|
Full Disclosure
mailing list archives
Re: No Subject (re: openssh exploit code?)
From: mitch_hurrison () ziplip com
Date: Tue, 21 Oct 2003 11:17:11 -0700 (PDT)
Hi Jason,
First of all, thanks for taking the time to write a well thought
out response to my views and my statements.
Now let's get to it.
That having been said, your conclusions are wrong. In part this
is caused by a simple slip of logic and perhaps a flawed
understanding of statistics.
Slip of moral, perhaps. Slip of logic? No. I contend that
it is neither my obligation nor my duty to share my findings
with the public in general. Allthough I can appreciate your
views on being, in essence, the heroic whistleblower I believe
that information is not a public commodity. I realise this
is an unpopular view, but I also feel this is a view more
in line with our times. I am not anyone's saviour, nor
do I wish to be.
... <snip> ...
We also know that it doesn't happen in practice, despite
your fear that it will and the exploit will be to blame.
Are we simply *lucky* that this has not happened to date
with a widely-successful worm? (recall the many varieties
of virii that do destroy the infected host, but which
do not spread and execute automatically)
You'll have to agree with me that taking the timeline of
the internet as a historical basis for the statistical
analysis of the events you describe is somewhat bogus.
With the unrelentless growth of the internet it becomes
a subject that never has a comparitive state. As such
you get down to a level of comparing apples to pears.
You can't draw any valid definitive conclusions of what
will happen in the future of the internet based on what
has happened in the past. Ergo your argumentation is
fundamentally flawed.
But what you're saying is that you will be one of those
people who come to my house carrying your pitch fork, your
hangman's noose, and your torch, chanting something dreadful
along with the rest of the mob, when the exploit code I
release gets picked up by somebody and incorporated into the
malware that exposes the utterly insane and misguided reliance
upon unprotected, unprotectable software-based programmable
computers throughout the civilized world for elements of
critical infrastructure.
That's a bit of a hyperbole my friend. What I'm saying is I'm
one of those people that will look at that mob, shake his head
and mutter "it didn't have to come to this". Actions have
consequences and just as much you believe I'm responsible for
the results of not blowing the whistle, I believe you're responsible
for the results of blowing the whistle whilst holding up a sign
that says "here's some weaponry you can use to further destabilize
the world".
What you're saying is that you will blame me, not the company
that refused to cut into their profits by installing redundant
failsafes.
What you're saying is that you will convict me and sentence me
because my thoughts, disclosed publicly, were used by somebody
else to create a tool that caused your pretty little house of
cards to collapse around you
What I'm saying is that yes I will blame you. For providing the
murderweapon, I will call you an accomplice to that very murder.
There's an inherit difference between disclosing thoughts and
providing weaponry. And whilst I hesitate to follow you in a rather
irrelevant metaphore, if that house of cards was providing shelter
to alot of people. Then yes, I will hold you responsible and
accountable.
You *should* ... <snip> ...
Here's where you're mistaken. I should do these things based on
your ethics, morals or whatever name you wish to file your
info-sec commandments under. You are assuming I share your
views or atleast should share your views.
Bringing the entire argument down to the level of "I'm right and
you're wrong". I realise when I'm voicing my opinion on the matter
I'm doing the very same thing. But I support this opinion
with sound reasoning. My main point being there is simply no
need for the disclosure of exploits.
This all comes back to the simple viewpoint of not looking at
exploits and the research involved as a public commodity. Your
main grievance is that the information should be accessible? How
is it not accessible. I'm not particularly intelligent nor do
I have special powers that bestow me with super exploit writing
skills. Anyone can do similar research in an independent manner
if they wish to do so. Now you put forward that the uninformed
have a right to know? Bullshit I say. I put to you that the
uninformed have an obligation to get informed. Spoonfeeding people
exploits and research is creating a lax mentality in which
people take exploit research for granted and creativity is
smuthered.
I am not your saviour, I am not your friend, I am not your fucking
exploit writing tool.
With regards,
Mitch
-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: Tuesday, October 21, 2003, 10:25 AM
To: "mitch_hurrison () ziplip com" <mitch_hurrison () ziplip com>
Cc: Paul Schmehl <pauls () utdallas edu>, full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] No Subject (re: openssh exploit code?)
Aloha, Mitch.
Your essay on the immorality of releasing exploit code was very well
thought out, and I commend you for it and for standing up for something
that you believe in -- particularly in a venue that is openly hostile to
your viewpoint.
That having been said, your conclusions are wrong. In part this is
caused by a simple slip of logic and perhaps a flawed understanding of
statistics.
We know beyond much doubt that virtually every computer in existence
today can be owned. We know that worms can spread quickly through
computer networks. We also know that a worm that immediately destroys
its host doesn't get a chance to replicate. We know that worms could be
designed to delay destruction of hosts, essentially dropping a Trojan
with a time bomb inside. We know that the release of exploit code for a
remote exploitable vulnerability in network service code makes it next
to trivial for most script kiddies to tool up precisely this sort of
hybrid attack. We also know that it doesn't happen in practice, despite
your fear that it will and the exploit will be to blame. Are we simply
*lucky* that this has not happened to date with a widely-successful
worm? (recall the many varieties of virii that do destroy the infected
host, but which do not spread and execute automatically)
Perhaps we have been lucky. Perhaps you are correct that we will not
always be so. However, you must reconsider your assessment of the damage
that will be done in the real world when the killer worm Trojan time
bomb does get released because we know from past worms that nowhere near
every vulnerable box gets owned by the beast, and we know that not all
boxes that are thought to be vulnerable actually end up being vulnerable
for one reason or another. A loss, and I mean a complete and
unrecoverable data loss, of 10% to 20% of the world's computers would
just not be a very big deal. Some of the more irresponsible companies
would go out of business, sure. Some people may even die. But people
die. And companies go out of business. Life goes on for everyone else,
and the survivors change and adapt. Damage that could have and should
have been prevented in the first place gets investigated and those
responsible get sued and maybe, if we're lucky just a little more, they
get put in jail for a very long time.
But what you're saying is that you will be one of those people who come
to my house carrying your pitch fork, your hangman's noose, and your
torch, chanting something dreadful along with the rest of the mob, when
the exploit code I release gets picked up by somebody and incorporated
into the malware that exposes the utterly insane and misguided reliance
upon unprotected, unprotectable software-based programmable computers
throughout the civilized world for elements of critical infrastructure.
What you're saying is that you will blame me, not the company that
refused to cut into their profits by installing redundant failsafes.
What you're saying is that you will convict me and sentence me because
my thoughts, disclosed publicly, were used by somebody else to create a
tool that caused your pretty little house of cards to collapse around you.
You *should* blame yourself for building houses of cards and calling
them something that they are not.
You *should* blame yourself for keeping quiet about the true causes of
the problems that lead to vulnerabilities, because you mistakenly and
arrogantly believe that your conclusion is the smarter one that results
in a safer world.
You *should* let go of the burden you feel for keeping the world safe
from all of your hypothetical threats, because it's not your job and it
is misguided to believe that such a thing is even possible with you as a
single point of failure.
You *should* recognize that those elite few who really care about
security can, will, and *do* pull the network cable out of the back of
boxes that are believed to be vulnerable to exploits *when* those
exploits get released. For obvious reasons of practical reality these
same people do not, in general, pull the plug on systems that they
*know* to be vulnerable *until* they see conclusive proof that there is
an immediate risk.
You *should* feel responsible, personally, for every penetration that
occurs that would have been avoided if you had helped to communicate
full disclosure with proof of concept exploit code, since only that
communication has been prove to trigger widespread social response in a
preventative manner. Advisories that attempt to explain complex
hypothetical vulnerabilities and recommend an immediate patch just do
not do the job.
You have an obligation to disclose information in detail that other
people can use to protect themselves immediately. Your failure to
disclose this information makes you nothing less than an accomplice
before the fact to every penetration that occurs in the future when
somebody else finds the hidden secret and exploits it.
I will continue this discussion with you in greater detail if you wish.
There is much need for this conversation to recur, because many people
just like you are still confused about the proper role of an information
security professional in the security process. Many people are also
still confused about the obligations that go along with knowledge,
mistaking those obligations as the same ones that go along with skill
and ability to take decisive action to contain or prevent imminent
damage or risk exposure. Knowledge that other people are at risk must be
disclosed -- and it must be disclosed in full detail and publicly when
there is no other way to communicate with most (if not all) of those
people. This is the inherent value of the Public, and you diminish this
value and reduce its protective power when you presume to know better
than the Public does what it can and can't cope with being told.
Sincerely,
Jason Combs
jasonc () science org
mitch_hurrison () ziplip com wrote:
Hi Paul,
Again, what is it about your personality that makes you incapable
of taking part in an adult discussion of responsible disclosure
issues? Is it that anyone who has a different opinion than yours
is automatically not worth your time? That sounds kind of nazi-like
to me mr. Schmehl.
It's quite saddening to see this list turn into a pack of hungry
saliving fools at even a hint of an exploit for this issue. You
seem to have more of a hardon for the "juarez" than any "kiddie"
I've ever met. Even when trying to debate some of the issues
surrounding the disclosure of such a potentially devastating
exploit all one gets is "yeah, yeah. Now make with the warez".
As far as it being "easy" to exploit. No it isn't. You have to
abuse a lesser issue, a memory leak to be more precise, to get
a heap layout that will allow you to survive the initial memset
without landing in bad memory. Now without going into details
anyone who manages to survive the initial memset should be able
to debug the crash to the point of exploitation. This is managable
on atleast Linux IA32 systems.
Now I'll try and bring my original point forward one last time,
allthough I fear it will just call for more immature commentary
from the likes of Paul Schmehl.
There is no need for anyone to release this exploit. It will change
nothing about the fact that you need to upgrade your daemons. It
will change nothing about the bugdetails already published. There
is no reasoning for it other than "but I want to learn how to do it".
And sorry but that's just not good enough to warrant the mayhem that
will ensue when an exploit like this is released. So if you in
your academic pursuits decide to tackle this problem. By all means
go right ahead. But I think anyone who's discovered the real impact
of this bug will realise that disclosing the exploit to the
general public is highly irresponsible.
Now on a larger scale, I think it's rather foolish to cop an attitude
that assumes anything that doesn't exist in the public eye isn't
possible. It reeks of the same arrogance I'm accused off. Is it
arrogant to step forward to try and explain why noone who managed
to exploit ossh is willing to step forward? Maybe it is.
Fact
remains that exploiting this issue requires creativity beyond
the pre-chewed papers. And that's why you're not seeing the regular
array of mediocre "hackers" producing exploit code. I'd like to
think that anyone who was capable of writing this exploit also
recognises the potential impact of releasing it.
So instead of trying to poke fun at me Paul, why don't you do your
duty as a knight of Full Disclosure and provide the good people
of this list with a definite analysis on the ossh 32k nul heap
munging? (buzzword quota filled).
This is the year 2003. We aren't
the only ones reading these lists people. Do you really want to
be responsible for arming the more hostile elements in the world
with such a tool? I can't stress it enough. Noone should release
this exploit. And to be honoust in this day and age I think anyone
releasing exploits to the general public is losing sight of a
bigger picture that affects us all. Now I'm not talking about
the Nth trivial snosoft local stack overflow "exploit". I'm talking about
the apaches, the openssh's and the ms rpc's. Time and time
again it's become apparent that full disclosure simply does not
function. And allthough I realise that there will always be people
supporting
full disclosure, I think even with the disclosure of vulnerability
information releasing exploits is something that's not justifiable
in any way.
There is simply no need for exploits, especially not one that would
affect people and nations around the globe. You have to look beyond
your own little egocentric world of friendly exploit dev and "but it's fun",
and take a look at the bigger picture.
So to you Paul, and to the rest of this list. I say once again
if you can't write the exploit. You don't..need.. the exploit.
With regards,
Mitch
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 By Date 
By Thread
Current thread:
- RE: No Subject (re: openssh exploit code?), (continued)
|
Intro
