-==phpBB 2.0.14 Multiple Vulnerabilities==-
Paul Laudanski
2005-04-23 22:09:13 UTC
/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® - Advisory #14 - 17/04/05
--------------------------------------------------------
Program: phpBB 2.0.14
Homepage: http://www.phpbb.com
Vulnerable Versions: phpBB 2.0.14 & Lower versions
Risk: Low Risk!!
Impact: Multiple Vulnerabilities.
-==phpBB 2.0.14 Multiple Vulnerabilities==-
Unsure if it's me, but I didn't see a vendor notification here? Might be
because I'm so happy being a proud new dad, but, I thought proper
disclosure etiquette involved vendor notification and time to test
properly, and waiting for a patch to be released?

Whatever happened to that?
--
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html
MSMVPS Blog ..... http://msmvps.com/castlecops

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com


________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.

part000.txt - is OK
http://castlecops.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Dave Aitel
2005-04-24 17:23:09 UTC
Post by Paul Laudanski
Risk: Low Risk!!
Impact: Multiple Vulnerabilities.
-==phpBB 2.0.14 Multiple Vulnerabilities==-
Unsure if it's me, but I didn't see a vendor notification here? Might be
because I'm so happy being a proud new dad, but, I thought proper
disclosure etiquette involved vendor notification and time to test
properly, and waiting for a patch to be released?
Whatever happened to that?
Nothing happened to that - it was never true. Those of us who find bugs
would really appreciate it if every Microsoft MVP would stop
astroturfing these lists about it too.

Thanks,
Dave Aitel
Immunity, Inc.
Steve Friedl
2005-04-24 17:35:10 UTC
Post by Dave Aitel
Nothing happened to that - it was never true. Those of us who find bugs
would really appreciate it if every Microsoft MVP would stop
astroturfing these lists about it too.
You don't care what we think: why would we care what you think?
--
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | ***@unixwiz.net
bkfsec
2005-04-25 19:45:03 UTC
Post by Steve Friedl
Post by Dave Aitel
Nothing happened to that - it was never true. Those of us who find bugs
would really appreciate it if every Microsoft MVP would stop
astroturfing these lists about it too.
You don't care what we think: why would we care what you think?
I don't think he said that at all.

There's a big difference between discussing disclosure etiquette and
demanding that one's terms of disclosure etiquette be followed. Those
on the "full disclosure sucks" end tend to do the latter.

Frankly, Dave's right - it was never required to inform the vendor. Is
it a nice thing to do? Sure. (informing the vendor, that is...) Is it
the responsible thing to do? I tend to think so...

But, should one be compelled to do so? I don't think so. Frankly, I'd
hate to see what the world would be like if we had to pass our actions
through Acme XYZ company whenever we do anything... I mean, I suppose if
you like servitude, then having to get permission for everything would
make sense...

It comes down to this: when real people find out something or other
regarding a product, they should be allowed to share that information
without restriction. That's the organic nature of information: live
with it because it's not going to change. The alternative is a freeze
on information that would amount to the destruction of all information
freedom and, ultimately, the death of democracy (if it ever actually
existed)...

Now, responsible disclosure is one thing, but there is no requirement to
be responsible. And that isn't to say that just disclosing a bug is
inherently irresponsible. If the vendor is not responsive or has not
been responsive in the past, then I say disclose away. At that point,
disclosure is the responsible thing to do.

Neither side bears a rosy picture: full disclosure can result in users
being harmed... but those who've spent any remote amount of time amongst
real hackers/crackers know that that is no different than the status
quo. (Most of them never end up as MS MVPs, btw) The "full disclosure
sucks" side of the table results in a concept which forwards the idea
that a freeze on information ultimately is a good thing and we should
all eat from the corporate trough.

I'd take my chances with the status quo, keep the flow of information
moving, and use that information to protect myself.

No offense meant, but can't we all just get along on this little playground?

-Barry


Paul Laudanski
2005-04-26 02:01:36 UTC
Post by bkfsec
There's a big difference between discussing disclosure etiquette and
demanding that one's terms of disclosure etiquette be followed. Those
on the "full disclosure sucks" end tend to do the latter.
I don't think anyone here is arguing the concept of "full disclosure". By
all means go for it. I've done so in the past myself. Point I'm making
here is, why issue a disclosure without suggesting any kind of patch
coupled with the fact that the vendor wasn't even notified.

What's the point of humanity? To me it's helping each other out. Without
vendor notification and/or a suggested patch, what's the point of having a
disclosure that actually helps sysadmins protect their systems?

Granted this disclosure calls itself a low risk. But what if it were a
high risk that could sweep itself across the net bringing websites down,
causing people to lose time and sleep trying to figure out what a decent
patch is?

Moral fiber.
Post by bkfsec
Frankly, Dave's right - it was never required to inform the vendor. Is
it a nice thing to do? Sure. (informing the vendor, that is...) Is it
the responsible thing to do? I tend to think so...
It's not about requirements. It's about doing the right thing. Let's
analyze what the OP released. If it contained a suggested patch then I
would not have replied nor had an issue with the release. We wouldn't
even be having this discussion.
Post by bkfsec
But, should one be compelled to do so? I don't think so. Frankly, I'd
hate to see what the world would be like if we had to pass our actions
through Acme XYZ company whenever we do anything... I mean, I suppose if
you like servitude, then having to get permission for everything would
make sense...
Last I checked slavery was abolished. The pros play nicely, and if
someone wants to get into the game, then be mature about it and play nice
too.

As above, I would have been fine if the OP posted a suggested patch. One
wasn't offered. If not, then contact the vendor. What was the reason to
release the disclosure so quickly? Was it about "losing credit"? phpbb
and other vendors I've worked with honor full credits.
Post by bkfsec
It comes down to this: when real people find out something or other
regarding a product, they should be allowed to share that information
without restriction. That's the organic nature of information: live
with it because it's not going to change. The alternative is a freeze
on information that would amount to the destruction of all information
freedom and, ultimately, the death of democracy (if it ever actually
existed)...
I see the point I'm trying to deliver is being missed.
Post by bkfsec
Now, responsible disclosure is one thing, but there is no requirement to
be responsible. And that isn't to say that just disclosing a bug is
inherently irresponsible. If the vendor is not responsive or has not
been responsive in the past, then I say disclose away. At that point,
disclosure is the responsible thing to do.
That is perfectly fine in my book too. But the OP didn't state that in
his release now did he? Some vendors can't be bothered about disclosures.
So state that, and still offer a suggested patch. If you are incapable of
producing one, find someone who will.
Post by bkfsec
Neither side bears a rosy picture: full disclosure can result in users
being harmed... but those who've spent any remote amount of time amongst
real hackers/crackers know that that is no different than the status
quo. (Most of them never end up as MS MVPs, btw) The "full disclosure
sucks" side of the table results in a concept which forwards the idea
that a freeze on information ultimately is a good thing and we should
all eat from the corporate trough.
Seems the whole MVP thing turns out to be a sticking point? I've replied
many times in these seclists and have never generated such a discussion
before.
Post by bkfsec
I'd take my chances with the status quo, keep the flow of information
moving, and use that information to protect myself.
What is the status quo? Russ Cooper of NTBugtraq wrote today about the
NGS Software disclosure on Sybase and how Sybase was threatening them with
legal action if it were released (to be in 3 months after vendor
notification):

"NGS, a very responsible security company, informed Sybase of the
vulnerabilities and stated they would publish details in three months.
This is perfectly normal and acceptable practice in the security arena."
Post by bkfsec
No offense meant, but can't we all just get along on this little playground?
I thought that was the whole idea? Getting along and helping each other
out. Ergo why I replied in the first place to the OP.
--
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CastleCopsWiki .. http://wiki.castlecops.com
MS MVPS Blog .... http://msmvps.com/castlecops
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com

