Re: Re: [Full-disclosure] "responsible disclosure" explanation

From: Daniel H. Renner (dan_at_losangelescomputerhelp.com)
Date: 08/09/05

  • Next message: Nick FitzGerald: "Re: [Full-disclosure] Plaxo?"
    To: full-disclosure@lists.grok.org.uk
    Date: Tue, 09 Aug 2005 01:22:04 -0700
    
    

    I have only one thing to say to you, Jason:

    Rock on!!!

    (Or Rant and Grumble on - as you wish.)

    No explanations as to my opinions regarding Windows vulnerabilities
    need be spouted here...

    And I hope you are always successful in teaching those that need it.

    :-)
    Dan

    On Tue, 2005-08-09 at 07:43 +0100,
    full-disclosure-request@lists.grok.org.uk wrote:
    > Date: Mon, 08 Aug 2005 17:51:18 -1000
    > From: Jason Coombs <jasonc@science.org>
    > Subject: Re: [Full-disclosure] "responsible disclosure" explanation
    > To: full-disclosure@lists.grok.org.uk
    > Message-ID: <42F82836.4030101@science.org>
    > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    >
    > "responsible disclosure" causes serious harm to people. It is no
    > different than being an accessory to the intentional destruction of
    > innocent lives.
    >
    > Anyone who believes that "responsible disclosure" is a good thing needs
    > to volunteer their time to teach law enforcement, judges, prosecutors,
    > and attorneys that the consequence of everyone communicating with
    > everyone else online is that some people use secret knowledge of
    > security vulnerabilities to ruin other people's lives or commit crimes
    > by hijacking innocent persons' vulnerable computers.
    >
    > Some of you may know that I work as an expert witness in civil and
    > criminal court cases that involve computer forensics, information
    > security, and electronic evidence.
    >
    > I just received a phone call from a member of the armed services in the
    > U.S. who is being court-martialed for possession of computerized child
    > pornography.
    >
    > This happens every day in courtrooms throughout the world.
    >
    > On a regular basis somebody accused of this crime finds me and asks for
    > my help explaining that a third-party could have been responsible for
    > the crime. In every case the prosecution is alleging that the computer
    > forensics prove beyond a reasonable doubt that the defendant is guilty
    > of the crime because it was their Windows computer that was used to
    > commit it.
    >
    > Often, some incompetent computer forensics professional will have
    > already done work on behalf of the defense and authored a report of
    > their own. These reports read like those authored by the prosecution's
    > computer forensic examiners: they list the contents of the hard drive,
    > itemize entries from Internet Explorer history files and explain that
    > some "deleted" files were recovered that further incriminate.
    >
    > So you tell me, those of you who believe that "responsible disclosure"
    > is a good thing, how can you justify holding back any detail of the
    > security vulnerabilities that are being used against innocent victims,
    > when the court system that you refuse to learn anything about is
    > systematically chewing up and spitting out innocent people who are
    > accused of crimes solely because the prosecution, the judge, the
    > forensic examiners, investigators, and countless "computer people" think
    > it is unrealistic for a third-party to have been responsible for the
    > actions that a defendant's computer hard drive clearly convicts them of?
    >
    > You cannot withhold the details of security vulnerabilities or you
    > guarantee that victims of those vulnerabilities will suffer far worse
    > than the minor inconvenience that a few companies encounter when they
    > have no choice but to pull the plug on their computer network for the
    > day in order to patch vulnerabilities that they could otherwise ignore
    > for a while longer.
    >
    > "Responsible disclosure" is malicious. Plain and simple, it is wrong.
    >
    > "Responsible disclosure" ensures that ignorance persists, and there is
    > no doubt whatsoever that ignorance is the enemy.
    >
    > Therefore, supporters of "responsible disclosure" are the source of the
    > enemy and you must be destroyed. Hopefully some patriotic hacker will
    > break into your computers and plant evidence that proves you are guilty
    > of some horrific crime against children. Then you will see how nice it
    > is that all those "responsible" people kept hidden the details that you
    > needed to prevent your own conviction on the charges brought against you
    > by the prosecution.
    >
    > How can "responsible" people be so maliciously stupid and ignorant?
    >
    > Please, somebody tell me that I'm not the only one inviting judges to
    > phone me at 2am so that I can teach them a little about why a Windows
    > 2000 computer connected to broadband Internet and powered-on 24/7 while
    > a member of the armed forces is at work defending the nation could in
    > fact have easily been compromised by an intruder and used to swap warez,
    > pirated films and music, and kiddie porn without the service member's
    > knowledge.
    >
    > How can trained "computer forensics" professionals from the DCFL and
    > private industry author reports that fail to explain information
    > security? The answer is that the people who teach computer forensics
    > don't understand information security. It is not "responsible" to
    > suppress knowledge of security vulnerabilities that impact ordinary
    > people. Suppress security vulnerability knowledge that impacts only
    > military computer systems, but don't suppress security vulnerability
    > knowledge that impacts computer systems owned and operated by ordinary
    > people; for doing so ruins lives and you, the suppressing agent, are to
    > blame for it more so than anyone else.
    >
    > Grr. Rant. Rant. Grumble.
    >
    > Sincerely,
    >
    > Jason Coombs
    > jasonc@science.org

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

