Mailing List Archive

Re: Re: it's all about timing
Georgi Guninski said:

>What scares me is that the "Responsible Disclosure" FUD continues. On
>bugtraq people write that CERT and SecurityFocus are "established
>parties" and everyone who does not give them their 0days is
>irresponsible... I personally won't give them my 0days early.

A number of people thought that the disclosure process draft placed
too much of an emphasis on using third parties. That will be weakened
to a suggestion in the next version.

The Coordinator role, as described in the process draft, does not need
to be restricted to parties such as SecurityFocus and CERT/CC. For
example, just this year, w00w00 has taken on the Coordinator role in
the disclosure of an AIM vulnerability and an IE/Office vulnerability.

http://marc.theaimsgroup.com/?l=bugtraq&m=101897994314015&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=102071080509955&w=2

>The "Responsible Disclosure" draft continues to get advertised, though
>it was not approved by IETF.

A minor clarification: while it was the subject of lively debate on
the IETF Security Area Advisory Group (SAAG) mailing list, the SAAG
did not think it was appropriate to pursue a document that dealt with
procedures as opposed to networking protocols. So, it was not
approved because the topic was outside the scope of the IETF.

Other organizations have expressed support for developing the
responsible disclosure concept (with some changes to the current
draft), but they aren't set up for public feedback and/or document
ownership like the IETF is.


- Steve
RE: Re: it's all about timing
Further, I don't trust that any part of the disclosure process is going to
be safe in the future until more specific and defined legal definitions are
in place, even a law. IETF, CERT, a community standard and any rfc aren't
going to protect against some company feeling they were made to look bad and
then decide to sue you or come after you with DMCA.

I heard an interview with the White House "Cyber" Security head on NPR this
morning and listened to his encouragement of "hackers" to keep hacking, but
don't disclose until it's "appropriate", with no mention of what that meant.
He also mentioned that it's ok only for "security professionals" to hunt for
and report security problems in software, but it's not ok for the common guy
to do it because then the law sees them as malicious. What are the criteria
for a "security professional"? If the government/white house is going to
push policy that is this ambiguous in nature, then I need a clearer
definition from our government as to what is ok and what isn't. Because it's
certainly not worth risking your ass so some company can feel better about
protecting their shitty code.

The scope of this disclosure problem goes beyond "when it's appropriate" to
disclose information, in my eyes it's becoming and will become, an issue of
what protections do you get if you find a security flaw and report it to the
company? How about if and when you disclose it? Currently, there are reports
of threats of legal action against people who simply went to a company and
said "here I found this problem, you should fix it". You can follow all the
process and commonly agreed upon "standards" for disclosure you want, but
until there is a clear legal definition and protection, there will continue
to be scare tactics and threats from companies who feel you were being
malicious instead of trying to help.

If there's going to be legal ramifications for finding a security flaw in
company X's software (or for example HP's :-) then I say screw them. If the
cost of my *free* analysis and my time is that I might get fined and thrown
in jail, or at least have to hire a lawyer to protect myself, then I'll stop
helping them. I'm willing to guess this might be others' reactions as well
if things progress to the point where some companies are going after people
finding flaws in their software. I don't owe any company anything. I like to
do security analysis and find these problems; I want to help, but not at the
cost of losing my freedom or money.

I know HP was trying to protect the security of their systems by threatening
legal action should the problem be disclosed before they can react to it.
But really, those tactics serve no one and in the end alienate an entire *free*
security analysis community who was doing *free* work for them.

I know there are many other aspects to this issue, but that's my $0.02,

-cs

-----Original Message-----
From: Georgi Guninski [mailto:guninski@guninski.com]
Sent: Thursday, August 01, 2002 6:04 AM
To: full-disclosure@lists.netsys.com; Bugtraq
Subject: Re: [Full-Disclosure] Re: it's all about timing


IMHO the threats against Snosoft are FUD, even more FUD than the Sklyarov
FUD. I personally don't expect any court.

What scares me is that the "Responsible Disclosure" FUD continues. On
bugtraq people write that CERT and SecurityFocus are "established parties"
and everyone who does not give them their 0days is irresponsible (at least
CERT is known to sell 0days). I personally won't give them my 0days early.

The "Responsible Disclosure" draft continues to get advertised, though it
was not approved by IETF.

Why do people think about giving away the right of free speech just because
of some FUD?

Even in the unlikely case that this bad RFC passes, does it mean that people
are safer when they disclose problems? I definitely don't think so.

So the facts are that some companies can't write secure code and it is more
expensive to write secure code.

Just check "Help -> About" on Windows before using the word
"responsibility".

The easiest solution is to shoot the messenger and to outlaw saying the
emperor has no clothes. But this won't fix the problem in the real world.
IMHO such regulations will only alienate a lot of people and will make
things worse.

----
When I answered where I wanted to go today, they just hung up (Unknown
Author)


Steven M. Christey wrote:
> The Responsible Disclosure Process draft specifically allows for
> researchers to release vulnerability information if the vendor is not
> sufficiently responsive. Some people may disagree with the delay of
> 30 days between initial notification and release, but I don't think
> there are good stats on how long it really takes vendors to fully
> address vulnerability reports - open or closed source, freeware or
> commercial. Let's take a recent example - how much coordination had
> to happen for the zlib vulnerability? It seems reasonable to assume
> that it took more than a day. And the controversial "grace period"
> has the interesting distinction of being used by both Microsoft and
> Theo de Raadt.
>
> Researchers can help to shed light in this area by publishing
> disclosure histories along with their advisories. (By the way, vendor
> advisories rarely include such information.)
>
> While the response to the proposal focused almost exclusively on how
> it impacts researchers, it lays out a number of requirements for
> vendors, primarily that they (a) make it easy for people to file
> vulnerability reports, (b) be responsive to incoming vulnerability
> reports, and (c) address the issues within a reasonable amount of
> time.
>
> IMHO, it makes a stronger impression when someone releases a security
> advisory with an extensive disclosure history that says how much they
> tried to resolve the issue with the vendor, before they released.
>
> Those who are interested in the legal aspects of "responsible
> disclosure" are encouraged to read the article by Mark Rasch at
> http://online.securityfocus.com/columnists/66. The article basically
> says that the adoption of community standards could protect
> researchers who disclose issues responsibly, while it could also help
> vendors who seek legal recourse against researchers who are not
> responsible (for some definition of "responsible"). The former could
> happen with a community standard. The latter may already be happening
> without one.
>
> This email is my personal opinion, not my employer's.
>
> - Steve
> (co-author of the aforementioned Responsible Disclosure proposal,
> which is presently quiet but not dead, but will always be subject to
> public feedback)
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
>
RE: it's all about timing
Well, by your own admission, HP's legal department was strong-arming you,
which is just plain wrong. It seems to me, from what I have read around here
and other lists, the story is not smeared at all. My understanding of the story
was and still is: HP thinks they are too big and have good lawyers, and thus
think they have a right to threaten you and the public. And according to you,
that is exactly the way it is, no smearing involved.

And btw, that is quite honorable and admirable that you and your team worked
for so long and so hard to help HP; too bad they haven't showed the same type
of attitude towards you as well. High five to you on that. I find it
despicable that HP would even suggest any legal actions upon you in this
matter. And as a result, I find myself looking at other manufacturers'
printers; any HP product will be the last on my list to be considered.

good job HP, another happy customer. please note the sarcasm in that
statement.

Don

> >-----Original Message-----
> >From: John Scimone [mailto:sert@snosoft.com]
> >Sent: Wednesday, July 31, 2002 12:57 PM
> >To: full-disclosure@lists.netsys.com; Florin Andrei;
> >bugtraq@securityfocus.com
> >Subject: Re: [Full-Disclosure] it's all about timing
> >
> >
> >I agree with this. However, in the Snosoft case the facts have been
> >smeared by all the different stories going around. I will not get into
> >it in detail but we have been working with HP on this for 4+ months,
> >bending over backwards for them to keep everything out of the eyes of
> >the public. All the time putting up with threats of suit for nonsense
> >issues. The bottom line is that we went above and beyond what is
> >reasonable for a research group to do because we knew how serious the
> >issue is, and after managing to do this for so long something got
> >leaked which was inevitable with the amount of people working on the
> >problem. I believe if instead of it being a leak we released an
> >advisory on the issue (we couldn't do this b/c of HP's legal department
> >strong-arming us) after 2 months nevermind 4 months it would have been
> >more than reasonable. Look for an official statement tonight on our
> >website www.snosoft.com with the exact details but I'm sick of going
> >through the day listening to the facts get smeared b/c of false reports.
> >
> >-sert
> >
> >
> >On Wednesday 31 July 2002 09:26 pm, Florin Andrei wrote:
> >> (I'm going to go a little bit further from the HP/Snosoft case, so
> >> don't be surprised if some of the statements below do not fit 100% in
> >> that case)
> >>
> >> All these problems will vanish if people choose to disclose
> >> vulnerabilities in a responsible way.
> >> Sure, HP's response has been harsh. But every security problem
> >> (especially when it's accompanied by an exploit) should be reported
> >> first to the vendor! There should be no exception from this rule. The
> >> person doing the reporting should give the vendor a reasonable period
> >> of time to fix it; say, a few weeks or so.
> >>
> >> Only if the vendor does nothing in these weeks, only then should the
> >> report/exploit/whatever be made public.
> >>
> >> If hacker H writes a comment on Slashdot, making public an exploit
> >> against some software made by vendor V, and does not notify V in
> >> advance (say, 2...4 weeks in advance), and then V sues H, then who's
> >> right?
> >>
> >> H is right, because (s)he disclosed a vulnerability, and disclosing is
> >> good.
> >> V is right, because not being warned in advance, their customers are
> >> left to the mercy of script kiddies.
> >> H is wrong, because (s)he's obviously looking for cheap publicity (I
> >> published a zero-day exploit; mine is bigger), not for improving
> >> security.
> >> V is wrong, because they are filing a lawsuit against open disclosure,
> >> which is not a good thing.
> >>
> >> See?
> >>
> >> And the solution is so simple: DO NOT publish "zero-day exploits". Give
> >> the damn vendors an early warning. Only if they are lazy and do nothing
> >> within a reasonable time (2...4 weeks), only then are you entitled to
> >> go slashdot-happy.
> >>
> >> I'm a big fan of open disclosure, freedom of speech, etc. But people
> >> who look for cheap publicity are not my favourites. If H is going to
> >> publish the exploit without early warning, I'll say V has all the
> >> rights in the world to sue the crap out of H, and put him(her) in jail
> >> for one thousand years, and I'll applaud that.
> >> However, if there was an early warning, within a reasonable time, like
> >> one month or so (unlike some popular security companies did recently),
> >> and the vendor did nothing and didn't provide a good reason for the
> >> delay (because such reasons could exist, if you think of it), then H is
> >> 100% entitled to publish whatever exploit he likes.
> >>
> >> It's all about timing. It's all about being reasonable.
> >
> >
RE: it's all about timing
<snip>
Clarke says the hackers should be responsible about reporting the
programming mistakes. A hacker should contact the software maker first, he
says, then go to the government if the software maker doesn't respond soon.
<snip>

Ok, right up to the point where Mr. Clarke mentions to raise the issue up to
the 'government'.

government = software police = special interest = campaign funds

Does this guy have a D or R after his name.

-----Original Message-----
From: Rohny Jotton [mailto:rohnyjotton@hotmail.com]
Sent: Thursday, August 01, 2002 2:15 PM
To: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] it's all about timing


Richard Clarke, Bush's computer security advisor, seems to reflect sentiment
that's been covered here.

From VAR News:
(http://www.varbusiness.com/sections/news/dailyarchives.asp?ArticleID=36677)

>>>SNIP
*
<<<SNIP
(oops guess you have to follow the link - I don't need AP suing me.)

* Copyright © 2002 The Associated Press. All rights reserved. The
information contained in the AP News report may not be published, broadcast,
rewritten or redistributed without the prior written authority of The
Associated Press.


RE: it's all about timing
> I. Discoverer reports the problem to the vendor via
> quiet channels;
> A. Vendor responds within three business days[2]
> and dialogue on vulnerability is opened, or;

As a point of comparison, this is shorter than RFPolicy 2.0's
recommendations ("5 working days") and the Responsible Disclosure
draft ("7 calendar days" - which covers any 5 working days, which vary
depending on what country you're in, and allows for holidays. We
would have chosen "5 business days," except it varies so much across
different countries.)

What happens if you think you've given the vendor 3 business days, but
2 of them were their country's "weekend," and the other day was a
national holiday?

> B. Vendor does not respond within three business
> days and full disclosure occurs immediately, or;

The responsible disclosure draft allows for disclosure if the
researcher can't find the appropriate contact point, or if a human
does not respond (though it recommends involving a coordinator).

It also explicitly says that vendors should respond to the initial
report within 7 calendar days.

> II. If vendor responds per conditions as outlined in Section I,
> Item A, then Discoverer and Vendor are at liberty to
> set a timeline considered reasonable by both parties
> (factoring in severity of vulnerability and likelihood
> that vulnerability is already being actively exploited).

It seems that often, there is either (a) disagreement between
Discoverer and Vendor, or (b) they each have different expectations,
and those expectations are not part of the communication. Also,
keeping open communication channels seems to be important; both
RFPolicy 2.0 and the RVDP draft recommend that all parties
maintain regular communication.

>All bets are off if the vulnerability is discovered via a HoneyPot.
>Such a situation means that the exploit is in the wild and attackers
>already have full knowledge of attack methodology.

There seems to be general agreement in this area, although the RVDP
draft did not address this (an oversight).

- Steve
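Steve's "3 business days vs. 7 calendar days" point is easy to get wrong when the reporter and the vendor sit in different countries, so here is a small added example (not part of this thread, and not code from any of the parties or from the RFPolicy/RVDP drafts) that computes both kinds of deadline. It assumes a report sent on Thursday 2002-08-01 (the thread's date), a few illustrative weekend conventions, and one constructed national holiday; real holiday calendars are not modelled.

```python
from datetime import date, timedelta

# Weekend conventions as sets of weekday numbers (Monday=0 ... Sunday=6).
# Which countries use which is an illustrative assumption, not a reference table.
WEEKENDS = {
    "sat-sun": {5, 6},
    "fri-sat": {4, 5},
    "thu-fri": {3, 4},
}


def iso(s):
    """Parse 'YYYY-MM-DD' into a date (convenience for the examples below)."""
    return date.fromisoformat(s)


def is_business_day(d, weekend, holidays=frozenset()):
    """True if d is neither a weekend day (per `weekend`) nor in `holidays`."""
    return d.weekday() not in weekend and d not in holidays


def business_deadline(start, n_days, weekend, holidays=frozenset()):
    """Date by which n_days business days after `start` have elapsed,
    counting only days that pass is_business_day()."""
    d, counted = start, 0
    while counted < n_days:
        d += timedelta(days=1)
        if is_business_day(d, weekend, holidays):
            counted += 1
    return d


def calendar_deadline(start, n_days):
    """Date n_days calendar days after `start`; the same in every locale."""
    return start + timedelta(days=n_days)


def business_days_between(start, end, weekend, holidays=frozenset()):
    """Business days strictly after `start`, up to and including `end`."""
    return sum(
        1
        for i in range(1, (end - start).days + 1)
        if is_business_day(start + timedelta(days=i), weekend, holidays)
    )


if __name__ == "__main__":
    sent = iso("2002-08-01")          # Thursday; constructed report date
    holiday = {iso("2002-08-05")}     # constructed national holiday (Monday)

    # The reporter, on a Sat-Sun calendar, believes 3 business days end here:
    reporter_deadline = business_deadline(sent, 3, WEEKENDS["sat-sun"])
    print("reporter's 3-business-day deadline:", reporter_deadline)

    # A vendor on a Fri-Sat calendar with that Monday holiday has only had:
    had = business_days_between(sent, reporter_deadline, WEEKENDS["fri-sat"], holiday)
    print("business days the vendor actually had by then:", had)

    # A 7-calendar-day window covers 5 working days under any 2-day weekend:
    seven = calendar_deadline(sent, 7)
    for name, wk in WEEKENDS.items():
        n = business_days_between(sent, seven, wk)
        print(f"{name}: {n} working days inside 7 calendar days (ends {seven})")
```

With the constructed inputs the reporter's deadline lands on 2002-08-06, by which the Fri-Sat vendor has had only 2 working days, while the 7-calendar-day window ends on 2002-08-08 and contains 5 working days for every weekend convention. A holiday inside that window still reduces the count (to 4 here), so the benefit of a calendar-day window is that both sides compute the same date, not that it always yields exactly 5 working days.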
Re: it's all about timing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thou spake:
>On Wed, 31 Jul 2002, Eric N. Valor wrote:
>> Are we enough of an ad-hoc "authority" to attempt to determine a proper
>> course of action for these instances? Codifying this (even if it's just a
>> "gentlemen's agreement") would most definitely be A Good Thing.
>
>RFPolicy always seemed reasonable to me.

Got a URL for that?

- --

Joey Kelly
< Minister of the Gospel | Computer Networking Consultant >
http://joeykelly.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9SaLSTACso8v35Y4RAqiPAJ9CH0CmMuXXS5Ga3pBab3z8leUIJgCfY8Aj
j1WIut13t29/9JIly7+PEUU=
=mIrZ
-----END PGP SIGNATURE-----
Re: it's all about timing
http://www.wiretrip.net/rfp/policy.html


Thanks,

Ron DuFresne

On Thu, 1 Aug 2002, Joey Kelly wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Thou spake:
> >On Wed, 31 Jul 2002, Eric N. Valor wrote:
> >> Are we enough of an ad-hoc "authority" to attempt to determine a proper
> >> course of action for these instances? Codifying this (even if it's just a
> >> "gentlemen's agreement") would most definitely be A Good Thing.
> >
> >RFPolicy always seemed reasonable to me.
>
> Got a URL for that?
>
> - --
>
> Joey Kelly
> < Minister of the Gospel | Computer Networking Consultant >
> http://joeykelly.net
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
RE: it's all about timing
> = Jay D. Dyson

>I don't hold much empathy [for vendors who take more than 3 days to
>respond], quite honestly...especially since history shows that the
>greatest volume of attacks occur during holidays and off-hours (hence
>they shouldn't have skeleton crews during those times).
>
>Also for consideration is that every critical role in an
>organization should have a designated alternate who handles such reports
>when the canonical Big Cheese is off at the beach.

That may be an expectation of many in the security community, but I
don't think many vendors currently have this level of coverage. And
for commercial vendors, a solid business case probably needs to be
made before they can commit to this type of response. The customers
(or the "marketplace") may ultimately decide how quickly a vendor must
respond, but the security community is only a small portion (and
sometimes vendors say just that). I don't think that the typical
customer thinks about disclosure issues, or at least it's not a factor
in purchasing decisions. (And the only real data there seems to be on
disclosure opinions - the study by the Hurwitz Group - was based on a
survey of security professionals.)

>> The responsible disclosure draft allows for disclosure if the
>> researcher can't find the appropriate contact point, or if a human
>> does not respond (though it recommends involving a coordinator).
>
> A couple of colleagues and I talked about an RFC for
>security@domain.tld. I was under the impression that such had been
>submitted by another party, but I haven't seen anything come to pass.

One concern with the "security" alias was that it was already
overloaded. For example, it's already recommended in RFC2142 for
incident handling, and the alias could be in use for physical
security. We proposed "secalert" because it's not overloaded, as
*nobody* is actually using it, which would mean that a vendor who uses
it, is probably interested in following community standards; but the
alias is not obvious, which is also a limitation.

One thing that's been suggested a number of times - in the feedback to
the RVDP draft, on this list, and elsewhere - is that vendors should
prominently display contact points for handling security issues. If
that happens, then it wouldn't really matter which alias is used by a
particular vendor, and maybe standardizing on a single alias doesn't
become necessary.

>> >All bets are off if the vulnerability is discovered via a HoneyPot.
>> >Such a situation means that the exploit is in the wild and attackers
>> >already have full knowledge of attack methodology.
>>
>> There seems to be general agreement in this area, although the RVDP
>> draft did not address this (an oversight).
>
> *nod* Any chance that could be added, just to cover all the
>bases?

That's my intention, although it will likely be subjected to some form
of scrutiny and debate, just like almost every item in the original
draft ;-)

- Steve
Re: it's all about timing
On Wed, 31 Jul 2002, Eric N. Valor wrote:
>>RFPolicy always seemed reasonable to me.

Joey Kelly asked:
>Got a URL for that?

http://www.wiretrip.net/rfp/policy.html

RFPolicy is an excellent document, which much of the responsible
disclosure draft is based on. However, it focuses on the researcher.
The responsible disclosure draft also includes recommendations for
vendors that would make it easier on researchers who want to follow
RFPolicy. Where RFPolicy says "give the vendors X working days to
respond," the RVDP has recommendations for researchers to give vendors
X days, and complementary guidelines for vendors to respond within X
days. (X = 5 for RFPolicy and X=7 for RVDP, as discussed in a
previous email).

- Steve
Re: it's all about timing
I know the majority of Linux vendors (including "major" guys) have less than
half a dozen full time "security" staff (people rebuilding packages with
security patches, verifying problems, etc.). In many cases it's 1-2 (for
"large" vendors that would surprise you).

Having two people for each "position" is pretty tricky in this case. One
reason none of them really get any vacation time =).


Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
Re: it's all about timing
Hi,

I really don't understand why we're discussing RFPolicy. It's not the
main subject of the HP/Snosoft DMCA topic. Here is why:

My knowledge says that there are two major things in engineering: Laws &
Ethical Issues.

First of all observe the following case:

- Assume that a window of a grocery is broken.
- Anyone can get something inside without paying at midnight since there
is no glass over there. Normally one would call the police and say to the
police that the window is broken and ask for taking precautions, otherwise
somebody may take all the bananas and run away.
- The law says that: you're guilty if you steal something.
- The law also says that: you're not guilty if you don't call the police after
realizing that the window is broken.

Let's look at what ethics says:

- You're not ethical if you steal something.
- You're not ethical if you don't call the police.

See? The second line is not ethical but legal.

In the DMCA/HP/Snosoft case, the problem is the LAW not the ethical issues.
We must consider these ethical issues later, like RFPolicy, because HP
already sued SnoSoft according to laws not ethics.

Here are my thoughts about the topic:

There are no laws that state "If it is done at 7 o'clock it is legal and
if you do it at 11 o'clock you'll be punished with ten thousand years in
prison."

This law can't be applied to the real world, sorry. We can't prove that
we've already talked with HP at 7 o'clock, they didn't answer until 11
o'clock so I published the exploit code. Unless all vendors are
governmental no legal proof can be stated to the court about these
conversations between Vendors and Hackers. Remember they've got lots of
bucks to give advocates. We're alone.

I propose two ways to get around this:

i. Publish zero-day exploits. Forget about the vendor. Since hacking is
illegal, assume the police will catch the hacker since he/she is doing
something illegal. This is why there are cybercops, am I right? Nobody can
be punished if he/she didn't call the police in case of a broken window.
ii. Hackers are not allowed to publish any exploits. They can just send
the exploit code/bug report to the vendor. The vendor publishes proof of
concept code to the public with the fix when available, if they want of
course. I think the DMCA will grant this since vendors hold the copyright
on the product. Also, we know that no vendor wants to publish that
their product is insecure.

Another topic that I want to discuss is that I'm living in Turkiye and here
we don't have any DMCA super duper laws. We have a simple copyright law
which does not include the DMCA. Who's gonna stop me publishing 0 day
exploits? Obviously no one. Right? The USA may cancel Turkiye's connection
to the USA but I don't think that this is impossible for now. Also, they may
prevent me entering the US frontiers but I really don't care about it.

As a result, only US programmers will suffer from this law, not me. They
are going to think twice before publishing anything. This is of
course unfair. The US government just makes their own programmers suffer from
this law by saying "We are protecting the vendors". They are just
missing the statement that "Hackers make their product more secure, more
reliable". I think that they are assuming every vendor has enough
skilled "Hacker" employees to check their products. Heh:-)) As Kurt
said, they don't.

In the future, I think, only vendors can publish such exploits, fixes
and proofs of concept in the USA. Hackers are gonna just take small credit at
the end of the message. For the rest of the world, the game is not over and
ppl will continue to publish exploits. Besides, vendors will make money
using the works of hackers. This is what we call capitalism in fact and
it is coming over us again. Beware:-))

PS: Heh maybe we should buy a small island and found our "Country of
Secure Systems" and publish exploits from there. Any island suggestions?

Kind regards,
--
Evrim ULU
evrim@envy.com.tr / evrim@core.gen.tr
sysadm
http://www.core.gen.tr
Re: Re: it's all about timing
Steven M. Christey wrote:
>
> A number of people thought that the disclosure process draft placed
> too much of an emphasis on using third parties. That will be weakened
> to a suggestion in the next version.
>
>

I disagree with 3.6.2 Reporter Responsibilities from the draft.
My concerns are at: http://www.guninski.com/rfcsec.html

I believe a lot of people won't like some RFC to forcefully put responsibilities
on them.

Who benefits from keeping reporters quiet for as long as possible - only big
corps who can't code in my opinion.

A recent study showed that a lot of professionals want information about
vulnerabilities as soon as possible.

Georgi Guninski
http://www.guninski.com
Re: it's all about timing
I propose an exercise:

Why do people look for vulnerabilities?
Why do people publish vulnerabilities?

If you take the broken window example Evrim Ulu has proposed, it is
clear that most of us do not walk around the streets carefully examining
windows to see if they are broken. Sometimes we spot a broken window,
but we don't actively look for them. Unless, of course, we are the shop
owner. Or a burglar.

People look for vulnerabilities for the following reasons:

- They want to stress the code they are running on their systems to make
sure it is safe (shop owner)
- They are looking for possible ways to abuse a system they do not own
(would-be burglar)
- They feel that they have a moral "duty" to use their skills and time
for other's good (concerned citizen)
- They have nothing else to do and think this is fun (vulnerability
hobbyist)
- They look for vulnerabilities because they are responsible for the
vulnerable product (vendors)
- They look for vulns with the express intention of publishing them and
make themselves noticed (karma whores)

On the other hand, people publish vulnerability information for the
following reasons:

- They publish vuln info to make themselves noticed (karma whores)
- They publish vuln info because they have customers that pay (or
otherwise produce revenue) for that service (watch dog)
- They publish vuln info because they are responsible for the vulnerable
code (vendors)
- They feel that they have a moral "duty" to publish this information
once they have it, since it may be a global risk (concerned citizen)
- They have nothing else to do and think this is fun (why nots)

Professional security staff and vulnerability seekers are a special case
of the karma-whore/watch-dog combination. You find vulnerabilities in
order to have them published and have your name mentioned, because that
is the basis for your revenue model. In turn, you have paying customers
that profit by either having early access to the vuln info or premium
access to patches and/or related security services.

The whole DMCA vs. Full Disclosure issue must take into account the
deeper reasons I have mentioned. Why do people search for vulns, and why
do they publish them?

Shop-owners:
Shop-owners that look for vulns on the products they use already have
the "right" attitude about this issue. They either contact vendors or
create their own patches and submit them to the vendors. Shop-owners are
not interested in early disclosure, since it might further expose their
systems. Enforcing any kind of n-day disclosure or no-disclosure law
would have no impact on their behavior. Except, of course, in the event
that the vendor does not fix their product and the shop-owner has to
create a patch to protect himself, and only then will he be willing to
publicly disclose the vuln.

Would-be Burglars:
Burglars don't disclose vulnerabilities, just like in the real world
they don't go around telling other burglars about this nice broken
window they found. Burglars actively exploit vulns and will continue to
do so, regardless of any law on the subject.

Vulnerability Hobbyists:
Hobbyists look for vulns because it's a challenge, and they would
probably continue to do so. But any challenge must have a reward, and
peer-recognition is part of that reward. If disclosure is banned, part
of the reward is gone and hobbyists will be less inclined to seek vulns,
directing their efforts to other things. Hobbyists thrive in recognition
from the established security industry, so they are likely to be
responsible in their disclosure procedure. Having an n-day policy would
not change the way they act. Having a no-disclosure policy would
probably lead them to disclose vulns in private forums, where it might
easily leak to would-be burglars before it reaches the white-hat
community and the affected system owners.

Concerned Citizens:
Concerned Citizens (aka the white hat community) would be severely
affected by any restrictions on full disclosure. Most citizens already
report vulns primarily to the vendor, in the hope that the vendor will
solve the issue. If the vendor fails to comply, they look for a forum
where to advise their peers about the problem, the failure to comply,
and a possible fix. If such forums are outlawed, the citizens will still
feel the moral need to search for flaws and to warn others. Remember
that it is the concerned citizen attitude that is at the origin of every
neighbourhood watch and popular militia group in the world. If the means
to perform this "duty" in a responsible manner are banned, the citizens
will be pressured into finding other ways of spreading this information.
What is now volunteer work, white hat work, done for the global
community, may turn into commercial activities, if the citizen is so
pressured in his need to be "responsible" that he finds it in himself to
affiliate with a professional security company. It may turn into an
underground activity, if the citizen is forced to create an
"underground", "illegal" list in order to publish what he has found. Or
it may turn into an activity known to few, inside a members-only mailing
list for a small group of like-minded people that the citizens
personally know. Either way, any disclosure control law other than what
is now current practice (vendor first, CERT if you want to, back off 30
days, then all hell breaks loose) will limit the activity of concerned
citizens and diminish global security.

Karma Whores:
The karma whores are in it for the glitz. They look for vulns in order
to publish them, and publish them in order to get peer recognition.
Vulns are like hunting trophies. They will eventually report to the
vendor, if and only if the vendor will acknowledge what they report and
give them appropriate credit when it finally discloses the vuln, along
with the patch. If it is not like this, they will disclose the
information independently. The damage done by karma whores can only be
mitigated with better vendor responsiveness. And that is something that
no law can achieve. If any law requires vendors to be notified ahead of
time, the karma whores will still publish the vuln if the vendor does
not respond in appropriate time. And the next time a vuln comes along in
another product by the same vendor, karma whores are likely to disclose
on day 0, "just to show them". Having a law will not change this. This
is human nature at work. Today,
karma whores disclose on the public lists, and everyone benefits from
that. If <n-day is banned, or if disclosure is banned, the karma whores
will move into the black hat lists, into private forums, into the irc
networks. The effort required by the white hat community in order to
track all disclosed vulnerabilities will be greatly increased.

Vendors:
Many vendors only disclose if they have to, if they are forced to
disclosure by full or partial disclosure by third parties. Increasing
the non-disclosure timeout period only gives vendors more time to react.
But the time already given is more than enough. Any vulnerability that
cannot be fixed in 30 days is not likely to be fixed in 45 or in 60
days. And if the vendor contacts the vuln finder and asks for more time
before disclosure, most finders will gladly comply.
The problem is that many vendors don't respond when they are contacted.
And no law is going to fix that. As for the vendors that only respond
after the vuln is public, and after an exploit is in the wild, their
customers are not going to benefit from a delayed non-disclosure period.
Furthermore, the longer one waits after reporting to a vendor and before
full disclosure, the more chances that a separate, independent
researcher will find the same vuln and disclose it into a black hat
forum, making all customers vulnerable. Vendors will not benefit from a
further delayed disclosure law. And customers will be hurt.

Defense is very different from offense.
Defense must cover all the fronts; offense needs to concern itself with only one.
Black hats will continue to thrive if the public, general forums are
outlawed. No blackhat ever needs all the information about all the
products. He just needs one flaw in one product that he can exploit in
order to get into wherever he wants. If disclosure is harmed, they won't
suffer. The private forums and mailing lists and irc and icq and instant
messenger black-hat clubs will continue to exist and information will
continue to flow there. If anything, the law will help them, by moving
what would otherwise be responsible disclosure by citizens and hobbyists
into the blackhat zones.
White hats, on the other hand, will be forced to roam the blackhat zones
looking for information. They will need to pay much more attention to
their IDS systems. They will need much more people in their departments
to help with auditing and identifying potential attack attempts. If they
do not know about the vulnerabilities, they cannot protect themselves.

I do not wish to propose full 0-day disclosure as a rule. 30-days is
appropriate. Even if it was 20 days, it would still be appropriate. But
any effort to delay the timeout period, or to limit the amount of
information that can be disclosed, is bad for the industry, bad for the
users, bad for the system administrators.
And, in fact, good for the burglars.

Julião Duartenn
Re: it's all about timing [ In reply to ]
Hey bro,
Jump on irc.homelien.no #snosoft ;o)


On Mon, 2002-08-05 at 15:34, KF wrote:
> nicely spoken
> -KF
>
--

-------------------------------------------------------
Secure Network Operations, Inc.| http://www.snosoft.com
Cerebrum Project | cerebrum@snosoft.com
Strategic Reconnaissance Team | recon@snosoft.com
-------------------------------------------------------
Re: it's all about timing [ In reply to ]
yeah... these reply-to things.... arg...


On Mon, 2002-08-05 at 12:40, ATD wrote:
> Hey bro,
> Jump on irc.homelien.no #snosoft ;o)
>
>
> On Mon, 2002-08-05 at 15:34, KF wrote:
> > nicely spoken
> > -KF
> >
--

-------------------------------------------------------
Secure Network Operations, Inc.| http://www.snosoft.com
Cerebrum Project | cerebrum@snosoft.com
Strategic Reconnaissance Team | recon@snosoft.com
-------------------------------------------------------
Re: it's all about timing [ In reply to ]
nicely spoken
-KF

----- Original Message -----
From: "Evrim ULU" <evrim@core.gen.tr>
To: <full-disclosure@lists.netsys.com>
Sent: Friday, August 02, 2002 5:19 AM
Subject: Re: [Full-Disclosure] it's all about timing


> Hi,
>
> I really don't understand why we're discussing RFPolicy. It's not the
> main subject of the HP/Snosoft DMCA topic. Here is why:
>
> My knowledge says that there are two major things in engineering: Laws &
> Ethical Issues.
>
> First of all, observe the following case:
>
> - Assume that a window of a grocery is broken.
> - Anyone can get something inside without paying at midnight since there
> is no glass over there. Normally one would call the police and tell the
> police that the window is broken and ask for precautions to be taken,
> otherwise somebody may take all the bananas and run away.
> - Laws say that: u'r guilty if u steal something.
> - Laws also say that: u'r not guilty if u don't call the police after
> realizing that the window is broken.
>
> Let's look at what ethics says:
>
> - U'r not ethical if u steal something.
> - U'r not ethical if u don't call the police.
>
> See? The second line is not ethical but legal.
>
> In the DMCA/HP/Snosoft case, the problem is the LAW, not the ethical issues.
> We must consider these ethical issues, like RFPolicy, later, because HP
> already sued SnoSoft according to laws, not ethics.
>
> Here are my thoughts about the topic:
>
> There are no laws that state "If it is done at 7 o'clock it is legal and
> if u do it at 11 o'clock u'll be punished with ten thousand years in
> prison."
>
> This law can't be applied to the real world, sorry. We can't prove that
> we've already talked with HP at 7 o'clock, they didn't answer until 11
> o'clock so I published the exploit code. Unless all vendors are
> governmental, no legal proof can be presented to a court about these
> conversations between Vendors and Hackers. Remember they've got lots of
> bucks to give advocates. We're alone.
>
> I propose two ways to get around this:
>
> i. Publish zero-day exploits. Forget about the vendor. Since hacking is
> illegal, assume the police will catch the hacker since he/she's doing
> something illegal. This is why there are cybercops, am I right? Nobody
> can be punished if he/she didn't call the police in case of a broken window.
> ii. Hackers are not allowed to publish any exploits. They can just send
> the exploit code/bug report to the vendor. The vendor publishes proof of
> concept code to the public with the fix when available, if they want of
> course. I think DMCA will grant this since vendors hold the copyright
> on the product. Also, we know that no vendor wants to publish that
> their product is insecure.
>
> Another topic that I want to discuss is that I'm living in Turkiye and here
> we don't have any DMCA super duper laws. We have a simple copyright law
> which does not include DMCA. Who's gonna stop me publishing 0 day
> exploits? Obviously no-one. Right? USA may cancel Turkiye's connection
> to USA but I don't think that this is impossible for now. Also, they may
> prevent me entering the US frontiers but I really don't care about it.
>
> As a result, only US programmers will suffer from this law, not me. They
> are going to think twice before publishing anything. This is of
> course unfair. The US government just makes their own programmers suffer
> from this law by saying "We are protecting the vendors". They are just
> missing the statement that "Hackers make their product more secure, more
> reliable". I think that they are assuming every vendor has enough
> skilled "Hacker" employees to check their products. Heh:-)) As Kurt
> said, they don't have.
>
> In the future, I think, only vendors can publish such exploits, fixes
> and proofs of concept in USA. Hackers are gonna just take small credit at
> the end of the message. For the rest of the world, the game is not over and
> ppl will continue to publish exploits. Besides, vendors will make money
> using the works of hackers. This is what we call capitalism in fact and
> it is coming over us again. Beware:-))
>
> PS: Heh maybe we should buy a small island and found our "Country of
> Secure Systems" and publish exploits from there. Any island suggestions?
>
> Kind regards,
> --
> Evrim ULU
> evrim@envy.com.tr / evrim@core.gen.tr
> sysadm
> http://www.core.gen.tr
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
Re: it's all about timing [ In reply to ]
Breaking news... Snosoft team members are too stupid to use email. *wink*
-KF

----- Original Message -----
From: "ATD" <simon@snosoft.com>
To: <full-disclosure@lists.netsys.com>
Sent: Monday, August 05, 2002 9:46 AM
Subject: Re: [Full-Disclosure] it's all about timing
