Re: It takes two to tango
I've been looking at them for years, and so has FX; both of us will be giving talks at DEFCON this year (and no, unlike Gobbles, I'll be paying my own way this year and don't need anyone else's help.) Epson is terrible at dealing with vulnerabilities in their systems, and so are the others. Feel free to look at http://members.cox.net/ltlw0lf/printers/ for more info on this; there is a nice white paper up there on printer security issues. I expect Cox or HP to be coming down on me too...

Mike Forrester wrote:
>> Hi,
>>
>> I just read the article at News.com
>> (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
>> controversy between HP and Snosoft. It seems that HP is upset that
>> details of a dangerous security hole in the HP Tru64 operating system
>> were published by "Phased", a security researcher with Snosoft, here on
>> Bugtraq. I really feel that HP went way over the line by trying to
>> place all the blame on Snosoft for HP's security hole by invoking the
>> DMCA and the Computer Fraud and Abuse Act.
>
> Sounds like now might be the time to start looking at Epson, Canon, etc. for
> printers and scanners, which sucks cause I've always had good luck with
> their stuff...
>
> I would suggest that everyone who agrees send HP an email expressing your
> disappointment in this matter. Just to help those short on time:
>
> Contact HP (USA):
> http://www.hp.com/country/us/eng/contact_us.htm
>
> E-mail Carly Fiorina (CEO):
> http://www.hp.com/hpinfo/execteam/email/fiorina/index.htm
Re: It takes two to tango
As much as it pains me to say this, I feel I must (for sake of argument). There is an assumed risk in using any product. The different analogies that people are coming up with are ludicrous. Given the current political and prejudice* situations, litigation in the courts is not the way to go.

Our great nation was founded with freedom in mind, and this freedom is what we try to assist other nations in achieving. It is this Freedom that allows our open market and Freedom of speech. Our freedom of speech may or may not infringe upon a company's intellectual property. Would we all be in agreement that no one else took apart the Wright Brothers' first biplane and then reassembled it using their own tweaks? No, I don't think so. The Wright Brothers and other Great Minds from the generation before us shared their ideas for the benefit of the common good. Proof of this is the existence of the Engineers Club of Dayton, Ohio.

Back in the day, if people didn't like what product ABC did or did not do, they used the freedom of an open market to purchase someone else's product, or they used their freedom of independent thinking to create a better ABC. That is what we need to do. Boycott the vendor who does not work with the consumer watchdogs. Should a vulnerability be found without criminal intent, a message of said vulnerabilities should be sent to the watchdogs, who then work with the vendors. The vendors should make a reasonable effort to reproduce the vulnerability (after all, the watchdog is most likely going to reproduce it, so the vendor should be able to reproduce it). If the vendor fails to take appropriate actions then the vendor should be placed on a black list. The consumers (you and me) then do not purchase items from those vendors. However, we do not need to overwhelm our judicial system with frivolous lawsuits, because it is US the consumers who need to ASSUME the risk of making any information public.

We all know the only way to have a totally secure system is to not turn it on. Knowing this, we must assume that risk and let our customers know the risk. Or it will come down to suing the local news station for announcing the severe lightning storm which in turn struck the office, causing a surge which melted the CPU onto the motherboard, causing a downtime of 4 hours. During these 4 hours employees were not able to utilize the computer system, thus causing a loss of wages. Come on, people. It is like the cold war scenario all over again: I can blow your country up more times than you can blow my country up. No one wins. However, do not underestimate the power of your dollar, which is a war that can (and is daily) be won.

Randy Hinders

* Prejudices = as in an irrational attitude to sue over the pettiest of things, to include someone's feelings being hurt. Life is hard and it sometimes sucks; get used to it.
RE: It takes two to tango
Riad, et al,

You are ignoring a major difference between the software industry and most other industries. The following applies to the US and most jurisdictions.

The software vendor is selling you a license to use their product, not the product itself. Their license requires you to agree to certain conditions, including limited liability of the software company and certain non-disclosure provisions. The software is copyrighted and subject to copyright law. Your use of their product is an implicit acceptance of their licensing conditions, and of copyright law.

If you find bugs or vulnerabilities in a software company's products you have generally waived your rights to disclose that information in the license agreement you implicitly agreed to. If you are using stolen, or pirated, versions of the software when you make your disclosure known you are subject to prosecution under copyright law. Some licenses could allow a software manufacturer to sue an individual for losses if they can prove a drop in license sales due to the disclosure. Under certain circumstances you could be liable to prosecution under DMCA and other legislation - legislation which is designed to enforce the rights of copyright holders, not just the software industry. In some jurisdictions you could be liable to prosecution under anti-terrorism laws, if any disclosure you made is exploited and used to harm life or property.

These are the laws. Like it or loathe it. If you really disagree with vendors' licensing agreements, don't use their software. If you don't like the law, petition your elected representative.

It is only relatively recently that the manufacturer of any defective product sold (but not licensed) could be prosecuted for their negligence. Note that under most jurisdictions there are options to prosecute companies who are knowingly negligent and when their actions result in death, e.g. Corporate Manslaughter. I am not aware of any software vendor prosecuted under such a statute, though.

To all those litigators out there - case law is waiting to be written, and precedents set.

John Howie

-Original Message-
From: Riad S. Wahby [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: It takes two to tango

Chris Paget <[EMAIL PROTECTED]> wrote:
> Does V still have the right to sue R?

Let's put this a different way: Ford makes a car that seems to sell pretty well. Unfortunately, it has a fatal design flaw: if the car suffers a rear-end collision while it's in third gear during a rainstorm at night while the moon is waxing, the car explodes, killing its passengers.

Consumer Reports discovers that this is the case and publishes a warning to its readers concerning this car. Ford is unable to reproduce the vulnerable configuration and ignores the warning, assuming it's a hoax.

Two weeks later, a story breaks in the national news that a psychopath has taken it upon himself to rear-end all Ford cars on rainy moonlit nights. So far, five people have died.

Who is responsible, Ford or Consumer Reports? Do you think Ford could successfully prosecute a lawsuit against Consumer Reports?

Extra credit: if you said "no" to the second question, but think V should win a suit against R in Chris's hypothetical situation, please explain how the two situations are so substantially different as to result in completely opposite conclusions with regard to liability.

--
Riad Wahby
[EMAIL PROTECTED]
MIT VI-2/A 2002
RE: It takes two to tango
// I just read the article at News.com
// (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
// controversy between HP and Snosoft. It seems that HP is upset that
// details of a dangerous security hole in the HP Tru64

... and why not? This has put all their customers at risk. They did not just disclose the bug; they are showing you how to exploit it.

// operating system
// were published by "Phased", a security researcher with

'security researcher', that is funny.

// Snosoft, here on
// Bugtraq. I really feel that HP went way over the line by trying to
// place all the blame on Snosoft for HP's security hole by
// invoking the
// DMCA and the Computer Fraud and Abuse Act.

Just exactly where did you hear or see that? The article does not state that. They are protecting their customers. That is what a good company is supposed to do. Any company not doing this in my opinion is negligent. They are doing exactly what they should be doing: using the law to protect their company and its clients.

//
// If this particular security hole is ever exploited by the
// "bad guys",
// we'll probably have both HP and Phased to thank. It really

No, you will have the luser that uses the exploit to thank.

// does take
// two to tango. The Phased exploit code would never have
// been published
// if HP programmers didn't mess up in the first place.

What a crock. Are you perfect? NO! Why in the world would you expect anyone else to be what you yourself are not? Expecting perfect code is just stupid.

//
// So this quote from Kent Ferson of HP in the News.com article was
// probably a big mistake:
//
// "Ferson also said that HP reserves
// the right to sue SnoSoft and its members "for monies
// and damages caused by the posting and any use of the
// buffer overflow exploit."
//
// Pretty clearly if there were ever to be any lawsuits over this
// particular bug, HP has much deeper pockets which are much
// easier to get
// to.

HP has acted to stop the problem. In other words, CYA. The fact is that the person exploiting the issue is the problem, not HP. Could someone sue HP? Yes. But as you pointed out, they have deeper pockets than most people. It works both ways. They can call out an army of lawyers for this. They can also show that they acted in good faith. Game over.

As for this hampering 'research', hardly. Phased said it himself. He does not live in the U.S. and SnoSoft does not know where he lives (assuming they are telling the truth). Let's face it: being a criminal with little skill gets you more respect than skill without a record.

IMO Symantec purchasing Security Focus is a much greater risk to openness than a few clowns releasing code. My guess is that the code was pulled to keep from queering the deal with Symantec, more than some hacker ethics. Just take a look at NTBugtraq. Ever since they were acquired by an MS-friendly company, Russ Cooper has been pushing limited disclosure, even going so far as to propose that he would decide on an inner circle of 'trusted' people who would get information as he saw fit. As an aside, I have noticed a substantial drop in traffic on the list within the last year. Could be lots of filtering, I don't know. Maybe they are now worried about lawsuits. Just seems fishy considering the push for limiting the discourse.

Should we release code that exploits bugs? I don't think so. I do believe that we should let others know of the issue with software, or hardware for that matter. Companies should be given a chance to fix the issue before letting the word out that there is a bug. Unfortunately, in the mad dash for glory, that is sometimes not a consideration.
Re: It takes two to tango
On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget wrote:
> IMHO, vendors SHOULD be responsible for security holes.

What, precisely, do you mean by "responsible"? Do you mean "monetarily liable"?

Suppose I find a remotely exploitable flaw in a major open source project, such as BIND or sendmail or Apache. I communicate the flaw to the vendor. It responds quickly, confirming my find and working with system integrators to release patches. The patches are well publicized and widely available. Subsequently a black hat releases an aggressive worm which exploits this vulnerability. It does $1 million in damages. Is the vendor (ISC, Sendmail Consortium, Apache Foundation, etc.) now liable for $1 million in compensatory damages? If so, is it also liable for punitive damages because it should never have introduced that bug in the first place, even though it did its best to respond?

Put another way, if I'm Microsoft and I want to destroy open source, should I start looking for vulnerabilities in big open source projects?

> However,
> before that can be done there needs to be some kind of law put in
> place to protect the researchers who find the holes. Doesn't need to
> be much, just a blanket law that if the researcher has taken
> reasonable steps to alert the vendor, they cannot be held liable for
> the consequences of releasing the advisory. If that doesn't happen,
> things are going to get messy.

"Reasonable steps" is a very vague term. You have made the point that the researcher needs protection from an unreasonable vendor, but vendors also need protection from unreasonable researchers. Any system which unfairly protects either side courts abuse.

--
Kyle R. Hofmann <[EMAIL PROTECTED]>
Re: It takes two to tango
On Wed, 2002-07-31 at 10:48, Jose Nazario wrote:
> > 4) R attempts communication several times over the next 90 days, but
> > never receives a response.
>
> if the researcher doesn't attempt to work with an established third party
> (ie CERT, SecurityFocus) to get this contact made, they are acting in an
> irresponsible fashion. at least the researcher waited 90 days, though.

Refusing to work with an "established third party" does not constitute "irresponsible behavior". Arguably it does make the process smoother when a third party is used, but it should not be a litmus test for the proper way to notify a vendor, or any other purveyor of software or hardware. There are many researchers who do this work outside of any organization for any number of reasons, including questioning the motives of commercial security companies to disagreeing with directional statements from non-commercial entities. Regardless of the reason... very credible work has been performed by lone individuals and we would be remiss in casting doubt on their methods and lose that advantage.

Established guidelines, that everyone can follow across organizational boundaries, are the best solution. Contact addresses, expectations of both the vendor and the researcher, and methodologies for distribution of a solution should be public knowledge and defined broadly by standards. Each vendor should also publish their own expectations with regard to handling vulnerabilities and bugs. Specifically, they should state where they are diverging from the aforementioned standards. In this way, the researcher knows what he or she is getting into by notifying the vendor. This doesn't mean that each vendor should have their own, unique policies, but make it clear so that responsible individuals can do their best to adhere to the ideas set forth and thus prevent threatening letters.

--
- branson
---
Branson Matheson        "If you are falling off of a mountain,
Systems Consultant       You may as well try to fly."
Windborne, Inc.                      - Delenn, Minbari Ambassador
( $statements = ) !~ /Company Opinion/;
Re: It takes two to tango
> On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget <[EMAIL PROTECTED]> said:

CP> >> "Ferson also said that HP reserves
CP> >> the right to sue SnoSoft and its members "for monies
CP> >> and damages caused by the posting and any use of the
CP> >> buffer overflow exploit."

CP> This raises a very interesting point. Bruce Schneier has stated
CP> publicly that he believes vendors should be held responsible for
CP> security flaws in their products
CP> (http://www.nwfusion.com/columnists/2002/0422faceoffyes.html). I
CP> agree with this viewpoint, as, I am sure, do many people on this list.
CP> However, how would this affect the vulnerability disclosure process?

Others, even some lawyers, agree: http://www.gocsi.com/pdfs/byte.pdf

Erin also had a similar article in ;login: (requires USENIX membership): http://www.usenix.org/publications/login/2001-12/pdfs/kenneally.pdf

and most recently in IEEE Computer: http://www.computer.org/computer/co2002/r6toc.htm

--
Tom E. Perrine <[EMAIL PROTECTED]> | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ |
RE: It takes two to tango (or samba for that matter)
As much as corporate liability makes sense, I doubt it will ever come to fruition. I think it will be near impossible to prove "negligence." It will be a matter of interpreting the raw code and showing that the programmers intentionally cut corners. That won't be an easy thing to prove.

Chris ponders if vendor V has the "right" to sue researcher R. Remember that in this country, you have the right to sue anyone for anything (like the guy suing McDonald's because he's fat: http://www.cnn.com/2002/HEALTH/diet.fitness/07/26/fast.food.lawsuit.ap/index.html ) or people who sue the tobacco companies, as if you thought lighting something on fire and inhaling it was GOOD for you? Jeez.

It is now vital for everyone, especially small companies, to keep a paper trail of everything to protect themselves, although that may not matter. Were my company to go head to head with an HP caliber opponent, we'd lose hands down. We couldn't afford to win. Legal expenses would choke us. Anyone remember Microsoft vs. Stacker?

There is an interesting talk on this very subject at Defcon this weekend that I am looking forward to called "The Politics of Vulnerabilities." Should be interesting.

I think the system works for now and hopefully it will stay that way. Sooner or later though, one of the big boys will get an itchy legal trigger finger and go after (and probably bury) some small security company. The security community will go nuts. Dogs and cats, sleeping together. People will yell and point fingers, then they'll create a government agency that will handle all vulnerabilities and liaise between the security guys and the software vendors, which will suck, and I'll get out of the security business and sell Tupperware in the Caymans.

My last two cents: don't always blame the programmers. I recall a 2 million dollar development project I led that had to be completed in 6 weeks (including QA) because the marketing dept. of the company I worked for had already spent huge $$ on ads. Never mind if anyone thought we could actually complete the project in that time frame. We had to cut a lot of corners to pull that off and had planned on going back and fixing them after the fact. Of course, the marketing guys came up with all new stuff for us to build and sell. You get the idea. Blame the marketing and sales folks. They're evil.

OK. I'm off my soap box. Hope to see you at DefCon this weekend! Buy me a beer...or two. I'll be happy to rant on for days.

Gibby McCaleb
www.covertsystems.net
Covert Systems, Inc.

-Original Message-
From: Chris Paget [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 3:35 AM
To: Richard M. Smith; [EMAIL PROTECTED]
Subject: Re: It takes two to tango

> "Ferson also said that HP reserves
> the right to sue SnoSoft and its members "for monies
> and damages caused by the posting and any use of the
> buffer overflow exploit."

This raises a very interesting point. Bruce Schneier has stated publicly that he believes vendors should be held responsible for security flaws in their products (http://www.nwfusion.com/columnists/2002/0422faceoffyes.html). I agree with this viewpoint, as, I am sure, do many people on this list. However, how would this affect the vulnerability disclosure process?

1) Researcher R finds a security hole in vendor V's product.
2) R attempts to contact V to reveal the bug.
3) V does not respond.
4) R attempts communication several times over the next 90 days, but never receives a response.
5) R releases an advisory.
6) Attacker A writes an exploit for the hole, and uses it to hack into company C.
7) C successfully sues V for several million dollars compensation.

Does V still have the right to sue R? If vendors are made liable for security holes, and those vendors have the right to sue the people who find advisories and / or release exploits, then we'll be seeing security researchers on the wrong end of multi-million dollar lawsuits. I'm sure I'm not the only person who feels uncomfortable about this. Buffer overflow exploits are not difficult to write; it doesn't come down to whether there's exploit code or just an advisory.

IMHO, vendors SHOULD be responsible for security holes. However, before that can be done there needs to be some kind of law put in place to protect the researchers who find the holes. Doesn't need to be much, just a blanket law that if the researcher has taken reasonable steps to alert the vendor, they cannot be held liable for the consequences of releasing the advisory. If that doesn't happen, things are going to get messy.

Chris

--
Chris Paget
[EMAIL PROTECTED]
Re: It takes two to tango
[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]
> Subject: Re: It takes two to tango
>
> Does V still have the right to sue R?

Absolutely not. They were given more than fair notice.

> If vendors are made liable for
> security holes, and those vendors have the right to sue the people who
> find advisories and / or release exploits, then we'll be seeing
> security researchers on the wrong end of multi-million dollar
> lawsuits.

Only if the law fails to recognize the notice given by the discoverer to the vendor. Perhaps security researchers should begin using registered mail to notify vendors.

It probably also means that those who feel vendors do not deserve fair notice will (have to / continue to) resort to posting exploits anonymously.

> IMHO, vendors SHOULD be responsible for security holes. However,
> before that can be done there needs to be some kind of law put in
> place to protect the researchers who find the holes.

IANAL, but I would hope no new laws are necessary -- the recognition of fair notice should be sufficient.

--
Greg A. Woods
+1 416 218-0098; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>; VE3TCP; Secrets of the Weird <[EMAIL PROTECTED]>
Re: It takes two to tango
On Wed, 31 Jul 2002 11:15:27 -0400 (EDT), Greg A. Woods wrote:
>[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]
>> Subject: Re: It takes two to tango
>>
>> Does V still have the right to sue R?
>
>Absolutely not. They were given more than fair notice.

According to the CNet article:

In HP's case, SnoSoft says that information made public last year should have given the computer maker enough time to fix the problem.

and

HP has known about the Tru64 vulnerability "for some time," SnoSoft's Finisterre said, but never fixed the problem. An HP spokesman said he did not know if a patch had been released.

Last year? If >7 months isn't enough time to count as "fair notice" then what is? This was a new exploit for an old hole, demonstrating that fair notice is irrelevant if the vendor doesn't like what's going on. That's what's frightening me - even if I follow widely recognised industry best practices when releasing an advisory, I can still be held personally liable if the vendor decides to invoke that magical 4-letter acronym - DMCA. Yes, I'm in the UK, and could probably argue that the DMCA doesn't apply to me. But the EUCD is virtually identical, and would apply in exactly the same way as the DMCA should the vendor choose to wield it.

Chris

--
Chris Paget
[EMAIL PROTECTED]

>
>> If vendors are made liable for
>> security holes, and those vendors have the right to sue the people who
>> find advisories and / or release exploits, then we'll be seeing
>> security researchers on the wrong end of multi-million dollar
>> lawsuits.
>
>Only if the law fails to recognize the notice given by the discoverer to
>the vendor. Perhaps security researchers should begin using registered
>mail to notify vendors.
>
>It probably also means that those who feel vendors do not deserve fair
>notice will (have to / continue to) resort to posting exploits anonymously.
>
>> IMHO, vendors SHOULD be responsible for security holes. However,
>> before that can be done there needs to be some kind of law put in
>> place to protect the researchers who find the holes.
>
>IANAL, but I would hope no new laws are necessary -- the recognition of
>fair notice should be sufficient.
Re: It takes two to tango
At some point hitherto, Riad S. Wahby hath spake thusly:
> Two weeks later, a story breaks in the national news that a psychopath
> has taken it upon himself to rear-end all Ford cars on rainy moonlit
> nights. So far, five people have died.
>
> Who is responsible, Ford or Consumer Reports? Do you think Ford could
> successfully prosecute a lawsuit against Consumer Reports?

How about the psychopath? Certainly Ford's negligence contributes, in that it allows the opportunity for the psychopath's mission... But, as I think often happens in security circles, people are often wont to overlook the responsibility of the misguided, perhaps unknown individual who is actually committing these acts, in favor of the obvious easy target with deep pockets. People who commit computer crime should be tracked down and punished according to the severity of their crime.

OTOH, recent trends here in the United States suggest that legislatures are passing, and judicial systems all too quick to make use of, very stiff penalties for crimes which often amount to trespassing or vandalism. Today's political climate seems to be becoming one where it's not unlikely that someone will be sentenced to life in prison for actions which largely amount to throwing a rock through someone's window -- a crime whose penalty would itself likely amount to some official court person admonishing the convicted to "don't do that again."

Software vendors seem quite happy with this development. It points the blame at someone besides themselves, and relieves them again of their duty to write good software that doesn't break when you sneeze in its general direction. The possible case of HP v. SnoSoft highlights this issue. Evidently writing good software is too hard or too costly for many vendors, so they'd rather just prosecute people who make them look bad. It's cheaper, and it cuts down on the number of people willing to do the kind of research and publish the results that make the Bugtraq mailing list worth reading.

Despite all the work that has been done by the security community, full disclosure seems only to have angered the software giants into using their financial resources NOT to actually fix the problems with their software, as a responsible corporate citizen would do, but instead to keep people like you from exposing them and complaining about them publicly, essentially making it illegal to do so. And through their most generous campaign donations, they have bought the support of the legislature for such atrocities as the DMCA and other similar legislation, which effectively squash your 1st Amendment right to free speech.

We have wonderful agencies like the EFF and others, who take on the challenges of combating these offensive laws and their misuses, but they appear to be fighting a losing battle. We vote in public elections, and nothing happens.

So I ask the Bugtraq community, what aren't we doing, that we can do to keep the corporate giants from squashing our voices, and put technology back in the hands of the people, where it belongs?

--
Derek Martin
[EMAIL PROTECTED]
-
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
RE: It takes two to tango
There are some interesting issues being raised: 1) Researcher R finds a security hole in vendor V's product. 2) R attempts to contact V to reveal the bug. 3) V does not respond. 4) R attempts communication several times over the next 90 days, but never receives a response. 5) R releases an advisory. 6) Attacker A writes an exploit for the hole, and uses it to hack into company C. 7) C successfully sues V for several million dollars compensation. Does V still have the right to sue R? If vendors are made liable for security holes, and those vendors have the right to sue the people who find advisories and / or release exploits, then we'll be seeing security researchers on the wrong end of multi-million dollar lawsuits. I'm sure I'm not the only person who feels uncomfortable about this. Buffer overflow exploits are not difficult to write; it doesn't come down to whether there's exploit code or just an advisory. [RS] Lets assume that contracts and licensing are not defunct of liability. Providing that the security vulnerability is reported to the vendor, the vendor should immediately verify the claims and inform all its licensed clients. In most cases many vulnerabilities could be mitigated with certain other efforts, whilst not as efficient or reduce business functionality, may reduce the risk, until a patch is available. The business would decide if the risk is acceptable to continue business or would defer risk by either reducing functionality (stopping services etc) or completely stop until a patch (in the event the IDS picked something up). Just because a vulnerability is detected in a service one is using does not necessarily mean my server has to be placed off line. However, I would expect a patch if I intend to use that feature in the future. In such cases, businesses are fully aware of risk of doing business, can apply some vague quantitative measure of risk and understand the risk model. 
If the client was not notified, after the vulnerability was published (not the exploit), businesses affected by the security hole, could sue the vendor. The vendor may have chosen not to inform it's clients of the potential security problem, and thus did not do its due diligence. I believe this would be a better model of controlling and enabling full disclosure. Thus, the vulnerability owner would notify a vendor, and following the guidelines, give 30 days for client notification (assume 30, could be anything noted..). The Vendor must notify clients to take precautionary action. If vendor refuses to notify clients, and clients discover additional risk, and/or potential damage litigation can be a consequence. [Seems very similar to other product warranties et al ?? ...] IMHO, vendors SHOULD be responsible for security holes. However, before that can be done there needs to be some kind of law put in place to protect the researchers who find the holes. Doesn't need to be much, just a blanket law that if the researcher has taken reasonable steps to alert the vendor, they cannot be held liable for the consequences of releasing the advisory. If that doesn't happen, things are going to get messy. [RS] I must admit that the legal system in this country is not proactive, very reactive and very heavily fraught with strange laws. The introduction of laws and regulations to prevent reverse engineering is just step to remove full disclosure. The onus should be placed back in to liability and insurance. Preventing discovery is not the answer. If Full Disclosure was covered by some government classification as to require adequate and official steps, liability is placed on both hands of the vulnerability. The author would be required to follow the steps, informing the vendor and then releasing an advisory and then potentially the exploit. Whilst the vendor must be required to notify licensees / clients prior to the advisory and then follow up with a patch. 
Secondly, just because one person has discovered the flaw doesn't mean others do not know about it. Hence, it is vital that vendors treat advisories as high priority issues and must assume that potential criminals could use those vulnerabilities. It doesn't seem much of a stretch for the Homeland office for security to regard commerce systems as "Infrastructure" and hence bind researchers and vendors to an agreement. The only sticky part is if a vendor fails to take note and the advisory and exploits are released. In such a case the department of HLS could be involved in high level cases, i.e. large scale potential. This is just a sketch and there are numerous possible obstacles, but it certainly beats the current rogue view of many members who regard FD as a terrible thing.

Cheerio
r.

Richard Scott
INFORMATION SECURITY
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy or any of its subsidiaries
Re: It takes two to tango
Chris Paget <[EMAIL PROTECTED]> wrote:
> Does V still have the right to sue R?

Let's put this a different way:

Ford makes a car that seems to sell pretty well. Unfortunately, it has a fatal design flaw: if the car suffers a rear-end collision while it's in third gear during a rainstorm at night while the moon is waxing, the car explodes, killing its passengers. Consumer Reports discovers that this is the case and publishes a warning to its readers concerning this car. Ford is unable to reproduce the vulnerable configuration and ignores the warning, assuming it's a hoax. Two weeks later, a story breaks in the national news that a psychopath has taken it upon himself to rear-end all Ford cars on rainy moonlit nights. So far, five people have died.

Who is responsible, Ford or Consumer Reports? Do you think Ford could successfully prosecute a lawsuit against Consumer Reports?

Extra credit: if you said "no" to the second question, but think V should win a suit against R in Chris's hypothetical situation, please explain how the two situations are so substantially different as to result in completely opposite conclusions with regard to liability.

--
Riad Wahby
[EMAIL PROTECTED]
MIT VI-2/A 2002
Re: It takes two to tango
I agree fully with what both of you have to say, and I have another point to bring up. If companies like HP or Microsoft can put in their license terms which remove all liability of themselves for damage caused by security flaws in their products or general defects, and this stands up in court (and as we know it has), how can the courts say that the producer of the product is not liable at all, but that a consumer investigating security holes in that product is liable for damages resulting from his research on vulnerabilities in that product?

The whole concept itself is ludicrous, and the HP case is particularly troubling. If indeed HP knew of the bug for a year and either didn't acknowledge the problem or didn't fix it, then would it be safe to say they knew of its existence, but chose not to proceed in announcing or fixing the problem? What is a consumer to do? The company is not liable for the hole in their product, has in most cases no way to fix it, and the lack of liability on HP's part makes it impossible for the consumer to force them to fix it. This leaves the consumer with a dangerous and defective product which could cost them endless amounts of financial loss if the problem is not resolved before a hacker resolves to take advantage.

In publishing an exploit for said vulnerability, a consumer is in a sense promoting action to be taken by administrators (assuming a patch is available) and on HP's part as well; now that the public is aware of the hole, more pressure can be levied to get the company to fix the problem. But this now leaves them vulnerable to be sued under Copyright laws? Where does the Copyright come into play? Is the 'su' on HP systems purely HP's code or is it derived from older shared code? What right then would they have to sue them if this vulnerability affected other operating systems as well? Furthermore, the exploit is not remote and thus it's hard to see how HP could prove damages from such an exploit given its local nature on the OS.

This brings me to Phase. [EMAIL PROTECTED], is he even in the US or is he indeed in Russia?

I hate this whole situation and the power large corporations have over our government and our courts. I look at the law about allowing groups like MPAA to hack the systems of consumers and their networks based on circumstantial evidence as a clear sign that corporate corruption in our government has already gone too far, and too many of our rights are already limited for them to stop now. I'm not so sure any court is going to be willing to challenge this, as lawmakers are too influenced by large corporations to care about learning the least bit about how programming and computers work. They rely on their pocket-lining supporters to tell them that.

Things look grim, and my goal of being a security researcher is far from certain. If such limitations are arising that you cannot investigate commercial software's vulnerabilities, I don't see a lucrative future and may continue down a different in the near future. I lost faith in my government long ago.

-Stan Bubrouski
(Soon to be) Middler Computer Science Major at Northeastern University, Boston, MA

Chris Paget wrote:
>> "Ferson also said that HP reserves
>> the right to sue SnoSoft and its members "for monies
>> and damages caused by the posting and any use of the
>> buffer overflow exploit."
>
> This raises a very interesting point. Bruce Schneier has stated
> publicly that he believes vendors should be held responsible for
> security flaws in their products
> (http://www.nwfusion.com/columnists/2002/0422faceoffyes.html). I
> agree with this viewpoint, as, I am sure, do many people on this list.
> However, how would this affect the vulnerability disclosure process?
>
> 1) Researcher R finds a security hole in vendor V's product.
> 2) R attempts to contact V to reveal the bug.
> 3) V does not respond.
> 4) R attempts communication several times over the next 90 days, but
> never receives a response.
> 5) R releases an advisory.
> 6) Attacker A writes an exploit for the hole, and uses it to hack
> into company C.
> 7) C successfully sues V for several million dollars compensation.
>
> Does V still have the right to sue R? If vendors are made liable for
> security holes, and those vendors have the right to sue the people who
> find advisories and / or release exploits, then we'll be seeing
> security researchers on the wrong end of multi-million dollar
> lawsuits. I'm sure I'm not the only person who feels uncomfortable
> about this. Buffer overflow exploits are not difficult to write; it
> doesn't come down to whether there's exploit code or just an advisory.
>
> IMHO, vendors SHOULD be responsible for security holes. However,
> before that can be done there needs to be some kind of law put in
> place to protect the researchers who find the holes. Doesn't need to
> be much, just a blanket law that if the researcher has taken
> reasonable steps to alert the vendor, they cannot be held liabl
Re: It takes two to tango
> Hi,
>
> I just read the article at News.com
> (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
> controversy between HP and Snosoft. It seems that HP is upset that
> details of a dangerous security hole in the HP Tru64 operating system
> were published by "Phased", a security researcher with Snosoft, here on
> Bugtraq. I really feel that HP went way over the line by trying to
> place all the blame on Snosoft for HP's security hole by invoking the
> DMCA and the Computer Fraud and Abuse Act.

Sounds like now might be the time to start looking at Epson, Canon, etc. for printers and scanners, which sucks cause I've always had good luck with their stuff...

I would suggest that everyone who agrees send HP an email expressing your disappointment in this matter. Just to help those short on time:

Contact HP (USA):
http://www.hp.com/country/us/eng/contact_us.htm

E-mail Carly Fiorina (CEO):
http://www.hp.com/hpinfo/execteam/email/fiorina/index.htm
Re: It takes two to tango
to continue the "it takes two to tango" metaphor, i will say the following (inline):

On Wed, 31 Jul 2002, Chris Paget wrote:
> 2) R attempts to contact V to reveal the bug.
> 3) V does not respond.

this is the fault of the vendor for not having a well known and publicized contact point for handling security concerns. furthermore, if publicly published email addresses for the company (ie webmaster, abuse, postmaster, support, security) do NOT have the correct stuff forwarded to the security contact, there is an organizational breakdown for the vendor. this has been beaten to death by this point, there is no reason this should still be the case.

> 4) R attempts communication several times over the next 90 days, but
> never receives a response.

if the researcher doesn't attempt to work with an established third party (ie CERT, SecurityFocus) to get this contact made, they are acting in an irresponsible fashion. at least the researcher waited 90 days, though.

so, it does take two to tango, both sides have to have made honest efforts to make sure this process of vulnerability notification can work as smoothly as possible. this has been the subject of many recent discussions, including standards drafts. no excuses for not attempting to adhere to these best practices for either side of the issue.

___
jose nazario, ph.d.
[EMAIL PROTECTED]
http://www.monkey.org/~jose/
Re: It takes two to tango
> "Ferson also said that HP reserves
> the right to sue SnoSoft and its members "for monies
> and damages caused by the posting and any use of the
> buffer overflow exploit."

This raises a very interesting point. Bruce Schneier has stated publicly that he believes vendors should be held responsible for security flaws in their products (http://www.nwfusion.com/columnists/2002/0422faceoffyes.html). I agree with this viewpoint, as, I am sure, do many people on this list. However, how would this affect the vulnerability disclosure process?

1) Researcher R finds a security hole in vendor V's product.
2) R attempts to contact V to reveal the bug.
3) V does not respond.
4) R attempts communication several times over the next 90 days, but never receives a response.
5) R releases an advisory.
6) Attacker A writes an exploit for the hole, and uses it to hack into company C.
7) C successfully sues V for several million dollars compensation.

Does V still have the right to sue R? If vendors are made liable for security holes, and those vendors have the right to sue the people who find advisories and / or release exploits, then we'll be seeing security researchers on the wrong end of multi-million dollar lawsuits. I'm sure I'm not the only person who feels uncomfortable about this. Buffer overflow exploits are not difficult to write; it doesn't come down to whether there's exploit code or just an advisory.

IMHO, vendors SHOULD be responsible for security holes. However, before that can be done there needs to be some kind of law put in place to protect the researchers who find the holes. Doesn't need to be much, just a blanket law that if the researcher has taken reasonable steps to alert the vendor, they cannot be held liable for the consequences of releasing the advisory. If that doesn't happen, things are going to get messy.

Chris

--
Chris Paget
[EMAIL PROTECTED]