Full Disclosure mailing list archives

Re: Valid disclosure analogy


From: full-disclosure () lists netsys com (Defender Defender)
Date: Mon, 26 Aug 2002 14:41:47 +0000


If I find a flaw in a bank's security system, I might not be the one
who will be able to exploit it. Furthermore, some bank accounts may
only be accessible with specific credentials required by someone
working in the bank, which will be exactly the same as the situation
of a 'closed network' you were presenting.

how many 'closed networks' are out there? would your ability to break
into one of them give you any info on all the others? would the ability
to break into bank 'A' give you eventually all info about the accounts
in bank 'A'? while the former is a definitive 'no', the latter is a
'maybe'. ie. the analogy is wrong.

And how does this difference make the analogy no good?

You could also mention that software has no walls,
or that banks must be broken into locally, unlike software,
etc.

Not all differences of situation break an analogy, otherwise analogy would 
be equality. Analogies link situations that share common elements that are 
relevant to an argument. In this case, it's the fact that disclosing the 
vulnerability puts other clients at risk. Nothing more, nothing less.

Now you tell me, how could the difference you explained above break the 
analogy? As I told you, even if a single person could only attack 10% of the 
bank accounts, that is not the point. The other 90% could also be exposed 
to other people. The risk is there, and it is the very reason why people 
disclose the vulnerability, thus you cannot deny its presence.

This is what the analogy is about - disclosure and the variation of risk. 
Please stand by that.


if it's *your* guess, why do you extend it to *me*? and if you read my
words again, you'll see the examples of blackhats/hackers/whatever who
are not criminals - you guessed wrong. and there are pentesters who are
blackhats, whatever you want to mean by those words. nowhere did i
generalize to 'all' however, which you want to make it appear.

Sorry then, the general understanding is that blackhats are criminals. You 
probably are the only one to consider that pentesters are blackhats.


Man, are you for real?

i take it you failed to establish the analogy then.

Absolutely not. Banks have the entire right to show you their security 
measures. In fact, for specific clients ($$$$$), they do.
You seem to enjoy using bullshit arguments, don't you?

you never worked for a bank, apparently, there's not much to argue about
that.

Please show me the regulations that *force* them to do that.
If you get to show me that such regulations exist in countries like the US, 
I will be willing to substitute "bank" for any other provider of a service or 
product that would be exposed to a threat upon the disclosure of one of its 
vulnerabilities.


You used it? You trust it? I guessed so.

yes on both accounts. guess that's not what you expected. and in any
case, the point was to prove your saying "As for making a binary patch,
I have yet to see any poster on this mailing list do it ;)" wrong, which
i did.

You cannot ask a majority of people to trust binary patches coming from 
untrusted sources (e.g. not the vendor). If you are dumb enough to run a 
binary that patches your server without an exact understanding of what it does 
(e.g. without having assembly skills, which most admins do not have), then 
there's nothing more I can say.

As for what I said ("any poster on this mailing list"), I hoped you would 
have understood it is a way of saying it is far from being common 
behavior, which I also explained previously. Obviously, you prefer to fight 
on words rather than to fight on ideas.

And wasn't that guy from bugtraq anyway? (I used the words "from this mailing 
list".) If I wanted to defend my words, that would be the exact kind of 
shitty argument I would use. But that would be as irrelevant as your fight 
to prove that exceptions to my words exist.


Therefore, this ability you have of fixing things is irrelevant, and not 
even used by bugtraq posters.

wrong of course. and unless you've asked every single bugtraq poster
(did you mean reader btw?), you couldn't possibly know anyway - yet
another unfounded generalization from you.

No, I meant poster. As in "posters don't provide binary patches when 
disclosing bugs in commercial software".

Generalized? As I said, you demonstrate a fact based on one post, which 
obviously was an exception. Maybe *you* are the one who generalizes. The ability 
to patch is useless if people don't use it.

I say again, people disclose vulnerabilities in commercial software in order 
to force the vendor to fix.


People want to disclose, thats all.

wrong. people want to help.

If they wanted to 'help', they would make use of this ability to produce 
binary patches that you mentioned previously.

And please don't tell me about the IMail case again. Conclusions are not 
built from exceptions.

not all, not all the time of course. which
is quite contradicting your generalization of the above (don't come
back saying you didn't generalize, you said "that's all").

God, where do you come from? 'That's all' is an expression. Maybe you'll also 
say my analogy is no good because, unlike what I say ("that's all"), not all 
people disclose in order to force the vendor to fix?


And? Why do you say I'm wrong? Where did I say MS is the sole software 
company on the planet or that it's the only one having bugs in its 
software?

you cited MS as the one which "rarely take outsider advice at face
value". and i said MS is not the only software company, i.e. how would
you know what other companies do? obviously you don't.

Even if another company were more willing to take an outsider's advice, the 
analogy demonstrated the similarity with situations where the vendor *does 
not* take it, thus triggering disclosure by the one who discovers the 
vulnerability.

If you consider that the vendor does take your advice into account, then the 
analogy is not even to be considered anymore. The disclosure problem does 
not even arise, in fact.

I don't "promote myself".

sure thing. and is your opinion on things not part of 'yourself' either?

No. That's the very idea of arguing.


i said it already, you had never worked for a bank. you have no idea how
one works. and apparently you didn't call. what a pity.


You pretend that if I am aware of a way to breach the bank from the 
outside, they are forced to put me on a blacklist and never hire me for 
their security? Also a regulation of yours?

I'd like you to show me proof of that, as for the other regulation 
regarding them not having the right to provide proof of their security.

Also keep in mind that me telling you to send them your resume was sarcasm, 
in the first place. But I'm still interested in those regulations you tell me 
about.

God, you really thought I was saying 'any' literally?

appeared so. a-n-y. when read it looks like 'any', quite literally.

I say again, you build your arguments on exceptions. Saying that no bugtraq 
poster provides binary patches is quite obviously a way of saying that it is 
not common behavior (one out of a few thousand is quite far from common to 
me). Exceptions can always exist, if not in the past then in the future, and 
I am very well aware of that. You don't have to provide me with a link to 
some bugtraq post that contains a binary patch in order to prove to me that my 
"any" does not stand anymore.

And you dont have to smile/be proud about it either. It is not worth it.


I meant bugtraqers (yes, that basically means more than one) disclose bugs 
in commercial software with the intent of forcing the vendors to fix 
them. It is not common behavior to give a patch for commercial software.

i'm sure there was more than one occasion when patches like that got
published. besides in the given context 'any' means 'any one of them';
language is apparently not your best skill. and you might even be right
about the intents of bugtraq posters and how commonly they actually fix
stuff, however that has nothing to do with your (failed) attempts at
generalization all the time.

When I discuss general intent, I do not do it based on exceptional cases, 
and therefore I do not take the care of mentioning "probably" every time I 
talk of it.

If we always had to consider the one-out-of-a-thousand exception, "generally" 
and "probably" would (PROBABLY) fill our affirmations.


If you don't then it won't be your responsibility, and I won't beat the shit 
out of your fucking skull.

that is, you're ok with people keeping bugs to themselves and as a side
effect causing you damage?

You keep them responsible for the damage caused? Hell, we must all be 
criminals then.

That is the very distinction between disclosing and not disclosing: assuming 
responsibility. Shutting up on something that could cause more trouble if 
disclosed than if kept secret does not make you responsible for its 
exploitation, if it ever happens.


You also say you do not have the authority to switch the managers of the 
company assets. That kinda conflicts, don't you think?

no, it's a different example. as much as you adapt yours 'runtime',
allow me to do the same, will you?

Well sorry, but the example I was replying to is the one where you did not 
have authority to switch managers of the company assets. Of course if you 
reverse that fact (take the opposite position), my arguments don't stand 
anymore.

As for me adapting my examples at runtime, it has never yet proved you right on 
the invalidity of my analogy. It just gives you the satisfaction of me using 
more precise words to include potential exceptions, which obviously does not 
prove you right.


Where do you see "all"?

at several places. "autohack all openssh" or "the bug was (somehow)
reproduced in all the copies". are you still claiming that "I did not
say all were compromised." ? if you're so proud of your apparently
higher intelligence, then why don't you admit that your argument above
has failed?

Oh God, sorry for not mentioning "accessible". Would that make you any more 
right regarding our main topic? Hell, I don't think so.

But yes, the bug is still in all the copies, which would make them most 
likely vulnerable to someone, somewhere. Which is the reason so many people 
consider it necessary to disclose the vulnerability, which is the context of my 
analogy.

You sure are skilled at taking me by the word, but much less at proving my 
analogy wrong.


mass-own implies "massively owned", not "all owned". It has nothing to do 
with actual actions or not, just the fact that them not all being owned is 
irrelevant.

so "autohack all openssh" doesn't imply "all owned", let alone action.
ok. you got a weird interpretation of words, but what the heck, if you
say that shall save your argument, so be it. the rest of us know it
better regardless of how you tweak it ;-).

As I said previously, them being all owned or not is irrelevant.
Please do not waste my time on trying to fight on words in order to save 
yourself from fighting on the topic of the discussion.


As a matter of fact, all frenchies in the field that are not blackhats do 
speak shit English and lack intelligence.

why would being a french blackhat enhance one's language skills and
intelligence? or does it go the other way? every intelligent english
speaking french is by extension a blackhat? either way, you have a hard
case to defend ;-).


No, it's only that all French whitehats in the field are stupid people. 
Simple fact, not necessarily linked with the fact that they are French, it's only the 
way it is...





