Re: It takes two to tango

2002-08-01 Thread Ltlw0lf

I've been looking at them for years, and so has FX, both of us will be 
giving talks at DEFCON this year (and no, unlike Gobbles, I'll be paying 
my own way this year and don't need anyone else's help.)  Epson is 
terrible at dealing with vulnerabilities in their systems, and so are 
the others.  Feel free to look at 
http://members.cox.net/ltlw0lf/printers/ for more info on this, there is 
a nice white-paper up there on printer security issues.

I expect cox or hp to be coming down on me too...

Mike Forrester wrote:
>>Hi,
>>
>>I just read the article at News.com
>>(http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
>>controversy between HP and Snosoft.  It seems that HP is upset that
>>details of a dangerous security hole in the HP Tru64 operating system
>>were published by "Phased", a security researcher with Snosoft, here on
>>Bugtraq.  I really feel that HP went way over the line by trying to
>>place all the blame on Snosoft for HP's security hole by invoking the
>>DMCA and the Computer Fraud and Abuse Act.
> 
> 
> Sounds like now might be the time to start looking at Epson, Canon, etc. for
> printers and scanners, which sucks cause I've always had good luck with
> their stuff...
> 
> I would suggest that everyone who agrees send HP an email expressing your
> disappointment in this matter.  Just to help those short on time:
> 
> Contact HP (USA):
> http://www.hp.com/country/us/eng/contact_us.htm
> 
> E-mail Carly Fiorina (CEO):
> http://www.hp.com/hpinfo/execteam/email/fiorina/index.htm
> 





Re: It takes two to tango

2002-07-31 Thread Randy Hinders

As much as it pains me to say this, I feel I must (for sake of argument).  
There is an assumed risk in using any product.  The different analogies that 
people are coming up with are ludicrous.  Given the current political and 
prejudice* situations, litigation in the courts is not the way to go.  Our 
great nation was founded with freedom in mind, and this freedom is what we 
try to assist other nations in achieving.  It is this Freedom that allows 
our open market and Freedom of speech.  Our freedom of speech may or may not 
infringe upon a company's “intellectual property”.  Would we all be in 
agreement that no one else took apart the Wright Brothers' first Bi-Plane and 
then reassembled it using their own tweaks?  No, I don’t think so.  The 
Wright Brothers and other Great Minds from the generation before us shared 
their ideas for the benefit of the common good.  Proof of this is the 
existence of the Engineers Club of Dayton Ohio.  Back in the day, if people 
didn’t like what product ABC did or did not do they used the freedom of an 
open market to purchase someone else’s product or they used their freedom of 
independent thinking to create a better ABC.

That is what we need to do.  Boycott the vendor who does not work with the 
consumer watchdogs.  Should a vulnerability be found “Without criminal 
intent” a message of said vulnerabilities should be sent to the watchdogs 
who then work with the vendors.  The vendors should make a “reasonable 
effort” to reproduce the vulnerability (after all the watchdog is most 
likely going to reproduce it so the vendor should be able to reproduce it).  
If the vendor fails to take appropriate actions then the vendor should be 
placed on a black list.  The consumers (you and me) then do not purchase 
items from those vendors.  However, we do not need to overwhelm our judicial 
system with frivolous lawsuits because it is US the consumers who need to 
ASSUME the risk of making any information public.

We all know the only way to have a totally secure system is to not turn it 
on.  Knowing this we must assume that risk and let our customers know the 
risk.  Or it will come down to suing the local news station for announcing 
the severe lightning storm which in turn struck the office causing a surge 
which melted the CPU onto the motherboard causing a downtime of 4 hours.  
During these 4 hours employees were not able to utilize the computer system 
thus causing a loss of wages…. Come on people….  It is like the cold war 
scenario all over again: “I can blow your country up more times than you can 
blow my country up”.

No one wins.  However, do not underestimate the power of your dollar, which 
is a war that can be (and is daily) won.

Randy Hinders

* Prejudices = as in an irrational attitude to sue over the pettiest of 
things, to include someone's feelings being hurt… life is hard and it sometimes 
sucks, get used to it.






RE: It takes two to tango

2002-07-31 Thread John Howie

Riad, et al,

You are ignoring a major difference between the software industry and
most other industries. The following applies to the US and most
jurisdictions.

The software vendor is selling you a license to use their product, not
the product itself. Their license requires you to agree to certain
conditions, including limited liability of the software company and
certain non-disclosure provisions. The software is copyrighted and
subject to copyright law. Your use of their product is an implicit
acceptance of their licensing conditions, and of copyright law.

If you find bugs or vulnerabilities in a software company's products you
have generally waived your rights to disclose that information in the
license agreement you implicitly agreed to. If you are using stolen, or
pirated, versions of the software when you make your disclosure known
you are subject to prosecution under copyright law. Some licenses could
allow a software manufacturer to sue an individual for losses if they
can prove a drop in license sales due to the disclosure. Under certain
circumstances you could be liable to prosecution under DMCA and other
legislation - legislation which is designed to enforce the rights of
copyright holders, not just the software industry.

In some jurisdictions you could be liable to prosecution under
anti-terrorism laws, if any disclosure you made is exploited and used to
harm life or property.

These are the laws. Like it or loathe it. If you really disagree with
vendors' licensing agreements, don't use their software. If you don't
like the law, petition your elected representative. It is only
relatively recently that the manufacturer of any defective product sold
(but not licensed) could be prosecuted for their negligence. Note that
under most jurisdictions there are options to prosecute companies who
are knowingly negligent and when their actions result in death, e.g.
Corporate Manslaughter. I am not aware of any software vendor prosecuted
under such a statute, though. To all those litigators out there - case
law is waiting to be written, and precedents set.

John Howie


-Original Message-
From: Riad S. Wahby [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, July 31, 2002 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: It takes two to tango

Chris Paget <[EMAIL PROTECTED]> wrote:
> Does V still have the right to sue R?

Let's put this a different way:

Ford makes a car that seems to sell pretty well.  Unfortunately, it
has a fatal design flaw: if the car suffers a rear-end collision while
it's in third gear during a rainstorm at night while the moon is
waxing, the car explodes, killing its passengers.  Consumer Reports
discovers that this is the case and publishes a warning to its readers
concerning this car.  Ford is unable to reproduce the vulnerable
configuration and ignores the warning, assuming it's a hoax.

Two weeks later, a story breaks in the national news that a psychopath
has taken it upon himself to rear-end all Ford cars on rainy moonlit
nights.  So far, five people have died.

Who is responsible, Ford or Consumer Reports?  Do you think Ford could
successfully prosecute a lawsuit against Consumer Reports?

Extra credit: if you said "no" to the second question, but think V
should win a suit against R in Chris's hypothetical situation, please
explain how the two situations are so substantially different as to
result in completely opposite conclusions with regard to liability.

-- 
Riad Wahby
[EMAIL PROTECTED]
MIT VI-2/A 2002



RE: It takes two to tango

2002-07-31 Thread Mark L. Jackson

//  I just read the article at News.com
//  (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
//  controversy between HP and Snosoft.  It seems that HP is upset that
//  details of a dangerous security hole in the HP Tru64

... and why not? This has put all their customers at risk. They did not
just disclose the bug they are showing you how to exploit it.

//  operating system
//  were published by "Phased", a security researcher with

'security researcher', that is funny.

//  Snosoft, here on
//  Bugtraq.  I really feel that HP went way over the line by trying to
//  place all the blame on Snosoft for HP's security hole by
//  invoking the
//  DMCA and the Computer Fraud and Abuse Act.

Just exactly where did you hear or see that? The article does not state
that.

They are protecting their customers. That is what a good company is
supposed to do. Any company not doing this in my opinion is negligent.
They are doing exactly what they should be doing; using the law to
protect their company and its clients.

//
//  If this particular security hole is ever exploited by the
//  "bad guys",
//  we'll probably have both HP and Phased to thank.  It really

No you will have the luser that uses the exploit to thank.

//  does take
//  two to tango.  The Phased exploit code would never have
//  been published
//  if HP programmers didn't mess up in the first place.

What a crock. Are you perfect? NO! Why in the world would you expect
anyone else to be what you yourself are not? Expecting perfect code is
just stupid.

//
//  So this quote from Kent Ferson of HP in the News.com article was
//  probably a big mistake:
//
// "Ferson also said that HP reserves
// the right to sue SnoSoft and its members "for monies
// and damages caused by the posting and any use of the
// buffer overflow exploit."
//
//  Pretty clearly if there were ever to be any lawsuits over this
//  particular bug, HP has much deeper pockets which are much
//  easier to get
//  to.

HP has acted to stop the problem. In other words CYA. The fact is that
the person exploiting the issue is the problem, not HP.

Could someone sue HP, yes. But as you pointed out they have deeper
pockets than most people. It works both ways. They can call out an army
of lawyers for this. They can also show that they acted in good faith.
Game over.

As for this hampering 'research', hardly. Phased said it himself. He
does not live in the U.S. and SnoSoft does not know where he lives
(assuming they are telling the truth). Let's face it being a criminal
with little skill gets you more respect than skill without a record.

IMO Symantec purchasing Security Focus is a much greater risk to
openness than a few clowns releasing code. My guess is that the code was
pulled to keep from queering the deal with Symantec, more than some
hacker ethics. Just take a look at NTBugtraq. Ever since they were
acquired by an MS-friendly company, Russ Cooper has been pushing limited
disclosure. Even going so far as to propose that he would decide on an
inner circle of 'trusted' people who would get information as he saw
fit. As an aside I have noticed a substantial drop in traffic on the
list within the last year. Could be lots of filtering, I don't know.
Maybe they are now worried about law suits. Just seems fishy considering
the push for limiting the discourse.

Should we release code that exploits bugs, I don't think so. I do
believe that we should let others know of the issue with software or
hardware for that matter. Companies should be given a chance to fix the
issue before letting the word out that there is a bug. Unfortunately in
the mad dash for glory, that is sometimes not a consideration.





Re: It takes two to tango

2002-07-31 Thread Kyle R. Hofmann

On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget wrote:
> IMHO, vendors SHOULD be responsible for security holes.

What, precisely, do you mean by "responsible"?  Do you mean "monetarily liable"?

Suppose I find a remotely exploitable flaw in a major open source project,
such as BIND or sendmail or Apache.  I communicate the flaw to the vendor.
It responds quickly, confirming my find and working with system integrators
to release patches.  The patches are well publicized and widely available.
Subsequently a black hat releases an aggressive worm which exploits this
vulnerability.  It does $1 million in damages.  Is the vendor (ISC, Sendmail
Consortium, Apache Foundation, etc.) now liable for $1 million in compensatory
damages?  If so, is it also liable for punitive damages because it should
never have introduced that bug in the first place, even though it did its
best to respond?

Put another way, if I'm Microsoft and I want to destroy open source, should
I start looking for vulnerabilities in big open source projects?

> However,
> before that can be done there needs to be some kind of law put in
> place to protect the researchers who find the holes.  Doesn't need to
> be much, just a blanket law that if the researcher has taken
> reasonable steps to alert the vendor, they cannot be held liable for
> the consequences of releasing the advisory. If that doesn't happen,
> things are going to get messy.

Reasonable steps is a very vague term.  You have made the point that the
researcher needs protection from an unreasonable vendor, but vendors
also need protection from unreasonable researchers.  Any system which
unfairly protects either side courts abuse.

-- 
Kyle R. Hofmann <[EMAIL PROTECTED]>



Re: It takes two to tango

2002-07-31 Thread Branson Matheson

On Wed, 2002-07-31 at 10:48, Jose Nazario wrote:

> > 4)  R attempts communication several times over the next 90 days, but
> > never receives a response.
> 
> if the researcher doesn't attempt to work with an established third party
> (ie CERT, SecurityFocus) to get this contact made, they are acting in an
> irresponsible fashion. at least the researcher waited 90 days, though.

Refusing to work with an "established third party" does not constitute
"irresponsible behavior". Arguably it does make the process smoother
when a third party is used, but should not be a litmus test for the proper
way to notify a vendor, or any other purveyor of software or hardware.

There are many researchers who do this work outside of any organization
for any number of reasons including questioning the motives of
commercial security companies to disagreeing with directional statements
from non-commercial entities. Regardless of the reason... very credible
work has been performed by lone individuals and we would be remiss in
casting doubt on their methods and lose that advantage.

Established guidelines, that everyone can follow across organizational
boundaries, are the best solution. Contact addresses, expectations of
both the vendor and the researcher, and methodologies for distribution
of a solution should be public knowledge and defined broadly by
standards. 

Each vendor should also publish their own expectations with regard to
handling vulnerabilities and bugs. Specifically, they should state where
they are diverging from the aforementioned standards. In this way, the
researcher knows what he or she is getting into by notifying the vendor.
This doesn't mean that each vendor should have their own, unique
policies, but make it clear so that responsible individuals can do their
best to adhere to the ideas set forth and thus prevent threatening
letters.
-- 

  - branson

---
Branson Matheson" If you are falling off of a mountain,
Systems ConsultantYou may as well try to fly." 
Windborne, Inc.   - Delenn, Minbari Ambassador 
   ( $statements =  ) !~ /Company Opinion/;




Re: It takes two to tango

2002-07-31 Thread Tom Perrine

> On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget <[EMAIL PROTECTED]> said:

CP> 

>> "Ferson also said that HP reserves
>> the right to sue SnoSoft and its members "for monies
>> and damages caused by the posting and any use of the
>> buffer overflow exploit."

CP> This raises a very interesting point.  Bruce Schneier has stated
CP> publicly that he believes vendors should be held responsible for
CP> security flaws in their products
CP> (http://www.nwfusion.com/columnists/2002/0422faceoffyes.html).  I
CP> agree with this viewpoint, as, I am sure, do many people on this list.
CP> However, how would this affect the vulnerability disclosure process?

Others, even some lawyers, agree:

http://www.gocsi.com/pdfs/byte.pdf

Erin also had a similar article in ;login: (requires USENIX
membership):

http://www.usenix.org/publications/login/2001-12/pdfs/kenneally.pdf

and most recently in IEEE Computer:

http://www.computer.org/computer/co2002/r6toc.htm

-- 
Tom E. Perrine <[EMAIL PROTECTED]> | San Diego Supercomputer Center 
http://www.sdsc.edu/~tep/ | 



RE: It takes two to tango (or samba for that matter)

2002-07-31 Thread Gibby McCaleb

As much as corporate liability makes sense, I doubt it will ever come to
fruition.  I think it will be near impossible to prove "negligence."  It
will be a matter of interpreting the raw code and showing that the
programmers intentionally cut corners.  That won't be an easy thing to
prove.

Chris ponders if vendor V has the "right" to sue researcher R.  Remember
that in this country, you have the right to sue anyone for anything (like
the guy suing McDonald's because he's fat
http://www.cnn.com/2002/HEALTH/diet.fitness/07/26/fast.food.lawsuit.ap/index.html )
or people who sue the tobacco companies, as if you thought lighting
something on fire and inhaling it was GOOD for you?  Jeez.  It is now vital
for everyone, especially small companies, to keep a paper trail of
everything to protect themselves, although that may not matter.  Were my
company to go head to head with an HP caliber opponent, we'd lose hands
down.  We couldn't afford to win.  Legal expenses would choke us.  Anyone
remember Microsoft vs. Stacker?

There is an interesting talk on this very subject at Defcon this weekend
that I am looking forward to called "The Politics of Vulnerabilities."
Should be interesting.

I think the system works for now and hopefully it will stay that way.
Sooner or later though, one of the big boys will get an itchy legal trigger
finger and go after (and probably bury) some small security company.  The
security community will go nuts. Dogs and cats, sleeping together.  People
will yell and point fingers then they'll create a government agency that
will handle all vulnerabilities and liaise between the security guys and
the software vendors, which will suck and I'll get out of the security
business and sell Tupperware in the Caymans.

My last two cents: don't always blame the programmers.  I recall a 2 million
dollar development project I led that had to be completed in 6 weeks
(including QA) because the marketing dept. of the company I worked for had
already spent huge $$ on ads.  Never mind if anyone thought we could
actually complete the project in that time frame.  We had to cut a lot of
corners to pull that off and had planned on going back and fixing them after
the fact.  Of course, the marketing guys came up with all new stuff for us
to build and sell.  You get the idea.  Blame the marketing and sales folks.
They're evil.

OK. I'm off my soap box.  Hope to see you at DefCon this weekend!  Buy me a
beer...or two.  I'll be happy to rant on for days.


Gibby McCaleb

www.covertsystems.net

Covert Systems, Inc.


-Original Message-
From: Chris Paget [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 3:35 AM
To: Richard M. Smith; [EMAIL PROTECTED]
Subject: Re: It takes two to tango





>"Ferson also said that HP reserves
>the right to sue SnoSoft and its members "for monies
>and damages caused by the posting and any use of the
>buffer overflow exploit."

This raises a very interesting point.  Bruce Schneier has stated
publicly that he believes vendors should be held responsible for
security flaws in their products
(http://www.nwfusion.com/columnists/2002/0422faceoffyes.html).  I
agree with this viewpoint, as, I am sure, do many people on this list.
However, how would this affect the vulnerability disclosure process?

1)  Researcher R finds a security hole in vendor V's product.
2)  R attempts to contact V to reveal the bug.
3)  V does not respond.
4)  R attempts communication several times over the next 90 days, but
never receives a response.
5)  R releases an advisory.
6)  Attacker A writes an exploit for the hole, and uses it to hack
into company C.
7)  C successfully sues V for several million dollars compensation.

Does V still have the right to sue R?  If vendors are made liable for
security holes, and those vendors have the right to sue the people who
find advisories and / or release exploits, then we'll be seeing
security researchers on the wrong end of multi-million dollar
lawsuits.  I'm sure I'm not the only person who feels uncomfortable
about this.  Buffer overflow exploits are not difficult to write; it
doesn't come down to whether there's exploit code or just an advisory.

IMHO, vendors SHOULD be responsible for security holes.  However,
before that can be done there needs to be some kind of law put in
place to protect the researchers who find the holes.  Doesn't need to
be much, just a blanket law that if the researcher has taken
reasonable steps to alert the vendor, they cannot be held liable for
the consequences of releasing the advisory. If that doesn't happen,
things are going to get messy.

Chris

--
Chris Paget
[EMAIL PROTECTED]






Re: It takes two to tango

2002-07-31 Thread Greg A. Woods

[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]
> Subject: Re: It takes two to tango
>
> Does V still have the right to sue R?

Absolutely not.  They were given more than fair notice.

>  If vendors are made liable for
> security holes, and those vendors have the right to sue the people who
> find advisories and / or release exploits, then we'll be seeing
> security researchers on the wrong end of multi-million dollar
> lawsuits.

Only if the law fails to recognize the notice given by the discoverer to
the vendor.  Perhaps security researchers should begin using registered
mail to notify vendors.

It probably also means that those who feel vendors do not deserve fair
notice will (have to / continue to) resort to posting exploits anonymously.

> IMHO, vendors SHOULD be responsible for security holes.  However,
> before that can be done there needs to be some kind of law put in
> place to protect the researchers who find the holes.

IANAL, but I would hope no new laws are necessary -- the recognition of
fair notice should be sufficient.

-- 
Greg A. Woods

+1 416 218-0098;<[EMAIL PROTECTED]>;   <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>; VE3TCP; Secrets of the Weird <[EMAIL PROTECTED]>



Re: It takes two to tango

2002-07-31 Thread Chris Paget

On Wed, 31 Jul 2002 11:15:27 -0400 (EDT), Greg A. Woods wrote:

>[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]
>> Subject: Re: It takes two to tango
>>
>> Does V still have the right to sue R?
>
>Absolutely not.  They were given more than fair notice.

According to the CNet article:

In HP's case, SnoSoft says that information made public last year
should have given the computer maker enough time to fix the problem. 

and

HP has known about the Tru64 vulnerability "for some time," SnoSoft's
Finisterre said, but never fixed the problem. An HP spokesman said he
did not know if a patch had been released.

Last year?  If >7 months isn't enough time to count as "fair notice"
then what is?  This was a new exploit for an old hole, demonstrating
that fair notice is irrelevant if the vendor doesn't like what's going
on.  That's what's frightening me - even if I follow widely recognised
industry best practices when releasing an advisory, I can still be
held personally liable if the vendor decides to invoke that magical
4-letter acronym - DMCA.

Yes, I'm in the UK, and could probably argue that the DMCA doesn't
apply to me.  But the EUCD is virtually identical, and would apply in
exactly the same way as the DMCA should the vendor choose to wield it.

Chris

-- 
Chris Paget
[EMAIL PROTECTED]



>
>>  If vendors are made liable for
>> security holes, and those vendors have the right to sue the people who
>> find advisories and / or release exploits, then we'll be seeing
>> security researchers on the wrong end of multi-million dollar
>> lawsuits.
>
>Only if the law fails to recognize the notice given by the discoverer to
>the vendor.  Perhaps security researchers should begin using registered
>mail to notify vendors.
>
>It probably also means that those who feel vendors do not deserve fair
>notice will (have to / continue to) resort to posting exploits anonymously.
>
>> IMHO, vendors SHOULD be responsible for security holes.  However,
>> before that can be done there needs to be some kind of law put in
>> place to protect the researchers who find the holes.
>
>IANAL, but I would hope no new laws are necessary -- the recognition of
>fair notice should be sufficient.




Re: It takes two to tango

2002-07-31 Thread Derek D. Martin


At some point hitherto, Riad S. Wahby hath spake thusly:
> Two weeks later, a story breaks in the national news that a psychopath
> has taken it upon himself to rear-end all Ford cars on rainy moonlit
> nights.  So far, five people have died.
> 
> Who is responsible, Ford or Consumer Reports?  Do you think Ford could
> successfully prosecute a lawsuit against Consumer Reports?

How about the psychopath?  Certainly Ford's negligence contributes, in
that it allows the opportunity for the psychopath's mission...  But,
as I think often happens in security circles, people are often wont to
overlook the responsibility of the misguided, perhaps unknown
individual who is actually committing these acts, in favor of the
obvious easy target with deep pockets.  People who commit computer
crime should be tracked down and punished according to the severity of
their crime.

OTOH, recent trends here in the United States suggest that
legislatures are passing, and judicial systems all too quick to make
use of very stiff penalties for crimes which often amount to
trespassing or vandalism.  Today's political climate seems to be
becoming one where it's not unlikely that someone will be sentenced to
life in prison for actions which largely amount to throwing a rock
through someone's window -- a crime whose penalty would itself likely
amount to some official court person admonishing the convicted to
"don't do that again."

Software vendors seem quite happy with this development.  It points
the blame at someone besides themselves, and relieves them again of
their duty to write good software that doesn't break when you sneeze
in its general direction.  The possible case of HP v. SnoSoft
highlights this issue.  Evidently writing good software is too hard or
too costly for many vendors, so they'd rather just prosecute people
who make them look bad.  It's cheaper, and it cuts down on the number
of people willing to do the kind of research and publish the results
that make the Bugtraq mailing list worth reading.

Despite all the work that has been done by the security community,
full disclosure seems only to have angered the software giants into
using their financial resources NOT to actually fix the problems with
their software, as a responsible corporate citizen would do, but
instead to keep people like you from exposing them and complaining
about them publicly, essentially making it illegal to do so.  And
through their most generous campaign donations, they have bought the
support of the legislature for such atrocities as the DMCA and other
similar legislation, which effectively squash your 1st Amendment right
to free speech.  We have wonderful agencies like the EFF and others,
who take on the challenges of combating these offensive laws and their
misuses, but they appear to be fighting a losing battle.  We vote in
public elections, and nothing happens.  So I ask the Bugtraq
community, what aren't we doing, that we can do to keep the corporate
giants from squashing our voices, and put technology back in the hands
of the people, where it belongs?


-- 
Derek Martin   [EMAIL PROTECTED]
-
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org



RE: It takes two to tango

2002-07-31 Thread Scott, Richard

There are some interesting issues being raised:



1)  Researcher R finds a security hole in vendor V's product.
2)  R attempts to contact V to reveal the bug.
3)  V does not respond.
4)  R attempts communication several times over the next 90 days, but
never receives a response.
5)  R releases an advisory.
6)  Attacker A writes an exploit for the hole, and uses it to hack
into company C.
7)  C successfully sues V for several million dollars compensation.

Does V still have the right to sue R?  If vendors are made liable for
security holes, and those vendors have the right to sue the people who
find advisories and / or release exploits, then we'll be seeing
security researchers on the wrong end of multi-million dollar
lawsuits.  I'm sure I'm not the only person who feels uncomfortable
about this.  Buffer overflow exploits are not difficult to write; it
doesn't come down to whether there's exploit code or just an advisory.


[RS] Let's assume that contracts and licensing are not defunct of liability.
Providing that the security vulnerability is reported to the vendor, the
vendor should immediately verify the claims and inform all its licensed
clients.  In most cases many vulnerabilities could be mitigated with certain
other efforts which, whilst not as efficient or reducing business functionality,
may reduce the risk until a patch is available.  The business would decide if
the risk is acceptable to continue business or would defer risk by either
reducing functionality (stopping services etc) or completely stop until a
patch (in the event the IDS picked something up).  Just because a
vulnerability is detected in a service one is using does not necessarily
mean my server has to be placed off line.  However, I would expect a patch
if I intend to use that feature in the future.

In such cases, businesses are fully aware of risk of doing business, can
apply some vague quantitative measure of risk and understand the risk model.
If the client was not notified, after the vulnerability was published (not
the exploit), businesses affected by the security hole, could sue the
vendor.  The vendor may have chosen not to inform its clients of the
potential security problem, and thus did not do its due diligence.

I believe this would be a better model of controlling and enabling full
disclosure.  Thus, the vulnerability owner would notify a vendor, and
following the guidelines, give 30 days for client notification (assume 30,
could be anything noted..).  The Vendor must notify clients to take
precautionary action.
If vendor refuses to notify clients, and clients discover additional risk,
and/or potential damage litigation can be a consequence.  [Seems very
similar to other product warranties et al ?? ...]


IMHO, vendors SHOULD be responsible for security holes.  However,
before that can be done there needs to be some kind of law put in
place to protect the researchers who find the holes.  Doesn't need to
be much, just a blanket law that if the researcher has taken
reasonable steps to alert the vendor, they cannot be held liable for
the consequences of releasing the advisory. If that doesn't happen,
things are going to get messy.


[RS] I must admit that the legal system in this country is not proactive,
very reactive and very heavily fraught with strange laws.  The introduction
of laws and regulations to prevent reverse engineering is just a step to
remove full disclosure.  The onus should be placed back into liability and
insurance.  Preventing discovery is not the answer.  If Full Disclosure was
covered by some government classification so as to require adequate and
official steps, liability is placed on both hands of the vulnerability.  The
author would be required to follow the steps, informing the vendor and then
releasing an advisory and then potentially the exploit, whilst the vendor
must be required to notify licensees / clients prior to the advisory and
then follow up with a patch.

Secondly, just because one person has discovered the flaw doesn't mean
others do not know about it.  Hence, it is vital that vendors treat
advisories as high priority issues and must assume that potential criminals
could use those vulnerabilities.

It doesn't seem much to stretch the Homeland office for security to regard
commerce systems as "Infrastructure" and hence bind researchers and vendors
to an agreement.  The only sticky part is if a vendor fails to take note and
the advisory and exploits are released.  In such a case the department of
HLS could be involved in high level cases, i.e. large scale potential.

This is just a sketch and there are numerous possible obstacles, but it
certainly beats the current rogue view of many members who regard FD as a
terrible thing.

Cheerio
r.

Richard Scott
INFORMATION SECURITY
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries





Re: It takes two to tango

2002-07-31 Thread Riad S. Wahby

Chris Paget <[EMAIL PROTECTED]> wrote:
> Does V still have the right to sue R?

Let's put this a different way:

Ford makes a car that seems to sell pretty well.  Unfortunately, it
has a fatal design flaw: if the car suffers a rear-end collision while
it's in third gear during a rainstorm at night while the moon is
waxing, the car explodes, killing its passengers.  Consumer Reports
discovers that this is the case and publishes a warning to its readers
concerning this car.  Ford is unable to reproduce the vulnerable
configuration and ignores the warning, assuming it's a hoax.

Two weeks later, a story breaks in the national news that a psychopath
has taken it upon himself to rear-end all Ford cars on rainy moonlit
nights.  So far, five people have died.

Who is responsible, Ford or Consumer Reports?  Do you think Ford could
successfully prosecute a lawsuit against Consumer Reports?

Extra credit: if you said "no" to the second question, but think V
should win a suit against R in Chris's hypothetical situation, please
explain how the two situations are so substantially different as to
result in completely opposite conclusions with regard to liability.

-- 
Riad Wahby
[EMAIL PROTECTED]
MIT VI-2/A 2002



Re: It takes two to tango

2002-07-31 Thread Stan Bubrouski


I agree fully with what both of you have to say, and I have another
point to bring up.  If companies like HP or Microsoft can put in their
license terms which remove all liability of themselves for damage
caused by security in their products or general defects, and this stands
up in court (and as we know it has), how can the courts say that the
producer of the product is not liable at all, but that a consumer
investigating security holes in that product is liable for damages
resulting from his research on vulnerabilities in that product?

The whole concept itself is ludicrous, and the HP case is particularly
troubling.  If indeed HP knew of the bug for a year and either didn't
acknowledge the problem or didn't fix it, then would it be safe to say
they knew of its existence, but chose to not proceed in announcing
or fixing the problem?  What is a consumer to do?  The company is
not liable for the hole in their product, has in most cases no way to
fix it, and the lack of liability on HP's part makes it impossible for
the consumer to force them to fix it. This leaves the consumer with
a dangerous and defective product which could cost them endless
amounts of financial loss if the problem is not resolved before a hacker
resolves to take advantage.

In publishing an exploit for said vulnerability, a consumer is in a sense
promoting action to be taken by administrators (assuming a patch is
available) and on HP's part as well; now that the public is aware of
the hole, more pressure can be levied to get the company to fix the
problem.  But this now leaves them vulnerable to be sued under
Copyright laws? Where does the Copyright come into play?  Is the
'su' on HP systems purely HP's code or is it derived from older
shared code?  What right then would they have to sue them if this
vulnerability affected other operating systems as well?  Furthermore
the exploit is not remote and thus it's hard to see how HP could
prove damages from such an exploit given its local nature on the OS.

This brings me to Phase.  [EMAIL PROTECTED], is he even in the US or is
he indeed in Russia? I hate this whole situation and the power large
corporations have over our government and our courts.  I look at
the law about allowing groups like MPAA to hack the systems of
consumers and their networks based on circumstantial evidence as
a clear sign that corporate corruption in our government has already
gone too far, and too many of our rights are already limited for them
to stop now.  I'm not so sure any court is going to be willing to
challenge this, as lawmakers are too influenced by large corporations
to care about learning the least bit about how programming and computers
work. They rely on their pocket-lining supporters to tell them that.
Things look grim, and my goal of being a security researcher is far
from certain.  If such limitations are arising that you cannot investigate
commercial software's vulnerabilities, I don't see a lucrative future
and may continue down a different in the near future.  I lost faith
in my government long ago.

-Stan Bubrouski
(Soon to be ) Middler Computer Science Major at Northeastern University, 
Boston, MA


Chris Paget wrote:

>>   "Ferson also said that HP reserves
>>   the right to sue SnoSoft and its members "for monies
>>   and damages caused by the posting and any use of the
>>   buffer overflow exploit."
>
>This raises a very interesting point.  Bruce Schneier has stated
>publicly that he believes vendors should be held responsible for
>security flaws in their products
>(http://www.nwfusion.com/columnists/2002/0422faceoffyes.html).  I
>agree with this viewpoint, as, I am sure, do many people on this list.
>However, how would this affect the vulnerability disclosure process?
>
>1)  Researcher R finds a security hole in vendor V's product.
>2)  R attempts to contact V to reveal the bug.
>3)  V does not respond.
>4)  R attempts communication several times over the next 90 days, but
>never receives a response.
>5)  R releases an advisory.
>6)  Attacker A writes an exploit for the hole, and uses it to hack
>into company C.
>7)  C successfully sues V for several million dollars compensation.
>
>Does V still have the right to sue R?  If vendors are made liable for
>security holes, and those vendors have the right to sue the people who
>find advisories and / or release exploits, then we'll be seeing
>security researchers on the wrong end of multi-million dollar
>lawsuits.  I'm sure I'm not the only person who feels uncomfortable
>about this.  Buffer overflow exploits are not difficult to write; it
>doesn't come down to whether there's exploit code or just an advisory.
>
>IMHO, vendors SHOULD be responsible for security holes.  However,
>before that can be done there needs to be some kind of law put in
>place to protect the researchers who find the holes.  Doesn't need to
>be much, just a blanket law that if the researcher has taken
>reasonable steps to alert the vendor, they cannot be held liabl

Re: It takes two to tango

2002-07-31 Thread Mike Forrester

> Hi,
>
> I just read the article at News.com
> (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
> controversy between HP and Snosoft.  It seems that HP is upset that
> details of a dangerous security hole in the HP Tru64 operating system
> were published by "Phased", a security researcher with Snosoft, here on
> Bugtraq.  I really feel that HP went way over the line by trying to
> place all the blame on Snosoft for HP's security hole by invoking the
> DMCA and the Computer Fraud and Abuse Act.

Sounds like now might be the time to start looking at Epson, Canon, etc. for
printers and scanners, which sucks 'cause I've always had good luck with
their stuff...

I would suggest that everyone who agrees send HP an email expressing your
disappointment in this matter.  Just to help those short on time:

Contact HP (USA):
http://www.hp.com/country/us/eng/contact_us.htm

E-mail Carly Fiorina (CEO):
http://www.hp.com/hpinfo/execteam/email/fiorina/index.htm




Re: It takes two to tango

2002-07-31 Thread Jose Nazario

to continue the "it takes two to tango" metaphor, i will say the following
(inline):

On Wed, 31 Jul 2002, Chris Paget wrote:

> 2)  R attempts to contact V to reveal the bug.
> 3)  V does not respond.

this is the fault of the vendor for not having a well known and publicized
contact point for handling security concerns. furthermore, if publicly
published email addresses for the company (ie webmaster, abuse,
postmaster, support, security) do NOT have the correct stuff forwarded to
the security contact, there is an organizational breakdown for the vendor.
this has been beaten to death by this point, there is no reason this
should still be the case.

> 4)  R attempts communication several times over the next 90 days, but
> never receives a response.

if the researcher doesn't attempt to work with an established third party
(ie CERT, SecurityFocus) to get this contact made, they are acting in an
irresponsible fashion. at least the researcher waited 90 days, though.

so, it does take two to tango, both sides have to have made honest efforts
to make sure this process of vulnerability notification can work as
smoothly as possible. this has been the subject of many recent discussions,
including standards drafts. no excuses for not attempting to adhere to
these best practices for either side of the issue.

___
jose nazario, ph.d. [EMAIL PROTECTED]
http://www.monkey.org/~jose/




Re: It takes two to tango

2002-07-31 Thread Chris Paget

>"Ferson also said that HP reserves
>the right to sue SnoSoft and its members "for monies
>and damages caused by the posting and any use of the
>buffer overflow exploit."

This raises a very interesting point.  Bruce Schneier has stated
publicly that he believes vendors should be held responsible for
security flaws in their products
(http://www.nwfusion.com/columnists/2002/0422faceoffyes.html).  I
agree with this viewpoint, as, I am sure, do many people on this list.
However, how would this affect the vulnerability disclosure process?

1)  Researcher R finds a security hole in vendor V's product.
2)  R attempts to contact V to reveal the bug.
3)  V does not respond.
4)  R attempts communication several times over the next 90 days, but
never receives a response.
5)  R releases an advisory.
6)  Attacker A writes an exploit for the hole, and uses it to hack
into company C.
7)  C successfully sues V for several million dollars compensation.

Does V still have the right to sue R?  If vendors are made liable for
security holes, and those vendors have the right to sue the people who
find advisories and / or release exploits, then we'll be seeing
security researchers on the wrong end of multi-million dollar
lawsuits.  I'm sure I'm not the only person who feels uncomfortable
about this.  Buffer overflow exploits are not difficult to write; it
doesn't come down to whether there's exploit code or just an advisory.

IMHO, vendors SHOULD be responsible for security holes.  However,
before that can be done there needs to be some kind of law put in
place to protect the researchers who find the holes.  Doesn't need to
be much, just a blanket law that if the researcher has taken
reasonable steps to alert the vendor, they cannot be held liable for
the consequences of releasing the advisory. If that doesn't happen,
things are going to get messy.

Chris

-- 
Chris Paget
[EMAIL PROTECTED]