Responsible Disclosure Process draft specifically allows for
> researchers to release vulnerability information if the vendor is not
> sufficiently responsive. Some people may disagree with the delay of
> 30 days between initial notification and release, but I don't think
> there are good stats on how long it really takes vendors to fully
> address vulnerability reports - open or closed source, freeware or
> commercial. Let's take a recent example - how much coordination had
> to happen for the zlib vulnerability? It seems reasonable to assume
> that it took more than a day. And the controversial "grace period"
> has the interesting distinction of being used by both Microsoft and
> Theo de Raadt.
>
> Researchers can help to shed light in this area by publishing
> disclosure histories along with their advisories. (By the way, vendor
> advisories rarely include such information.)
>
> While the response to the proposal focused almost exclusively on how
> it impacts researchers, it lays out a number of requirements for
> vendors, primarily that they (a) make it easy for people to file
> vulnerability reports, (b) be responsive to incoming vulnerability
> reports, and (c) address the issues within a reasonable amount of
> time.
>
> IMHO, it makes a stronger impression when someone releases a security
> advisory with an extensive disclosure history that says how much they
> tried to resolve the issue with the vendor, before they released.
>
> Those who are interested in the legal aspects of "responsible
> disclosure" are encouraged to read the article by Mark Rasch at
> http://online.securityfocus.com/columnists/66. The article basically
> says that the adoption of community standards could protect
> researchers who disclose issues responsibly, while it could also help
> vendors who seek legal recourse against researchers who are not
> responsible (for some definition of "responsible"). The former could
> happen with a community standard. The latter may already be happening
> without one.
>
> This email is my personal opinion, not my employer's.
>
> - Steve
> (co-author of the aforementioned Responsible Disclosure proposal,
> which is presently quiet but not dead, but will always be subject to
> public feedback)
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
>
RE: it's all about timing [ In reply to ]
<snip>
Only if the vendor does nothing in these weeks, only then the
report/exploit/whatever should be made public.
<snip>

[RS] For those on the FULL DISCLOSURE list you can read the full thread on
Bugtraq. The exploit is not the problem, it is truly related to the fact
that vendors must notify clients directly if a vulnerability is found.
Just because a security hole has been discovered does not mean other factors
cannot be used to mitigate risk.

<snip>
If hacker H writes a comment on Slashdot, making public an exploit
against some software made by vendor V, and does not notify V in advance
(say, 2...4 weeks in advance), and then V sues H, then who's right?
<snip>

[RS] If the vendor was aware for 2-4 weeks and failed to notify its
clients, yes.


Richard Scott
INFORMATION SECURITY
Tel: (001) -952-324-0697
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries
RE: Re: it's all about timing [ In reply to ]
Georgi,

Maybe I missed something, but CERT sells 0-days?

skj

-----Original Message-----
From: Georgi Guninski [mailto:guninski@guninski.com]
Sent: Thursday, August 01, 2002 9:04 AM
To: full-disclosure@lists.netsys.com; Bugtraq
Subject: Re: [Full-Disclosure] Re: it's all about timing


IMHO the threats against Snosoft are FUD, even more FUD than the Sklyarov FUD. I
personally don't expect any court.

What scares me is that the "Responsible Disclosure" FUD continues.
On bugtraq people write that CERT and SecurityFocus are "established parties" and
everyone who does not give them their 0days is irresponsible (at least CERT is
known to sell 0days). I personally won't give them my 0days early.

The "Responsible Disclosure" draft continues to get advertised, though it was
not approved by IETF.

Why do people think about giving away the right of free speech just because of some
FUD?

Even in the unlikely case that this bad RFC passes, does it mean that people
are safer when they disclose problems? I definitely don't think so.

So the facts are that some companies can't write secure code and it is more
expensive to write secure code.

Just check "Help -> About" on Windows before using the word "responsibility".

The easiest solution is to shoot the messenger and to outlaw saying the emperor
has no clothes. But this won't fix the problem in the real world. IMHO such
regulations will only alienate a lot of people and will make things worse.

----
When I answered where I wanted to go today, they just hung up (Unknown Author)


Re: it's all about timing [ In reply to ]
On Wednesday, July 31, 2002, at 04:26 PM, Florin Andrei wrote:

> But every security problem
> (especially when it's accompanied by an exploit) should be reported
> first to the vendor! There should be no exception from this rule. The
> person doing the reporting should give the vendor a reasonable period of
> time to fix it; say, a few weeks or so.

I can't agree. In my day job I maintain systems for a defense agency,
and I *have* to know what my exposures are *at all times*, whether a fix
exists or not, since lives can be dependent (directly or indirectly) on
the availability and integrity of my systems.

Without this information, I can't mitigate my risk. Leaving *my* risk
in the hands of a vendor-- who has a vested interest in *not* letting me
know-- is wrong.

-- Cerebus
RE: it's all about timing (wasn't that a John Denver song?) [ In reply to ]
I think most everyone on this list will agree with your comments about how
things "should" be disclosed. However, I think those points are moot.

<snip>
i'll say V has all the rights in the
world to sue the crap out of H, and put him(her) in jail for one
thousand years, and i'll applaud that.
</snip>

A thousand year jail term? Man, where do you live? I think you are missing
the issue here. I don't know the laws specific to where you live (although
they seem harsh. Have you considered a coup?) but here in the US, I can sue
you because I'm offended by the color of your pants (to be honest, they're
damn ugly, buy some Dockers please). That is not to say I have a chance of
winning that suit, but I can still sue you. And again, per my previous
post, I don't think winning a suit is necessarily the issue here either.

Using Snosoft/HP as an example, if HP sues and wins, a dangerous precedent
has been set. If HP loses, Snosoft will still have spent enough cash and
time trying to defend themselves against a company with much deeper pockets
that it is quite possible that they may not be able to financially recover
from winning the suit, if they even get that far.

Either way, everyone in the security industry, especially security
companies, are going to think twice about publishing a vulnerability in the
future. That is bad because the people who will know about future
vulnerabilities are the people who don't report them now. (i.e. some 12 year
old kid in Yemen with nothing better to do). If HP wins, where does it
stop? If ABC Inc. gets hacked out of existence, can ABC sue SecurityFocus
(Symantec) for archiving all the exploits used to compromise their system?
Don't laugh, it's not that far fetched.

<snip>
And the solution is so simple: DO NOT publish "zero-day exploits"
</snip>

Wow. I never thought of that. (sorry for the sarcasm) You are preaching
to the choir. I believe most of everyone on this list not only agrees with
that principle but practices it as well. Why Snosoft/HP is so important is
that plenty of time was given to HP to correct the hole. If HP moves
forward with litigation (win or lose), this may well open a flood gate of
similar actions that could dramatically change how we all do our jobs and
the effectiveness of the current exploit exposure scenario.

So yes, Florin, in a perfect world we'd all release vulnerabilities the
right way and there is a Santa Claus. However, in the real world, there
will be responsible people and irresponsible people. There will be
responsible people who believe in zero day exposures. There will be people
who don't own computers and collect cans from my recycling bins. There is
no way to enforce any exposure rules so we all have to keep on doing what
we're doing and hope that the "bad" people don't screw it up for the rest of
us.

However, I do believe that we should explore ways to "pressure" HP into
backing off as a previous post mentioned. Send a polite email. If you are
at a company and have some purchasing power, tell your HP sales rep that you
are so concerned over this matter that you're flying to Austin to meet with
Dell (let me know when you're going. I know some good bars on 6th street).

Open to suggestions. I'd like to take this opportunity to apologize for my
annoying sense of humor.


Gibby McCaleb

_______________________________________________

"When the going gets weird, the weird turn pro."

Hunter S. Thompson
_______________________________________________
Re: Re: it's all about timing [ In reply to ]
>>>>> On Thu, 01 Aug 2002 16:03:33 +0300, Georgi Guninski <guninski@guninski.com> said:

GG> What scares me is that the "Responsible Disclosure" FUD continues.
GG> On bugtraq people write that CERT and SecurityFocus are "established parties" and
GG> everyone who does not give them their 0days is irresponsible (at least CERT is
GG> known to sell 0days). I personally won't give them my 0days early.

I would like to see evidence that CERT "sells 0days". Pretty
significant claim. Although, I probably wouldn't disclose the actual
exploits to CERT, just to the vendor.

GG> The "Responsible Disclosure" draft continues to get advertised, though it was
GG> not approved by IETF.

This is the problem. IETF had a chance to put a stake in the ground,
and didn't.

--
Tom E. Perrine <tep@SDSC.EDU> | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ |
RE: it's all about timing [ In reply to ]
Timothy J. Miller [cerebus@sackheads.org] wrote:
> I can't agree. In my day job I maintain systems for a defense agency,
> and I *have* to know what my exposures are *at all times*, whether a
> fix exists or not, since lives can be dependent (directly or indirectly)
> on the availability and integrity of my systems.
>
> Without this information, I can't mitigate my risk. Leaving *my* risk
> in the hands of a vendor-- who has a vested interest in *not* letting
> me know-- is wrong.

If one person can discover a vulnerability, so can another person. When
you discover a previously unpublished vulnerability you should assume
that either (1) someone else has also discovered it and is keeping it
secret for future use; or (2) someone like that will discover it soon.
The vendor must not be permitted to sweep it under the rug, or to put it
on the back burner. If they do, a day of reckoning will come to them
and to all their customers.

Some naive people think the visible blackhat hackers are the real enemy.
These people break into sites, deface them, maybe even steal some files
or install Trojans... IMO that's NOT the main problem. Maybe that kind
of thing is not nice, not legal, maybe it causes monetary losses to
victims... but it's not nearly the worst problem. A major terrorist
organization or enemy country would do far worse. Undoubtedly there are
others out there, with greater resources, and much more serious in their
intent to do harm. They are busy discovering vulnerabilities, and
building an inventory of individual exploits and compound exploits which
would make everything we've seen to date look like child's play.

In this kind of world, the public needs to know immediately of the
vulnerability. We need to be able to determine unambiguously whether we
are vulnerable. We need to be able to implement countermeasures, and
then we need to be able to test those countermeasures. This means we
need a proof of concept exploit, and we need it immediately. And we
need source code for that exploit so we can verify that this code itself
is not an enemy.

Now, that proof of concept exploit should not do any actual damage. And
it should not be easily converted into a damaging tool by
pseudo-technical script-kiddie types. That is where ethics and good
judgment are required. There will probably be differing opinions on
what should be released. I lean toward more disclosure rather than less,
but the rules of the game must protect the publisher of the
vulnerability, because he provides a critical service. We cannot afford
to squelch those who expose these problems.

Unfortunately some companies have shown themselves to be unwilling to
correct vulnerabilities without a threat of harm. I don't know whether
that justifies the blackhat vandals. But in the absence of legal
recourse (e.g. vendor liability lawsuits) it may be the one thing that
forces vendors to close the holes.

Publicly disclose the vulnerability immediately, along with
recommendations for temporary countermeasures until a fix is available,
and provide a way to test those countermeasures. That's about the best
we can do IMO.

Ok that's my rant. I feel better.
Re: it's all about timing [ In reply to ]
Richard Clarke, Bush's computer security advisor, seems to reflect sentiment
that's been covered here.

From VAR News:
(http://www.varbusiness.com/sections/news/dailyarchives.asp?ArticleID=36677)

>>>SNIP
*
<<<SNIP
(oops guess you have to follow the link - I don't need AP suing me.)

* Copyright © 2002 The Associated Press. All rights reserved. The
information contained in the AP News report may not be published, broadcast,
rewritten or redistributed without the prior written authority of The
Associated Press.
