Re: Websites vulnerabilities disclosure

[Peer Janssen <peer () baden-online de>]

Raghu Chinthoju wrote:

> I say, "... hey listen! your house entrance door latch isn't strong
> enough.. there are only 4 screws instead 16, which is the practice..
> you have a risk of some one easily barging into your house ...". For
> some reason you don't respond.. I publish it in the local news paper
> that ".. Mr. X's door latch is week and any one can break it easily
> ..." Do you think it is ethical??? I seriously think not.
>  
Isn't it more like saying publicly: All those who have a lock of the 
type "X" have a lock which only has 4 screws instead of 16. So that 
everybody could check.

But then, what could they do? Maybe not everybody is reading the paper 
or has the means to change one's lock.

Some may try to sue the lock vendor, but did he have the means to do 
better? Analysing all this may complicate things even further. (And 
then: What could would come out of it? Attempting to change all these 
locks might bankrupt the vendor, create more unemployed, etc.)

It's not easy to solve all this without leaving one's humanity.
I guess the only lasting solution is to generally strive to aquire more 
(human and material) quality.

I also suppose that the recommandation of the Gospel applies here: 
First, talk to the people (customers, vendors, crackers) directly and 
privately, if they won't listen, take some people with you to talk to 
them, if they still don't listen tell the whole community that they do 
the bad things they do.

> More over, going by my personal experience, I think 5 out of 10
> websites[1] would be vulnerable to some kind of security issue, like
> running vulnerable versions of the web server, improper input
> validation etc, which are just specific them and their clients. Would
> would be the interest of general public on such issues?
Probably that people will have more incentive to care about security and 
their work, and probably that systems which allow easier updates will 
become more widespread.

> I don't think
> any one from those sites would be part of bugtraq or FD as you
> mentioned that they are not vendors. Your publication will only
> increase the magnitude of their risk and doesn't do good to any one.
>  
I appreciate your pragmatic approach.

> If you have time, try to provide them with the required knowledge or
> fix. If you cant, just leave them at their fate and move on..
>
> Raghu
>  
Cheers
Peer

> [1] I dont have any data to support this.. If you dont agree, please
> do so. You have every right to :)
>
>
> On 10/6/05, offtopic <offtopic () mail ru> wrote:
>  
>
> > Hi List.
> > I need your opinion.
> > Recently I found multiply vulnerabilities in several sites. some sites behold to security-related firms but not software vendors. I'm 
> > trying to contact that companies under rfpolicy several times but don't receive any response on receive something like "what 
> > injection your talking about?".
> >
> > I want to know - is it "ethical" to use standard vulnerability disclosure policies to public websites? Which fird-party 
> > can't be user as coordinator, like CERT/CC?
> > Or in other worlds - who should care about Web-sites security?
> > Thank you.
> >
> > (c)oded by offtopic () mail ru
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/