Re: Call to arms - INFORMATION ANARCHY

From: Livengood, Edward (Edward.Livengood@COMMERCEBANK.COM)
Date: 11/03/01


Message-ID:  <AF927B375E36D5119C20001083FD3A3D032B8198@kcexc2.CBSH.com>
Date:         Fri, 2 Nov 2001 17:40:23 -0600
From: "Livengood, Edward" <Edward.Livengood@COMMERCEBANK.COM>
Subject:      Re: Call to arms - INFORMATION ANARCHY
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I partially agree with Russ' statements. I believe that it is possible to
explain many vulnerabilities, without releasing code, well enough to allow
system administrators to work around the situation, but I wonder how all
this affects IDS. The sooner we can get an IDS signature to detect an
attack the better; does this mean depending on the vendor to supply one?
That would mean at least the IDS vendors would need to be quickly notified
of new attacks so that they can quickly release a signature for it.

I am very dubious of the idea of allowing Black Hats to know more about
vulnerabilities than the rest of us. I understand that most system admins
do not pay attention to such things, but I think it might be better to help
them understand why they need to rather than take the opportunity away. You
don't have to understand how to perform every hack out there, but I learn
quite a bit when I see how a hack of a particular type can be executed, and
it makes it easier for me to understand what I am dealing with. I worry
that too little disclosure will leave those of us who pay attention just as
defenseless as those who don't care. I do believe that disclosure should
always be done responsibly, as it has been defined here before, but I doubt
that stamping it out will aid us.

I agree that a third party group with the power to push on vendors to do the
right thing (we all know they wouldn't do it out of the goodness of their
hearts) could be very helpful. Something like the Consumer Reports of
security could allow us to see just how secure various vendors are when we
are making decisions. If this kind of information was released to the
general public it would push most vendors to try to look good on such a
report, especially if the media covered it well: "The top 10 least secure
systems are...."

I don't think it is possible to stop full disclosure. Someone will be
sharing the information whether or not it is us. The only question is: do we
want to restrict the information to Black Hats and some group, which
probably has a Black Hat as a member, that is supposed to keep the
information from getting into the wrong hands, or should it just be
available to everyone? I have not been in the security field as long as
many of you have been, but I don't think hiding the information will prevent
people from finding it out. It may reduce the number of script kiddies who
have it, but what about those who write their scripts?

Edward Livengood
Information Security Analyst
Commerce Bank

Please note that this email does not represent the opinions of Commerce
Bank.



