Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
[VulnDiscuss] Please post this, I really think it needs to be said.
From: Troy Fletcher (troyalvaka.net)
Date: Mon Aug 23 2004 - 15:23:11 CDT
I've recently discovered a vulnerability in Windows XP SP2. I'm now faced with the decision to release it to the public via this security mailing list, or to go directly to the vendor.
I'm somehow already deeply disturbed with whichever decision I make...
I'm wrought with moral conflict.
I understand that there is a great importance in reporting these vulnerabilities to the vendor, however I find myself disillusioned with this particular vendor's response and responsibility to their end-users. But should this fact dictate that I bypass them entirely?
I respect the professionals on the security mailing list, I respect their drive to better their understanding of the software they've purchased, I respect that they only want what's best for their network, and I respect more than anything that they're making an effort. That is not to say that the vendors are not, but past instances lead me to believe that they are not taking these warnings as seriously as they should.
If I choose to follow the vendor path, the vendor could start their process on developing a fix to the exploit, work to discover the best method to fix, run tests against it, and release it to the public. However, past experiences remind me that it could be months before a fix is released. Months in which this exploit could be running rampant through the networks of our fellow administrators who remain innocent of any wrongdoing or apathy. To assume that no one else has discovered this exploit would be naïve at best, and it would only make sense to act as though someone was already developing an internet malady using this, which leads to the other choice.
If I choose to follow the mailing list path, I would educate the hardworking professionals, whom I respect so much, on what steps they can take and what signs they should look for to remain secure. The vendor will release a quick-fix (hopefully) on a shorter time frame and could suffer the repercussions of not fully testing the release. However, I know that not all the people on mailing lists of these kinds are professionals eager to secure their networks. Of course a release to the mailing list would make the vulnerability public knowledge and vastly increase the likelihood of the internet malady I mentioned earlier, not to mention general misuse of the knowledge I sought to impart.
The black hat in me wants to see this vendor squirm under a release deadline in the hopes that it will encourage them to create more secure systems in the future. And if some poorly educated internet users must crack to make my omelet, then grab a fork!
But the white hat in me wants what's best for the internet and its users, and wants (BADLY) to trust that the vendors will take these alerts seriously, and see that they are resolved expeditiously. Like it or not, without Microsoft, the internet and probably the world would not be the same place it is today. The white hat in me thinks we owe them the respect to give them fair warning.
I guess what I'm trying to say is, thanks Bill (two words I never thought would escape my fingertips without italicized sarcasm). Thanks for doing all that you've done to bring computers to our homes. Thanks for making computers easy enough for me to learn at an early age, and get where I am today. But, to make a cliché (my English teacher would have a fit), with great power come great responsibility, and that responsibility is NOT to the shareholders. It's to Jim and Joe user, who depend on you to know best and keep them safe. This might need some rethinking, but that's all up to you.
I would feel very personally if my actions lead to the instability or insecurity of the internet's freedom as a venue for the exchange of ideas or information, something that has happened fairly often. Political and independent powers have used attacks against these vulnerabilities to carry out their agendas against the internet and its users. That kind of censorship, or denial of anything is not why the internet exists and continues to do so. It is a freedom that we all have, the freedom to information, the freedom of knowledge, and the freedom of education. And I think that those of us with the privileged knowledge and education to discover these threats should do the right thing to preserve those freedoms. Whatever that decision may be.
I haven't made up my mind on what I'm going to do yet. I've got some thinking to do.
Thanks for reading.
rubber baby buggie bumpers!
Freelance Security Exploiteer