different than being an accessory to the intentional destruction of innocent lives." In the name of righting injustice outside of the established legal process with no justification other than your own views and interest.
Point two:
Often, some incompetent computer forensics professional will have already done work on behalf of the defense and authored a report of their own. These reports read like those authored by the prosecution's computer forensic examiners, they list the contents of the hard drive, itemize entries from Internet Explorer history files and explain that some "deleted" files were recovered that further incriminate.
Rebuttal:
Can you state here in public that you have never done the same when you were starting out? Nothing personal, bud, but those who live in glass houses shouldn't throw stones.
From: [EMAIL PROTECTED] on behalf of Jason Coombs
Sent: Mon 8/8/2005 8:51 PM
To: [email protected]
Subject: Re: [Full-disclosure] "responsible disclosure" explanation
"responsible disclosure" causes serious harm to people. It is no different than being an accessory to the intentional destruction of innocent lives.
Anyone who believes that "responsible disclosure" is a good thing needs to volunteer their time to teach law enforcement, judges, prosecutors, and attorneys that the consequence of everyone communicating with everyone else online is that some people use secret knowledge of security vulnerabilities to ruin other people's lives or commit crimes by hijacking innocent persons' vulnerable computers.
Some of you may know that I work as an expert witness in civil and criminal court cases that involve computer forensics, information security, and electronic evidence.
I just received a phone call from a member of the armed services in the U.S. who is being court martialed for possession of computerized child pornography.
This happens every day in courtrooms throughout the world.
On a regular basis somebody accused of this crime finds me and asks for my help explaining that a third-party could have been responsible for the crime. In every case the prosecution is alleging that the computer forensics prove beyond a reasonable doubt that the defendant is guilty of the crime because it was their Windows computer that was used to commit it.
Often, some incompetent computer forensics professional will have already done work on behalf of the defense and authored a report of their own. These reports read like those authored by the prosecution's computer forensic examiners, they list the contents of the hard drive, itemize entries from Internet Explorer history files and explain that some "deleted" files were recovered that further incriminate.
So you tell me, those of you who believe that "responsible disclosure" is a good thing, how can you justify holding back any detail of the security vulnerabilities that are being used against innocent victims, when the court system that you refuse to learn anything about is systematically chewing up and spitting out innocent people who are accused of crimes solely because the prosecution, the judge, the forensic examiners, investigators, and countless "computer people" think it is unrealistic for a third-party to have been responsible for the actions that a defendant's computer hard drive clearly convicts them of?
You cannot withhold the details of security vulnerabilities or you guarantee that victims of those vulnerabilities will suffer far worse than the minor inconvenience that a few companies encounter when they have no choice but to pull the plug on their computer network for the day in order to patch vulnerabilities that they could otherwise ignore for a while longer.
"Responsible disclosure" is malicious. Plain and simple, it is wrong.
"Responsible disclosure" ensures that ignorance persists, and there is no doubt whatsoever that ignorance is the enemy.
Therefore, supporters of "responsible disclosure" are the source of the enemy and you must be destroyed. Hopefully some patriotic hacker will break into your computers and plant evidence that proves you are guilty of some horrific crime against children. Then you will see how nice it is that all those "responsible" people kept hidden the details that you needed to prevent your own conviction on the charges brought against you by the prosecution.
How can "responsible" people be so maliciously stupid and ignorant?
Please, somebody tell me that I'm not the only one inviting judges to phone me at 2am so that I can teach them a little about why a Windows 2000 computer connected to broadband Internet and powered-on 24/7 while a member of the armed forces is at work defending the nation could in fact have easily been compromised by an intruder and used to swap warez, pirated films and music, and kiddie porn without the service member's knowledge.
How can trained "computer forensics" professionals from the DCFL and private industry author reports that fail to explain information security? The answer is that the people who teach computer forensics don't understand information security. It is not "responsible" to suppress knowledge of security vulnerabilities that impact ordinary people. Suppress security vulnerability knowledge that impacts only military computer systems, but don't suppress security vulnerability knowledge that impacts computer systems owned and operated by ordinary people; for doing so ruins lives and you, the suppressing agent, are to blame for it moreso than anyone else.
Grr. Rant. Rant. Grumble.
Sincerely,
Jason Coombs
[EMAIL PROTECTED]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
