Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabil

from [Ernst Lopes Cardozo] Network Security [Permanent Link]
Subject: Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities
Date: Fri, 8 Oct 2004 22:06:23 +0200 
Argh! What next, if "long and detailed explanations" are held against us by
someone signing with "science.org"? If someone's conscience requires him to
deny his fellows vacation nor sleep, requires them to be ready to catch any
ball so craftfuly thrown out of his pit?

Let me -briefly- rationalize, if that's still permitted:

- we want to plug the holes before the bad guys exploit them
- so we need the time to apply patches in a responsible way
   - even the guys tending 10.000 machines
   - even the innocent home users, since their lapses hurt us all
- so we need the patches and the patching vehicles
- so the vendors need time to create and test these
- since patches are hard to distributed without disclosing something about
the vulnerability, there WILL be partial disclosure at that time; but there
is really, really no need to be too specific at that point; there still is a
lot of work to do.

It makes perfect sense to:
1. disclose to the vendor and monitor his progress 2. if the vendor responds
positively, disclose your claim when the patches come out 3. disclose the
details (which may advance the science) by the time the immunization has
progressed sufficiently to preclude major damage.
4. if and only if an exploit surfaces, full disclosure is warranted to allow
each of us a fair chance to fend it off. At that point it is every man for
himself.

I won't claim to present science, but please do forward your arguments, as
long and detailed as you see fit.

Ernst Lopes Cardozo


Jason Coombs of PivX Solutions wrote:
(...)
That such long and detailed explanations rationalizing, defending, and
disputing disclosure policies, and correcting innacurate allegations
concerning one's disclosure practices of the past, are necessary at all is
proof that there are only two options: black or white.
(...)
If somebody of technical skill who has chosen disclosure decides that the
circumstances warrant immediate full disclosure with proof of concept, then
that is the action that must be taken. To do otherwise would be to go
against one's own conscience, the core of which is already proved 'good' by
the fact of the decision to disclose.
(...)
Jason Coombs
jasonc@science.org

--
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such 
that just hitting reply is going to result in the message coming to the list, 
not to the individual who sent the message. This was done to help reduce the 
number of Out of Office messages posters received. So if you want to send a 
reply just to the poster, you'll have to copy their email address out of the 
message and place it in your TO: field.
--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Disclosure Debate - yet again, Russ
Next by Date:  Win XP SP 2 update operations update, Rob, grandpa of Ryan, Trevor, Devon & Hannah
Previous by Thread:  Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities, David Kennedy CISSP
Next by Thread:  Re: ASP.Net vulnerability, Russ
Indexes:  [Date] [Thread] [Top] [All Lists]