Again, irony abounds ... pushing for a "Responsible Disclosure Act" on a forum named "Full Disclosure" ... makes me smile. (Not saying either side is right/wrong, just throwing that out there)
* Said laws would only apply within a given jurisdiction
... so disclosures would simply come, or appear to come, from outside said jurisdiction.
>> ----- Original Message -----
>> From: "n3td3v" <email@example.com>
>> To: <firstname.lastname@example.org>
>> Sent: Friday, July 25, 2008 6:56 AM
>> Subject: [Full-disclosure] Kaminsky's Law
>>> So what you're saying is HD Moore and |)ruid are exploiting a
>>> loophole in the law to do what they do... looks like we need to get
>>> the law tightened.
>>> I say a "Responsible Disclosure Act" is drawn up, and anyone who
>>> breaks it goes to jail.
>>> That will mean:
>>> - People will think twice before hitting send on blog entries,
>>> - People will think twice about releasing code early,
>>> - That the decided time line for disclosure can be enforced,
>>> - That the people who release information and/or code early, they get
>>> fined for every computer system compromised because of the
>>> vulnerability information and/or code disclosure, on top of the jail
>>> So instead for the future it's not just a verbal contract for
>>> responsible disclosure, it's a legally binding contract as well,
>>> meaning if the Responsible Disclosure Act has been signed by the
>>> security researcher and its affected vendors, then ass hats like HD
>>> Moore and |)ruid are breaking the law.
>>> The details are a bit fuzzy right now, but I'm sure the big guys in
>>> the industry can draw up proper rules for a Responsible Disclosure
>>> It's likely the Responsible Disclosure Act would only be used in
>>> exceptional circumstances like this DNS caching vulnerability, and
>>> the approval of the act per vulnerability case has to be decided on
>>> by a judge in a court of law, so that the Responsible Disclosure Act
>>> can't be over used and abused, to keep the use of the act fair and
>>> proportional in relation to the level of the threat.
>>> That means, Full-Disclosure of vulnerability information and/or
>>> wouldn't be illegal all the time, just in exceptional circumstances
>>> that have to be OK'd by a judge.
>>> This safeguards the deployment of a patch or patches while telling
>>> the public what the importance of patching is, while disallowing
>>> security researchers from releasing information and/or code before
>>> the time line for responsible disclosure.
>>> So the scenario would be,
>>> jake: hey did you hear about the patches being deployed and the news
>>> reports about the flaw and why the patch is critical?
>>> joe: yes, but the responsible disclosure act has been signed so we
>>> need to wait until it expires before we can share info.
>>> jake: no way, what's the assigned disclosure date?
>>> joe: the standard 4 weeks, although with the responsible disclosure
>>> act, after the 4 weeks, the security researcher and vendors can go
>>> back to the judge to ask for an extra 4 week extension onto that, so
>>> it could be eight weeks bro before we can become famous for five
>>> minutes by releasing attack code.
>>> jake: ah, sucks for us, but yeah if the judge has approved the
>>> signing there isn't a lot we can do unless we want to be labeled
>>> criminals, and hunted down by Interpol.
>>> What has to be told to the community under the act:
>>> - The community must be told the Responsible Disclosure Act has been
>>> signed and OK'd by a judge.
>>> - The community must be told the date the Responsible Disclosure Act
>>> expires and disclosure can be made.
>>> - The community must be told that the security researcher and vendor
>>> can go back to the judge after 4 weeks and ask for an extension of
>>> the act if extra time is needed; this must be announced to the
>>> community again with notice.
>>> All members of the community who break the Responsible Disclosure Act
>>> are breaking the law and face charges.
>>> Obviously this is just an email I rattled up in five minutes during a
>>> water machine break, so the big guys in the industry can take these
>>> ideas and throw them into a properly put together act.
>>> I think Dan Kaminsky should lobby the industry and the government to
>>> get something like this drawn up, since he is the one who has
>>> inspired me to come up with the Responsible Disclosure Act.
>>> I kind of feel sorry for Dan Kaminsky, and that HD Moore and |)ruid
>>> had to be dick heads about releasing code on purpose against his
>>> request of Dan Kaminsky, the vendors and people who agree with
>>> responsible disclosure, especially in exceptional circumstances like
>>> the DNS flaw.
>>> Maybe we should name it "Kaminsky's Law" out of Solidarity for Dan.
>>> All the best,
>>> ---------- Forwarded message ----------
>>> From: <Valdis.Kletnieks@vt.edu>
>>> Date: Thu, Jul 24, 2008 at 5:56 PM
>>> Subject: Re: [Full-disclosure] Comments on: DNS exploit code is in
>>> the wild
>>> To: n3td3v <email@example.com>
>>> Cc: firstname.lastname@example.org
>>> On Thu, 24 Jul 2008 16:17:08 BST, n3td3v said:
>>>> This whole HD Moore savior of info sec thing has gone on long
>>>> enough, it's time to see him for what he is and get him slammed up
>>>> in jail along with his counterpart |)ruid.
>>> I'll point out that you happen to live in the country that invented
>>> the concept of "habeas corpus". In other words, you can't slam him in
>>> jail unless you actually *charge* him with something.
>>> Please tell us which countr(y|ies) you intend to have him charged,
>>> and what offense. Specific references to statutes would be
>>> appreciated (for starters, I'll help you out and point out that in
>>> the US, he probably could *not* be charged under 17 USC 1201 (the
>>> DMCA anti-circumvention clause), nor under
>>> USC 1030 (the primary federal anti-hacking statute), unless you have
>>> actual evidence that HD personally hacked into a computer covered by
>>> 18 USC 1030.
>>> run into similar issue with 18 USC 2701 (access to stored
>>> You *might* be able to make a case under 18 USC 2512 (dealing in
>>> devices for intercepting communications), except that there's the
>>> nasty clause "knowing or having reason to know that the design of
>>> such device renders it primarily useful for the purpose of the
>>> surreptitious interception of wire, oral, or electronic
>>> communications;" - and you'd fail on the "primarily" because there's
>>> lots of *other* uses for Metasploit.
>>> He *is* probably in violation of 36 USC 117, 7 USC 411b, and 26 USC
>>> 7523(a)(1), however.
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/