Security vs. obscurity (Was: Re: Regmon(a new puzzle))

Michal Vodicka wrote:

One extreme is to publish a security hole with exploit code (full disclosure)
without previous warning and the other is your standpoint. What would you do
if you knew about a serious security hole and the company simply ignored you?
Remember you may not be the only one who discovered the problem but may be the
only one who decided to warn. The hole can be misused by others in the
meantime.

If serious harm results, the company which simply ignored the warning
had also better hope that plaintiffs don’t discover that a warning was
made. *That* is your leverage, not publicizing the hole. The publication
invites an attack that might not have happened otherwise. As a
plaintiff, I would argue that the volunteer who took it upon himself to
publicize the hole is also liable for the damage, so I’d sue both him
and the company. As a defending company, I’d want that volunteer in
court as a third-party defendant on any of several theories. Any way you
look at it, publicizing a security hole before it’s been well and truly
fixed is risky.

If you’re in the position of someone who has warned a company of a
security hole that’s later exploited, you might consider whether you
want to contact persons who were harmed with a view towards testifying
on their behalf.


Walter Oney
NOTE: Nothing in this message should be construed as legal advice or as
establishing an attorney-client relationship. You should always seek
competent local counsel to help resolve legal issues.

Walter Oney waltoney-at-oneysoft.com |ntdev/1.0-Allow| wrote:

If serious harm results, the company which simply ignored the warning
had also better hope that plaintiffs don’t discover that a warning was
made. *That* is your leverage, not publicizing the hole.

I am not a lawyer, but every MS license I’ve read seemed to say
to me that they take no responsibility for the security or safety
of your data or application of the system. Their damages are
limited to the replacement costs of the product and/or media?

And by the way, exploits of all sorts do get published on CERT.org
pages. Exploits for open source products (sendmail/apache/Linux/etc.)
of course seem to get published much more quickly, though, so if
you are the type that wants peer-reviewed software, that’s what
you use. If you believe that the vendor finds and fixes these things
faster than the black hats, and that public peer review invites
attacks, then you use a closed source product. Pick your poison.

Steve Williams “The woods are lovely, dark and deep.
steve at icarus.com But I have promises to keep,
http://www.icarus.com and lines to code before I sleep,
http://www.picturel.com And lines to code before I sleep.”

Michal Vodicka wrote:

Steve was faster; software licences seem to rule out any possibility of success.
Do you remember any case when an ignorant company had to pay for damages? I
don’t, and it is not because there aren’t ignorant companies and damages
caused by ignorance. On the other hand, I vaguely remember several cases
when publicizing the hole forced a company to make a fix which had been ignored
for months. Maybe making rules and forcing companies to follow them is
arrogant, but if companies made their own rules it would be unnecessary. You can
search the NTBUGTRAQ archives and compare how, for example, MS changed its
policies for handling security problems over the years. Now it is much better,
and I don’t believe it would be without publicizing some holes and exploit
examples.

If there haven’t been any publicly known lawsuits, it may mean (a) there
were suits, but they were settled, (b) there were suits, but you didn’t
hear about them, or (c) there haven’t been any suits. There are other
possibilities too.

Trust me, if a software exploit contributes to a major catastrophe,
anyone who contributed in any way to it is going to be sued and/or
prosecuted for a criminal offense. Because, to the outside world, this
publicity of security flaws in products the economy depends on is going
to look like children playing with matches.


Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Check out our schedule at http://www.oneysoft.com

“Loren Wilton” wrote in message news:xxxxx@ntdev…
>
> Now, MS, SCO, or East Taiwan Engineering aren’t Unisys, and they can and
> doubtless do have different policies. But if I’m running a bank DP center
> and some hacker keeps stealing credit card info with his exploit every day,
> I think I might get a little upset if the company getting hacked didn’t come
> up with at least an acknowledgement of the problem within 2 or 3 weeks.

How about a situation such as the most recent Blaster worm? In that case,
Microsoft found the exploit and made a fix available back in early JULY. It
was inattentive customers who failed to apply the patch and left their
systems vulnerable. (Count me as one of them for a couple of my own
systems :( )

Carl

Michal Vodicka wrote:

Well, I agree publicizing security holes is the last resort. Today, informing
the company is usually enough. However, I have no illusions that it
would be enough without the implicit threat of publicizing.

In that case, if you publicize an exploit based on your own assessment,
and harm results, it would be unwise to enter the country where the harm
occurs and to hope that your country doesn’t have an extradition treaty.


Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Check out our schedule at http://www.oneysoft.com

xxxxx@des.co.uk wrote:

This, and other cases like it may change things…
“The Sad Tale of a Security Whistleblower”
http://www.securityfocus.com/columnists/179

I’m not at all surprised, and I think the prosecution was entirely
warranted. The columnist who’s reporting this is obviously on the
defense side, but I think it’s worthwhile to address this rhetorical
question:

“There is little doubt that what McDanel did was irresponsible and
malicious. But, assuming the vulnerability existed, what were his
alternatives?”

The answer I would give is that his best alternative was to do nothing at
all. What he *did* do was to meddle in a situation that didn’t need
meddling. Had somebody actually exploited the security hole, he could
have had his revenge (or whatever it was he wanted) by phoning the
victims and offering to testify.


Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Check out our schedule at http://www.oneysoft.com

> This, and other cases like it may change things…

“The Sad Tale of a Security Whistleblower”
http://www.securityfocus.com/columnists/179

Yes, this sounds like a bad joke. But what would you expect from a
country where even dogs have lawyers? And where people do believe this
shit?

I cannot stop wondering while reading Walter Oney’s comments on this
topic. I had naively thought that the security through obscurity issue was
solved years ago.

But wait, we’re here in Europe, 100 years after apes! Ah, that must
be it. But well, at least we have electricity here …

(Anyway, I would ask you to go back to technical stuff instead of
talking about nothing - none of the sides can convince the other (as
usual), so why bother?)


Best regards,
Ivona Prenosilova

Walter Oney waltoney-at-oneysoft.com |ntdev/1.0-Allow| wrote:

xxxxx@des.co.uk wrote:

>This, and other cases like it may change things…
>“The Sad Tale of a Security Whistleblower”
>http://www.securityfocus.com/columnists/179

The answer I would give is that his best alternative was to do nothing at
all. What he *did* do was to meddle in a situation that didn’t need
meddling. Had somebody actually exploited the security hole, he could
have had his revenge (or whatever it was he wanted) by phoning the
victims and offering to testify.

Companies use Windows computers to control critical equipment.
(Whether it’s sane or not is a different question.) In those cases,
exploits can kill people. Calling the family of the victims to offer
to testify that you knew of the vulnerability and kept quiet on
purpose might get you in a whole heap of trouble.

Anyhow, the idea of “security by obscurity” as a principal means of
security presupposes that the required knowledge *never* gets out for the
lifetime of the product. The advantage is that undiscovered openings
are never exploited; the disadvantage is that a leak or discovery,
whatever the source, is catastrophic and a widespread burden.

Security by design and peer review does not rely on secrecy, but
does rely on conscientious peers. The disadvantage is that there are
no undiscovered openings, but the advantage is that white hats are
working on the problem too, those who need to know are more likely
to be informed, and presumably the peer review leads to a more
secure product in the first place.

Steve Williams “The woods are lovely, dark and deep.
steve at icarus.com But I have promises to keep,
http://www.icarus.com and lines to code before I sleep,
http://www.picturel.com And lines to code before I sleep.”

Walter has done his job (in the technical area), as have some of the others
(but here the subject is Walter in this note).

His books are already a gold mine to learn from. Here
he is on a different mission, and it might be for good reason.

Some of us might not like this, but with a zero-calorie-burning process I will
close my eyes if I don’t like anyone’s notes or comments.

He is a stalwart in his area, and I really hate to see such a comment.

-prokash


Stephen Williams wrote:

Companies use Windows computers to control critical equipment.
(Whether it’s sane or not is a different question.) In those cases,
exploits can kill people. Calling the family of the victoms to offer
to testify that you knew of the vulnerability and kept quiet on
purpose might get you in a whole heap of trouble.

I think you’ve misunderstood my point of view. I’m assuming that someone
has *already* disclosed the vulnerability to whoever might fix it. I
agree 100% with you that Windows is part of our critical infrastructure,
which is really my whole point: by publicizing a hole before it’s been
plugged, someone might well contribute to loss of life or other
catastrophic injury. The company that learns that its product has a
security hole has its own priorities. It ignores warnings at its peril,
and no additional public pressure is appropriate.

Someone reading this may point out that people like Ralph Nader have had
much to do with correcting safety defects, and that one of their
techniques has been publicity. Rubbing a company’s nose in the fact that
its products are unsafe is very different from announcing to the world
at large how they might be successfully sabotaged.


Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Check out our schedule at http://www.oneysoft.com

I don’t know Walter, I don’t very often find myself at odds with you, but I
think you are 180 degrees out of phase on this one.

I believe the only hope for making NT secure is to get as many people as
possible to report holes and vulnerabilities. And I believe Microsoft has
condoned such behavior. Once a vulnerability is known, it should be
publicized as widely as possible so people can steel themselves against it.
This does mean that Microsoft has to patch very quickly, and people have to
stay sharp and update quickly, but I really don’t see any alternative.

I think throwing this guy in jail for 16 months means that Tornado had
better lawyers than he did, because the technical grounds are weak in the
extreme. I am not clear on how he obtained the customer list, and for that
he could and probably should have been prosecuted, but for letting people know of
a problem he had given his former employer AMPLE opportunity to fix?? That
is a really really bad precedent to set.

Analogy: I know that some car manufacturers’ cars will explode if you use
the cigarette lighter, and I promptly let the manufacturer know. I give the
manufacturer several months to correct the problem. Later I see some couple
at the beach with a brand spanking new car from said manufacturer. I notice
the couple setting out a romantic picnic lunch complete with romantic
candles. I see one of them heading towards the car with one of the
aforementioned romantic candles, but I say and do nothing. BOOM! Death by
cigarette lighter. I’m not culpable in this case?

This guy, while he may have made these customers vulnerable for a time,
actually did them a HUGE favor. How do we know that this vulnerability
wasn’t exploited? We don’t. I bet we can be pretty sure that Tornado fixed
the vulnerability now. I think the law makers are not consulting the
“technology haves” when they write laws, nor judges when they interpret
them. Scary stuff.


Bill McKenzie
Compuware Corporation
Watch your IRPs/IRBs/URBs/SRBs/NDIS pkts with our free WDMSniffer tool:
http://frontline.compuware.com/nashua/patches/utility.htm


Bill McKenzie wrote:

I don’t know Walter, I don’t very often find myself at odds with you, but I
think you are 180 degrees out of phase on this one.

Hmm. I guess that means that the two of us can therefore occupy the same
space simultaneously? But I digress…

I think throwing this guy in jail for 16 months means that Tornado had
better lawyers than he did, because the technical grounds are weak in the
extreme. I am not clear on how he obtained the customer list, and for that
he could and probably should have prosecuted, but for letting people know of
a problem he had given his former employer AMPLE opportunity to fix?? That
is a really really bad precedent to set.

Don’t forget that a criminal prosecution has the government on one side.
Tornado’s lawyers were not in the picture at all, except possibly as
advising management about the implications of complaining to the US
Attorney. This case would have been styled The United States of America
vs. McDanel. That’s us, folks. We decided, through our elected
representatives, to enact a law about computer crime. The people we’ve
hired to enforce our laws decided it fit this situation. And I agree
with them in the abstract.

You can read more about the appeal in this case, including the
defendant’s brief, at
http://cyberlaw.stanford.edu/about/cases/united_states_of_america_.shtml
The recitation of facts in this brief obviously has a defense spin to
it, but it indicates that no harm actually resulted from publication of
the security flaw in this case. Furthermore, the publication was to
potential victims rather than to the world at large. In these
circumstances, were I sitting as a judge on an appellate panel, I might
be inclined to view the defendant’s actions as reckless but not
criminal, or perhaps as constituting an *attempt* to commit the crime.
Maybe someday, in my copious free time, I’ll read the government’s brief
in the case. I confidently expect to find Justice Holmes’ famous quote
about how the First Amendment doesn’t let you shout ‘fire’ in a crowded
theater. No more does it let you show a would-be saboteur where the
button is that will set off the bomb.

Even if McDanel’s actions are ultimately found not to have been
criminal, they were very stupid. Change the facts a little bit, and add
a real attack with real personal injury or great economic harm, and lots
of people would be shouting for blood.

Analogy: I know that some car manufacturers’ cars will explode if you use
the cigarette lighter, and I promptly let the manufacturer know. I give the
manufacturer several months to correct the problem. Later I see some couple
at the beach with a brand spanking new car from said manufacturer. I notice
the couple setting out a romantic picnic lunch complete with romantic
candles. I see one of them heading towards the car with one of the
aforementioned romantic candles, but I say and do nothing. BOOM! Death by
cigarette lighter. I’m not culpable in this case?

Publicizing this safety defect is not the same thing as telling people
how to sabotage cars so that they’ll explode when the cigarette lighter
is used. I applaud whistle blowing in your car analogy.

This guy, while he may have made these customers vulnerable for a time,
actually did them a HUGE favor. How do we know that this vulnerability
wasn’t exploited? We don’t. I bet we can be pretty sure that Tornado fixed
the vulnerability now. I think the law makers are not consulting the
“technology haves” when they write laws, nor judges when they interpret
them. Scary stuff.

And you don’t know that it *was* exploited beforehand, either.
Certainly, it became more likely to be exploited once it was publicized.

I’ll say this again, too. The rest of the world thinks we’re children
playing with matches when they see how cheerily we tell each other how
to hack important systems. Some of you may remember the story of the MIT
student and the guillotine… I found it here:
(http://fr.groups.yahoo.com/group/CongoVista/message/16306?source=1)


Walter Oney
Denizen of Both Worlds
http://www.oneysoft.com
http://www.oneylaw.com

Moreover, if we divide it into two parts –

  1. intention of the act
  2. potential consequences of the act.

One would have a winning chance if both 1) and 2) are in one’s favour.

If the intention is to help, and the potential consequences are very
damaging, one would have a hard time proving the intention. Other cases
follow the same route.

So he would have been a hero if both were in his favor. Hard to prove in other
cases, so he might need extra(s) to help him out of the mess.

-prokash
