Re: [Full-disclosure] security industry software license

2008-10-15 Thread AaRoNg11
On Wed, Oct 15, 2008 at 7:37 AM, AaRoNg11 [EMAIL PROTECTED] wrote:

 Society doesn't care, just n3td3v :P


 Why does society care about doing this?

 Or is it just that you can't figure out how to use it, so you don't want
 others to have access to it?


 --
 Aaron Goulden




-- 
Aaron Goulden
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] security industry software license

2008-10-11 Thread AaRoNg11
The only thing this would serve to do is cause cracked versions of tools
such as Metasploit and other security scanners to be put up on sites like
The Pirate Bay. Then, what about if somebody coded their own security
tool? Would they have to have a license to use it?

This whole idea goes against the idea of open source and free software.
Sure, let the large corporate vulnerability scanners do whatever the hell
they want with their software, but try telling an open source project that
they have to close their source so that the bad guys can't get hold of
their tools.

A licensing system of this size would cost millions, if not billions, to
implement. This, along with the fact that it would be completely
unenforceable when implemented, makes it clear that you really haven't
thought this through properly. It's like the government springing up and
saying you must have a license to own a computer. Virtually every home in
every MEDC has a computer already, that was bought before the licensing.
There are no records of who owns a computer. Must the government go round to
each home and search for a computer? If the owner hasn't got a license, what
do they do? Remove the computer? Sorry for this crappy metaphor, but it's
something of a similar scale and it's all I could think of to represent the
absurdity of the idea.

On Fri, Oct 10, 2008 at 2:31 AM, n3td3v [EMAIL PROTECTED] wrote:

 there should be a central license that people apply for to use
 software like Metasploit.

 all the *respected* programmers would require the license before you
 get to download.

 anyone can apply for a licence, however only those who meet the
 criteria get given the licence.

 background checks are done on you to see you are who you say you are.

 that you're not a cyber criminal or terrorist, and that you're going
 to be using the software for the intentions of which the product was
 designed.

 verbal contracts never hold ground, saying, this software is for
 testing purposes isn't any guarantee that the bad guys won't use the
 software.

 we need a centralised security industry software license scheme so the
 good guys can take full advantage of the tools made by creators of
 security software, while shuttering the bad guys out.

 to rely on a verbal contract for security software as a safeguard
 is no longer enough for the security industry in light of Metasploit
 and other borderline evil purpose software.

 it's time that members of the industry work together to form such a
 scheme, to ensure a streamlined programme that all the good guys can be
 part of, only letting the good guys use the software for good
 purposes.





-- 
Aaron Goulden

Re: [Full-disclosure] security industry software license

2008-10-11 Thread AaRoNg11
I really don't understand how you even think this idea has any chance of
succeeding. You obviously didn't read my response properly; not only did I
address issues of money, but also the fact that it would be absolutely
impossible to implement such a system due to existing infrastructures and
lack of records. Please read the rest of my response properly.

On Sat, Oct 11, 2008 at 5:47 PM, n3td3v [EMAIL PROTECTED] wrote:

 On Sat, Oct 11, 2008 at 9:47 AM, AaRoNg11 [EMAIL PROTECTED] wrote:
  A licensing system of this size would cost millions, if not billions to
 implement.

 What's a few million here, a few billion there in the name of national
 security? Money hasn't stopped the Department of Homeland Security
 implementing far stupider things in the past. No, I don't think
 money is the issue here. The issue is ironing out the
 details to make this whole thing workable and effective, and getting
 cross-government, cross-sector cooperation with rolling the scheme out
 and having it made an industry standard that everyone is agreed upon. That
 is the real challenge that faces us, not how much money it's going to
 cost. We can talk about the money later, let's just get the proposal
 details worked out and put on the table first and see if it's got a
 chance for any funding.





-- 
Aaron Goulden

Re: [Full-disclosure] To disclose or not to disclose

2008-09-27 Thread AaRoNg11
On Sat, Sep 27, 2008 at 9:13 AM, AaRoNg11 [EMAIL PROTECTED] wrote:

 Hey, this is a situation that occurs quite frequently within the security
 industry. (Bad) Vendors often refuse to fix bugs or ignore them completely
 until it's too late.

 You should ideally assess each situation on a case by case basis. Ideally,
 the first step should be to notify the vendor giving them as much technical
 information about the bug as possible. You should also document the severity
 of the bug, and give the vendor some examples of what a malicious user would
 be able to do.

 If the vendor has not responded within 5 weeks, the second step should be
 to create an extremely generic public advisory. This advisory should explain
 what the bug allows a malicious user to do, while not detailing the
 technical aspects. By doing this, you are letting the industry know that the
 software is vulnerable, and it would be a good idea to start looking at
 possible alternatives. It is at this point that you should set a deadline
 for your public disclosure of the full advisory. This will put pressure on
 the vendor to get a patch out ASAP.

 A few days before the deadline, you should try to release a fix for the
 affected product yourself. Obviously this is only possible with open source
 software. Most people that use mission critical software (such as hospitals
 etc) will be signed up to at least one security mailing list. By doing this,
 you give them a chance to patch the bug before the script kiddies get in.
 While it may be possible to recreate the exploit from the patched code, it
 is unlikely that anybody will be able to rush anything out in the few days
 before the public advisory.


 On Sat, Sep 27, 2008 at 4:39 AM, Simon Smith [EMAIL PROTECTED] wrote:

 Greetings,
 I have a theoretical question of ethics for other security
 professionals that participate in this list. This is not an actual
 situation, but it is a potentially realistic situation that I'm
 interested in exploring and finding an acceptable solution to.

 Suppose a penetration testing company delivers a service to a
 customer. That customer uses a technology that was created by a third
 party to host a critical component of their infrastructure. The
 penetration testing company identifies several critical flaws in the
 technology and notifies the customer, and the vendor.

 One year passes and the vendor has done nothing to fix the issue. The
 customer is still vulnerable and they have done nothing to change their
 level of risk and exposure. In fact, let's say that the vendor flat out
 refuses to do anything about the issue even though they have been
 notified of the problem. Let's also assume that this issue affects
 thousands of customers in the financial and medical industry and puts
 them at dire risk.

 What should the security company do?

 1-) Create a formal advisory, contact the vendor and notify them of the
 intent to release the advisory in a period of n days? If the vendor
 refuses to fix the issue, does the security company still release the
 advisory in n days? Is that protecting the customer or putting the
 customer at risk? Or does it even change the risk level, as their risk
 still exists?

 2-) Does the security company collect a list of users of the technology
 and notify those users one by one? The process might be very time
 consuming but by doing that the security company might not increase the
 risk faced by the users of the technology, will they?

 3-) Does the security company release a low level advisory that notifies
 users of the technology to contact the vendor in order to gain access to
 the technical details about the issue?

 4-) Does the security company do something else? If so, what is the
 appropriate course of action?

 5-) Does the security company do nothing?

 I'm very interested to hear what people think the responsible action
 would be here. It appears that this is a challenge that will at some
 level create risk for the customer. Is it impossible to do this without
 creating an unacceptable level of risk?

 Looking forward to real responses (and troll responses too... especially
 n3td3v).

 --

 - simon

 --
 http://www.snosoft.com





 --
 Aaron Goulden




-- 
Aaron Goulden

Re: [Full-disclosure] To disclose or not to disclose

2008-09-27 Thread AaRoNg11
Well, if you've already warned your client that their software is vulnerable
and they haven't changed to an alternative, then it's fine to release an
advisory with all of the details.

I really don't understand why they'd pay for a penetration test and then not
take action if their software was vulnerable. If the vendor is extremely
unresponsive to any information, it may be the case that releasing the
technical details to the public is the only way to get them to take notice.
Just think, you might not be the only person who has found out about the
exploit. There might be some black hat hacker somewhere using it to meet
their own ends. Some vendors are just like that though; they refuse to do
anything until it's too late. Maybe they'll start taking notice of bug
reports after this happens a few times and they lose half of their clients.

On Sat, Sep 27, 2008 at 6:25 PM, Simon Smith [EMAIL PROTECTED] wrote:

 Great replies guys!

 So let's take this a step further. Let's suppose (again just theory) that
 the security company did notify the software vendor and did tell the
 vendor where the security issues were in their technology, how to
 exploit the issues, provided a proof of concept, and provided clear and
 actionable methods for remediation. Let's then say that the software
 vendor flat out, point blank, rejected that information and refused to
 implement any fixes.

 Just to make this more interesting, let's say that this all happened
 over one year ago. Let's also say that the customer who was being tested
 by the security company and that is using the vulnerable software has
 yet to address the vulnerability in their own network too.

 Is it the ethical duty of the security company to release an advisory?
 Does that advisory put the customer at risk? It is clearly unethical to
 do nothing and to leave everyone else at risk. How to proceed?

 --

 - simon

 --
 http://www.snosoft.com


-- 
Aaron Goulden

Re: [Full-disclosure] The new 'cyber politica' mailing list thats planned for the non-technical elite

2008-09-21 Thread AaRoNg11
Hi, my comment wasn't meant to flame you. I was basically trying to say that
if you used your email for sensitive stuff, and it had been compromised, the
intruder finding out your IP address is the least of your worries. I'm sorry
if it was interpreted as a flame.

Anyway, I like the idea of a non-technical mailing list. I'd be sure to sign
up :)

On Sun, Sep 21, 2008 at 7:02 PM, n3td3v [EMAIL PROTECTED] wrote:

 On Sun, Sep 21, 2008 at 12:34 PM, n3td3v [EMAIL PROTECTED] wrote:
  On Sun, Sep 21, 2008 at 4:01 AM,  [EMAIL PROTECTED] wrote:
  On Sat, 20 Sep 2008 21:47:55 BST, AaRoNg11 said:
 
  If the job was that sensitive of a job, do you really think they'd be
  using gmail to send important information?
 
  Remember - n3td3v is in the British Isles, where clusterfuck IT is
  rampant in the government sector.  You know, like Let's lose the financial
  details of *EVERY SINGLE FRIKKING FAMILY IN THE COUNTRY on an UNENCRYPTED DISK.
 
  Oh, why was the disk unencrypted? Because the policy on how to securely
  transfer the data was deemed so sensitive that it was only accessible to
  upper management - the people *doing* the work didn't have access to the
  policy of how to do it right.
 
 
  Maybe we can take this over to [EMAIL PROTECTED] or
  whatever name he gives the new mailing list when John Cartwright
  finally gets the finger out.
 
  We need a non-technical, unbiased, unmoderated version of
  full-disclosure where people can post rants, raves, speeches, ideas,
  views, opinions, news items, the dirty on employees, gossip, security
  conferences, or other intelligence that's non-technical.
 
  A place where people like n3td3v don't get made to feel bad for
  posting their views on what's going on in the security community.
 
  There seems to be a feeling that anyone who is non-technical is
  unwelcome on full-disclosure and ends up getting written about on
  securityfocus by robert lemos and made to feel a bad person. :(
 
  This is unfair, in the bigger scope of things, there just isn't
  anywhere to go to post non-technical stuff that's unmoderated.
 
  So instead of being nasty to n3td3v and writing about him on
  securityfocus and declaring a hunt for n3td3v, let's just create a new
  mailing list where people like me won't get made uncomfortable for
  posting.
 
  The bottom line is, there is no non-technical, unbiased, unmoderated
  version of full-disclosure and there should be one.
 
  We need a cyber political mailing list, where anything goes, right now
  it just seems that people don't really want n3td3v around, but that's
  not because n3td3v has done something wrong, it's just because there is
  nowhere else suitable to post about cyber politics that's
  non-technical, unbiased, unmoderated.
 
  I don't like posting to full-disclosure if I feel unwelcome, but I
  don't want to be muzzled, I want John Cartwright to set up a new
  mailing list for the non-technical issues.
 
  This is my proposal I'm putting forward, so let's talk about it.
 

 I say 'cyber-politica' is a decent name for it that we can have.

 Although I'm concerned the 'cyber' might go out of fashion over the
 years, so if you have cyber in the name it might get outdated.

 I think the new mailing list will be perfect for me and gadi types,
 then we won't be annoying the list anymore about what we think of
 everyone and cyber security.

 I think full-disclosure has had enough of opinionated people like me
 and gadi who chime in when we feel like it, it appears to upset the
 full-disclosure crowd, so a new mailing list would be brilliant for
 the non-technical crowd who still want to chime in when we're not
 happy about something.

 When people like me and gadi types post our opinionated views about
 people and cyber security, folks don't always reply and give their
 views, because they think the mailing list isn't supposed to be about
 the non-technical subject, so are reluctant to get involved in case it
 increases the 'noise'.

 What's needed is a non-technical mailing list where the non-technical
 elite can hang out.

 US-CERT.gov website already have technical and non-technical sections,
 so why can't full-disclosure be split in two?

 It's obvious me and gadi are not welcome on the current format
 full-disclosure, so we need a new mailing list for the non-technical
 elite.

 I was very upset to be bashed by robert lemos and his friends via news
 articles and blogs, so now it's time for a place we can go and not
 upset people anymore. It was never my intention to upset folks but
 that's what seems to have happened. They seem to think the
 full-disclosure list is being destroyed by the non-technical elite. So
 why not give the non-technical elite a mailing list of their own, so
 people won't get upset because we post an email that hasn't got a
 vulnerability or exploit in it.

 We should leave the full-disclosure list for technical users, and the
 non-technical users have their own mailing list to post on, then
 nobody can be accused

Re: [Full-disclosure] The new 'cyber politica' mailing list thats planned for the non-technical elite

2008-09-21 Thread AaRoNg11
It refers to neither. I'm sorry, I'm new to this list so I assumed that
n3td3v's post was serious.

On Sun, Sep 21, 2008 at 7:48 PM, Razi Shaban [EMAIL PROTECTED] wrote:

 Aaron, there's something you don't seem to get here. n3td3v is a
 troll. I'm hoping that eleven refers to your college graduation year
 and not your high school graduation; if it's the first you might know
 what a troll is. If not, look it up.

 --
 Razi




-- 
Aaron Goulden