full-disclosure-uk August 2008 archive

Re: [Full-disclosure] Kaminsky's Law

From: TJ <trejrco_at_nospam>
Date: Wed Aug 06 2008 - 11:56:50 GMT


Again, irony abounds ... pushing for a "Responsible Disclosure Act" on a forum named "Full Disclosure" ... makes me smile. (Not saying either side is right/wrong, just throwing that out there)

Nits:
* Said laws would only apply within a given jurisdiction ... so disclosures would simply come, or appear to come, from outside said jurisdiction.
* Who gets to decide how many machines were compromised? Some sources never divulge, some drastically over-inflate.
* Who defines what "responsible" is? Some argue that telling the vendor as hitting send/post counts, some say 1 week, etc. In some cases, maybe a month isn't enough for patch deployment ... is that still "responsible"?
* I think the "big guys" you reference could come up with answers, but prefer things the way they are now ... just supposition on my part there ... and given the govt's previous track record of "cyber" issues, let's pause and reflect if we want them trying again.

/TJ

>> ----- Original Message -----
>> From: "n3td3v" <xploitable@gmail.com>
>> To: <full-disclosure@lists.grok.org.uk>
>> Sent: Friday, July 25, 2008 6:56 AM
>> Subject: [Full-disclosure] Kaminsky's Law
>>
>>
>>> So what you're saying is HD Moore and |)ruid are exploiting a
>>> loophole in the law to do what they do... looks like we need to get the
>>> law tightened.
>>>
>>> I say a "Responsible Disclosure Act" is drawn up, and anyone who
>>> breaks it goes to jail.
>>>
>>> That will mean:
>>>
>>> - People will think twice before hitting send on blog entries,
>>>
>>> - People will think twice about releasing code early,
>>>
>>> - That the decided time line for disclosure can be enforced,
>>>
>>> - That the people who release information and/or code early, they get
>>> fined for every computer system compromised because of the
>>> vulnerability information and/or code disclosure, on top of the jail
>>> sentence.
>>>
>>> So instead for the future it's not just a verbal contract for
>>> responsible disclosure, it's a legally binding contract as well,
>>> meaning if the Responsible Disclosure Act has been signed by the
>>> security researcher and its affected vendors, then ass hats like HD
>>> Moore and |)ruid are breaking the law.
>>>
>>> The details are a bit fuzzy right now, but i'm sure the big guys in
>>> the industry can draw up proper rules for a Responsible Disclosure
>>> Act.
>>>
>>> It's likely the Responsible Disclosure Act would only be used in
>>> exceptional circumstances like this DNS caching vulnerability, and
>>> the approval of the act per vulnerability case has to be decided on
>>> by a judge in a court of law, so that the Responsible Disclosure Act
>>> can't be over used and abused, to keep the use of the act fair and
>>> proportional in relation to the level of the threat.
>>>
>>> That means, Full-Disclosure of vulnerability information and/or
>>> wouldn't be illegal all the time, just in exceptional circumstances
>>> that has to be OK'd by a judge.
>>>
>>> This safe guards the deployment of a patch or patches while telling
>>> what the importance of patching is to the public, while disallowing
>>> security researchers to release information and/or code before the
>>> time line for responsible disclosure.
>>>
>>> So the scenario would be,
>>>
>>> jake: hey did you hear about the patches being deployed and the news
>>> reports about the flaw and why the patch is critical?
>>>
>>> joe: yes, but the responsible disclosure act has been signed so we
>>> need to wait until it expires before we can share info.
>>>
>>> jake: no way, what's the assigned disclosure date?
>>>
>>> joe: the standard 4 weeks, although with the responsible disclosure
>>> act, after the 4 weeks, the security researcher and vendors can go
>>> back to the judge to ask for an extra 4 week extension onto that, so
>>> it could be eight weeks bro before we can become famous for five
>>> minutes by releasing attack code.
>>>
>>> jake: ah, sucks for us, but yeah if the judge has approved the
>>> signing there isn't a lot we can do unless we want to be labeled
>>> criminals, and hunted down by interpol.
>>>
>>> What has to be told to the community under the act:
>>>
>>> - The community must be told the Responsible Disclosure Act has been
>>> signed and OK'd by a judge.
>>>
>>> - The community must be told the date the Responsible Disclosure Act
>>> expires and disclosure can be made.
>>>
>>> - The community must be told that security researcher and vendor can
>>> go back to the judge after 4 weeks and ask for extension of the act
>>> if extra time is needed, this must be announced to the community
>>> again with notice.
>>>
>>> All members of the community who break the Responsible Disclosure Act
>>> are breaking the law and face charges.
>>>
>>> Obviously this is just an email I rattled up in five minutes during a
>>> water machine break, so the big guys in the industry can take these
>>> ideas and throw them into a properly put together act.
>>>
>>> I think Dan Kaminsky should lobby the industry and the government to
>>> get something like this drawn up, since he is the one who has
>>> inspired me to come up with the Responsible Disclosure Act.
>>>
>>> I kind of feel sorry for Dan Kaminsky, and that HD Moore and |)ruid
>>> had to be dick heads about releasing code on purpose against his
>>> request of Dan Kaminsky, the vendors and people who agree with
>>> responsible disclosure, especially in exceptional circumstances like
>>> the DNS flaw.
>>>
>>> Maybe we should name it "Kaminsky's Law" out of solidarity for Dan.
>>>
>>> All the best,
>>>
>>> n3td3v
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: <Valdis.Kletnieks@vt.edu>
>>> Date: Thu, Jul 24, 2008 at 5:56 PM
>>> Subject: Re: [Full-disclosure] Comments on: DNS exploit code is in
>>> the wild
>>> To: n3td3v <xploitable@gmail.com>
>>> Cc: full-disclosure@lists.grok.org.uk
>>>
>>>
>>> On Thu, 24 Jul 2008 16:17:08 BST, n3td3v said:
>>>
>>>> This whole HD Moore savior of info sec thing has gone on long
>>>> enough, it's time to see him for what he is and get him slammed up in
>>>> jail along with his counterpart |)ruid.
>>>
>>> I'll point out that you happen to live in the country that invented
>>> the concept of "habeas corpus". In other words, you can't slam him in
>>> jail unless you actually *charge* him with something.
>>>
>>> Please tell us which countr(y|ies) you intend to have him charged,
>>> and what offense. Specific references to statutes would be
>>> appreciated (for starters, I'll help you out and point out that in
>>> the US, he probably could *not* be charged under 17 USC 1201 (the
>>> DMCA anti-circumvention clause), nor under 18 USC 1030 (the primary
>>> federal anti-hacking statute), unless you have actual evidence that HD
>>> personally hacked into a computer covered by 18 USC 1030. You run into
>>> a similar issue with 18 USC 2701 (access to stored communication).
>>>
>>> You *might* be able to make a case under 18 USC 2512 (dealing in
>>> devices for intercepting communications), except that there's the
>>> nasty clause "knowing or having reason to know that the design of
>>> such device renders it primarily useful for the purpose of the
>>> surreptitious interception of wire, oral, or electronic
>>> communications;" - and you'd fail on the "primarily" because there's
>>> lots of *other* uses for Metasploit.
>>>
>>> He *is* probably in violation of 36 USC 117, 7 USC 411b, and 26 USC
>>> 7523(a)(1), however.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>