Re: [Full-disclosure] UK ISP threatens security researcher
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

n3td3v! Your postings have become much more articulate. I didn't know that you could use big words.

By the way - does "Dr. Neal Krawetz, PhD" even know you're pretending to be him? Does Dave Aitel know that you're doing this on company time, or did he fire your sorry ass?

On Wed, 18 Apr 2007 06:01:05 -0600 "Dr. Neal Krawetz, PhD" <[EMAIL PROTECTED]> wrote:

>Let's keep in mind that publishing most security information
>borders on extortion. There isn't any other industry where fat nerds
>try to strongarm large corporations into admitting there are

excess flamebait deleted

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] UK ISP threatens security researcher
Extortion is AFAIK the demand for money or valuables without legal authority. I do not believe "fame" qualifies, and in any event one who points out a bug in public has his fame or infamy independently of what a company does.

At a former employer (an OS vendor) the general line was to ask customers not to disclose vulnerabilities. However, this was accompanied by an almost paranoid internal search-and-destroy attitude toward security holes and by prompt fixes to such problems as became known. As a result the customers supported this stand. Mind, there was little or none of the childish "counting coup" that seems to go on in some quarters. Those who advocated disclosing problems did not "claim credit" for finding the problems in the cases that surfaced. The discussion about whether to do so was always centered on the theory (with some observational support) that attackers knew of the bugs already and that countermeasures could often be used if the attacks were known to exist.

To my mind, a company that wants its problems to be kept quiet externally till fixed needs to earn that consideration by such paranoia. If a company is smart it will communicate with outsiders who point out problems. (Communicating about problems that can affect third-party software is also a good thing. Many of us did.)

Still, one who reveals a problem to the public is contributing to public knowledge, and that act by itself is not extortion or bullying. It should not be confused with such. The ethical issues center around whether the warning might help avoid a problem, or simply precipitate it.

A similar ethical issue appeared in science fiction and is a caution to the "reveal everything" side. In the story a small group learns to build a cheap doomsday device. In the end one of them kills the others because he worries about it being used for extortion. However, he is shortly afterwards killed by his wife, who worries that if the device can be built her children's lives cannot be safe.

The law ought to be clear that revealing information freely is OK, but that something that risks precipitating a catastrophe is not. A properly defended (in the 2nd Amendment sense!) society might very well in clear cases resort to the science fiction solution. On the other hand, claiming such risk for every oversight, and at the same time not advertising that your code does not run in hostile environments, is a kind of public fraud which does not deserve either protection or respect. The science fiction example is in clearly defined territory. Computer risks are seldom so, and before legal (or extralegal societal extreme) measures get involved there should be much more proof than has been common, and clarity about what is arguably beneficial and what is thuggery.

When I propose designs, by the way, I am very glad to have heard about vulnerabilities in different technical areas so I might design around them. If I must propose a kludge I am also very glad to have heard about where the dangers lie. At least it allows my guesstimates of how long the kludge might be used to be more accurate.

In the case referred to, the ISP's arguments remind me of what English banks were reputed to do some years ago when thefts occurred: argue that (in so many words) "our systems are secure so you must have done something wrong to breach them". Yep, bullying seems to be going on, but from the ISP. A response more along the lines of fixing the holes (as Microsoft has done when holes cropped up in its mail systems) would be more responsible. Had they considered that the researcher was giving them free help, having found the problem due to some vulnerabilities the ISP's software was causing on his home system, the ISP would have wound up looking better. Reading the original post, by the way, shows the guy gives a workaround for customers to close the holes created in their home systems.

No evidence there, as far as I can see, that the guy wanted anything other than to alert others about a hole in their own systems that the ISP software created (perhaps inadvertently), and what he noted. (That they responded noting that the terms & conditions say a customer is responsible for the security of account passwords selected by the customer, and claiming this somehow applies to passwords evidently "selected" by the ISP, is an indication of CYA, not of problem solving.)

Glenn Everhart

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Neal Krawetz, PhD
Sent: Wednesday, April 18, 2007 8:01 AM
To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] UK ISP threatens security researcher
Re: [Full-disclosure] UK ISP threatens security researcher
On 4/18/07, Dr. Neal Krawetz, PhD <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Let's keep in mind that publishing most security information
> borders on extortion. There isn't any other industry where fat nerds
> try to strongarm large corporations into admitting there are
> weaknesses in their products, defaming them publicly, causing their
> stock prices to fall, or otherwise damaging their public image and
> thus causing financial damage, et cetera.
>

Obviously this news hasn't trickled down to investigative journalists yet. Does anybody know of a mailing list where fat journalism majors hang out so this can be cross-posted? This could save a lot of time.

In the "real world" there are a number of socially responsible incidents where corporations were strong-armed into admitting weaknesses in products, which resulted in serious financial harm. For example, during the late 1970s and early/mid 1980s investigative television shows exposed weaknesses in a number of automobile platforms. These exposés were very harmful to the image and financial well-being of the attacked automakers. I think there are very few who would argue that this was bad for consumers. This was also good publicity whoring (ratings) for the television networks that aired them.

Consumers, including the subset that buys software, have the right to receive a product that does not unreasonably place them at risk of serious danger. If the corporation producing the product does so in a negligent or dangerous manner and refuses to fix or recall the problem, then some strong-arming is in order.

> When was the last time an auto manufacturer was humiliated publicly
> because their car windows can easily be broken and contents of the
> car stolen? When have chain manufacturers been chastised by the
> mass media for the existence of bolt cutters? What about the
> serious threat of hacksaws?

I think the key is that the threat must pose serious risk of damage due to a design flaw rather than as a consequence of its usage. And as pointed out above, auto manufacturers are humiliated when they fail to properly design and test their products.

I'm not sure how all of this relates to the view of the "Dr." that all Jews hate Arabs, the original post, or Gadi needing to be treated like a criminal. Either way the "Dr." has some good public whoring going on with his thoughtful and academic troll posts.

Regards,
Matt
Re: [Full-disclosure] UK ISP threatens security researcher
Dear Mr. Dr. Neal Krawetz, PhD,

On 18/04/07, Dr. Neal Krawetz, PhD <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Let's keep in mind that publishing most security information
> borders on extortion. There isn't any other industry where fat nerds
> try to strongarm large corporations into admitting there are
> weaknesses in their products, defaming them publicly, causing their
> stock prices to fall, or otherwise damaging their public image and
> thus causing financial damage, et cetera.

pretty cool, huh?

> Gadi, I doubt your people would be thrilled if you tried to
> petition Yahweh with complaints regarding His children being
> vulnerable to pieces of metal fired at high velocity from guns, and
> demanding that if things aren't fixed within what you consider a
> satisfactory timeframe (which, in the end is just some arbitrary
> number invented by people with no concept of industry and
> economics) that you will arm every man, woman, child, and lizard of
> bordering Arabic nations to Israel in order to teach that big guy
> up in the sky a lesson about not making humans impervious to
> gunfire!

Your analogies are flawed. I'm not going to elaborate on this.

> Come on man! You're smarter than this! When socially inept people
> who possess only rudimentary computer skills start bullying (call
> it what you will, in the end if you argue against my points you
> clearly are one of those people who can't make it in the real
> world) corporations for fame and money, which have real-world
> financial consequences to said corporate entities, you are in the
> least committing extortion. And while you might think these
> efforts are noble, the reality of the situation is simple - this is
> absolutely no different than a bunch of Russians with botnets,
> forcing businesses to comply with their demands if that business
> wishes to continue existing on the Internet.

So what about you? You enrolled in some university, then X years of conformism later you "made" it in "the real world"? I bet your mom is proud of you.

> When was the last time an auto manufacturer was humiliated publicly
> because their car windows can easily be broken and contents of the
> car stolen? When have chain manufacturers been chastised by the
> mass media for the existence of bolt cutters? What about the
> serious threat of hacksaws?
>
> People, grow up. If your life is spent behind a computer
> discovering uninteresting oversights in software design, where you
> clearly lack experience and ability, and proclaiming yourself the
> #chatzone badass and drooling saying "I'm the best evah!!!" doesn't
> make you important. The sad state of this industry is that there
> are enough ignorant people that find it impressive, and who don't
> understand the ramifications of their publicity whoring and the
> obvious parallels to other industries.
>
> The long and short of it is:
> If you want to act like a criminal, be prepared to be treated
> like a criminal, and don't cry about the choices you've made in
> life. You aren't a fucking martyr when your motivations and cause
> are only self-promoting and otherwise selfish.

Are the motivations of major corporations any better? What are their motivations again? Ah right, ROI, TBD, BAU. QoS and customer satisfaction aren't that high on the priority list if they're not related to the bucks.

> Always remember the embarrassment to hackers, humans, and Hebrews
> everywhere that is Kevin Mitnick.

What ethnic groups are ashamed of you? Prolly not the MBAers or the marketing department; they love people like you!

> --
> Dr. Neal Krawetz, PhD
> http://www.hackerfactor.com/blog/
>
> On Tue, 17 Apr 2007 19:30:54 -0400 Gadi Evron <[EMAIL PROTECTED]> wrote:
> >http://www.theregister.com/2007/04/17/hackers_service_terminated/
> >
> >"A 21-year-old college student in London had his internet service
> >terminated and was threatened with legal action after publishing
> >details of a critical vulnerability that can compromise the security of
> >the ISP's subscribers."
> >
> >I happen to know the guy, and I am saddened by this.
> >
> > Gadi.

Regards,
Thomas Pollet
Re: [Full-disclosure] UK ISP threatens security researcher
On 18-Apr-07, at 6:01 AM, Dr. Neal Krawetz, PhD wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Let's keep in mind that publishing most security information
> borders on extortion. There isn't any other industry where fat nerds
> try to strongarm large corporations into admitting there are
> weaknesses in their products, defaming them publicly, causing their
> stock prices to fall, or otherwise damaging their public image and
> thus causing financial damage, et cetera.
>

Let's also keep in mind that most vendors won't patch a hole in a timely fashion, and will happily leave their customers hanging in the wind to protect their stock price and image.

> Gadi, I doubt your people would be thrilled if you tried to
> petition Yahweh with complaints regarding His children being
> vulnerable to pieces of metal fired at high velocity from guns, and
> demanding that if things aren't fixed within what you consider a
> satisfactory timeframe (which, in the end is just some arbitrary
> number invented by people with no concept of industry and
> economics) that you will arm every man, woman, child, and lizard of
> bordering Arabic nations to Israel in order to teach that big guy
> up in the sky a lesson about not making humans impervious to
> gunfire!
>

Did you really just metaphorically compare software companies to Yahweh?? And for completeness' sake, do you really mean to assert that people don't cry out to $deity about various injustices?

> Come on man! You're smarter than this! When socially inept people
> who possess only rudimentary computer skills

Speak for yourself, doctor.

> start bullying (call
> it what you will, in the end if you argue against my points you
> clearly are one of those people who can't make it in the real
> world)

Oooo. Nice. "if you disagree with me, you suck and stuff!"

> corporations for fame and money, which have real-world
> financial consequences to said corporate entities, you are in the
> least committing extortion.

Cuz Yahweh forbid there be consequences.

> And while you might think these
> efforts are noble, the reality of the situation is simple - this is
> absolutely no different than a bunch of Russians with botnets,
> forcing businesses to comply with their demands if that business
> wishes to continue existing on the Internet.

You must live an interesting life when you lack the ability to differentiate between truth and lawlessness.

>
> When was the last time an auto manufacturer was humiliated publicly
> because their car windows can easily be broken and contents of the
> car stolen? When have chain manufacturers been chastised by the
> mass media for the existence of bolt cutters? What about the
> serious threat of hacksaws?

When the hacksaw threat costs users, business and government as much as insecurities in poorly audited code, you'll see these stories. Somehow I don't see that happening though. There are clear laws in place for when a company places a poor/flawed product on the market. Software seems to get a pass on this.

>
> People, grow up. If your life is spent behind a computer
> discovering uninteresting oversights in software design, where you
> clearly lack experience and ability, and proclaiming yourself the
> #chatzone badass and drooling saying "I'm the best evah!!!" doesn't
> make you important. The sad state of this industry is that there
> are enough ignorant people that find it impressive, and who don't
> understand the ramifications of their publicity whoring and the
> obvious parallels to other industries.

That's right, ladies and germs. Stop searching for holes and insecurities in your applications and OS. Stick your head in the sand and let people with ill intent find it and exploit it before you can be aware of the problem and protect yourself. Definitely *do not* share the information if you stumble on it. $deity knows you'd be a poor example if you acted to protect and inform others.

>
> The long and short of it is:
> If you want to act like a criminal, be prepared to be treated
> like a criminal, and don't cry about the choices you've made in
> life. You aren't a fucking martyr when your motivations and cause
> are only self-promoting and otherwise selfish.

Yes, because you're all psychic and stuff, and can immediately ascertain someone's motives. It's a miracle you aren't employed full time by the legal system with this super amazing power.

---
Tremaine Lea
Network Security Consultant

Be in pursuit of equality, but not at the expense of excellence.
Re: [Full-disclosure] UK ISP threatens security researcher
----- Dr. Neal Krawetz, PhD <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED BS-----

All I can utter after reading your post is, "It's so simple to be wise. Just think of something stupid to say and the opposite should have been said."

Ummm... the above applies to me as well. Sorry, hope you won't mind, we all act funny sometimes.

--
Sincerely
Ajay Pal Singh Atwal
Re: [Full-disclosure] UK ISP threatens security researcher
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Let's keep in mind that publishing most security information borders on extortion. There isn't any other industry where fat nerds try to strongarm large corporations into admitting there are weaknesses in their products, defaming them publicly, causing their stock prices to fall, or otherwise damaging their public image and thus causing financial damage, et cetera.

Gadi, I doubt your people would be thrilled if you tried to petition Yahweh with complaints regarding His children being vulnerable to pieces of metal fired at high velocity from guns, and demanding that if things aren't fixed within what you consider a satisfactory timeframe (which, in the end, is just some arbitrary number invented by people with no concept of industry and economics) that you will arm every man, woman, child, and lizard of bordering Arabic nations to Israel in order to teach that big guy up in the sky a lesson about not making humans impervious to gunfire!

Come on man! You're smarter than this! When socially inept people who possess only rudimentary computer skills start bullying (call it what you will; in the end, if you argue against my points you clearly are one of those people who can't make it in the real world) corporations for fame and money, which have real-world financial consequences to said corporate entities, you are at the least committing extortion. And while you might think these efforts are noble, the reality of the situation is simple - this is absolutely no different than a bunch of Russians with botnets, forcing businesses to comply with their demands if that business wishes to continue existing on the Internet.

When was the last time an auto manufacturer was humiliated publicly because their car windows can easily be broken and the contents of the car stolen? When have chain manufacturers been chastised by the mass media for the existence of bolt cutters? What about the serious threat of hacksaws?

People, grow up. If your life is spent behind a computer discovering uninteresting oversights in software design, where you clearly lack experience and ability, and proclaiming yourself the #chatzone badass and drooling saying "I'm the best evah!!!" doesn't make you important. The sad state of this industry is that there are enough ignorant people that find it impressive, and who don't understand the ramifications of their publicity whoring and the obvious parallels to other industries.

The long and short of it is:
If you want to act like a criminal, be prepared to be treated like a criminal, and don't cry about the choices you've made in life. You aren't a fucking martyr when your motivations and cause are only self-promoting and otherwise selfish.

Always remember the embarrassment to hackers, humans, and Hebrews everywhere that is Kevin Mitnick.

--
Dr. Neal Krawetz, PhD
http://www.hackerfactor.com/blog/

On Tue, 17 Apr 2007 19:30:54 -0400 Gadi Evron <[EMAIL PROTECTED]> wrote:
>http://www.theregister.com/2007/04/17/hackers_service_terminated/
>
>"A 21-year-old college student in London had his internet service
>terminated and was threatened with legal action after publishing
>details of a critical vulnerability that can compromise the security of
>the ISP's subscribers."
>
>I happen to know the guy, and I am saddened by this.
>
> Gadi.