Re: Call to arms - INFORMATION ANARCHY

From: Kurt (kurtbuff@LIGHTMAIL.COM)
Date: 11/03/01


Message-ID:  <99f9740b58692c00d085f88649f722333be34977@zetron.com>
Date:         Fri, 2 Nov 2001 17:37:20 -0800
From: Kurt <kurtbuff@LIGHTMAIL.COM>
Subject:      Re: Call to arms - INFORMATION ANARCHY
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Unfortunately, the black hats *do* know more than the white hats, and always have. They are the ones who most often come up with the exploits, although not always.

It's a matter of keeping the white hats informed, and allowing free and open discussion amongst the wider community.

Consider the following questions:

1) Have Microsoft ever been wrong about the severity of a security flaw in any of their OSes or applications?

2) Have Microsoft ever been wrong about the best way to handle a security flaw in their software?

3) Have Microsoft ever been wrong about the nature of the security flaw?

I think you can safely answer 'yes' to all of the above, and further, I think you can safely answer 'often' as well.

This is true of all vendors, commercial or open source or otherwise.

That being the case, open discussion should be the order of the day, because your knowledge of these flaws and how to deal with them is often better than the vendors', and denying you this knowledge makes you more vulnerable. The fact that full and open discussion serves as pressure on the vendor to deal with it expeditiously is merely a side benefit, in my view, albeit an important one. Releasing code is part of that full and open discussion.

| -----Original Message-----
| From: Windows NTBugtraq Mailing List
| [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of
| Livengood, Edward
| Sent: Friday, November 02, 2001 15:40
| To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
| Subject: Re: Call to arms - INFORMATION ANARCHY
|
|
| I partially agree with Russ' statements. I believe that it is possible
| to explain many vulnerabilities without releasing code well enough to
| allow system administrators to work around the situation, but I wonder
| how all this affects IDS. The sooner we can get an IDS signature to
| detect an attack the better; does this mean depending on the vendor to
| supply one? That would mean at least the IDS vendors would need to be
| quickly notified of new attacks so that they can quickly release a
| signature for it.
|
| I am very dubious of the idea of allowing Black Hats to know more about
| vulnerabilities than the rest of us. I understand that most system
| admins do not pay attention to such things, but I think it might be
| better to help them understand why they need to rather than take the
| opportunity away. You don't have to understand how to perform every
| hack out there, but I learn quite a bit when I see how a hack of a
| particular type can be executed, and it makes it easier for me to
| understand what I am dealing with. I worry that too little disclosure
| will leave those of us who pay attention just as defenseless as those
| who don't care. I do believe that disclosure should always be done
| responsibly, as it has been defined here before, but I doubt that
| stamping it out will aid us.
|
| I agree that a third party group with the power to push on vendors to
| do the right thing (we all know they wouldn't do it out of the goodness
| of their hearts) could be very helpful. Something like the Consumer
| Reports of security could allow us to see just how secure various
| vendors are when we are making decisions. If this kind of information
| was released to the general public it would push most vendors to try to
| look good on such a report, especially if the media covered it well:
| "The top 10 least secure systems are...."
|
| I don't think it is possible to stop full disclosure. Someone will be
| sharing the information whether or not it is us. The only question is:
| do we want to restrict the information to Black Hats and some group,
| which probably has a Black Hat as a member, that is supposed to keep
| the information from getting into the wrong hands, or should it just be
| available to everyone? I have not been in the security field as long as
| many of you have been, but I don't think hiding the information will
| prevent people from finding it out. It may reduce the number of script
| kiddies who have it, but what about those who write their scripts?
|
| Edward Livengood
| Information Security Analyst
| Commerce Bank
|
| Please note that this email does not represent the opinions
| of Commerce
| Bank.
