Saturday, February 24, 2007

On Disclosure

Firstly, just so that you understand my bias, my view on this topic is as follows:

  • I don't care how unethical disclosure is; if it interests me, and possibly others, I'll post it.

  • I have no responsibility to give a vendor who has written insecure software time to fix their flaws - they've had time ever since they started writing it.

  • I also have no responsibility to contact them about any issues either.

  • I have no need to justify my position to anyone, and it won't change unless I get paid for it to change.

Anyway; Sid wrote a post on blogs.securiteam.com about how an ISP had backdoored its customers' routers to make administration easier, entitled Accidental backdoor by ISP, which generated a bit of heat from some people, especially Cd-MaN.

He goes on about how Sid's post was unethical because mentioning which ISP it was, which subnet it owned and what the passwords were didn't help anyone other than people who would want to attack the ISP.

Now, arguing in Cd-MaN's own terms, there are people it helps. It helps anyone who wants to do some further investigation of the issue. It helps anyone who has an account with that ISP to secure themselves; I see no reason why it has to be disclosed in such a way that it would reach the majority of affected users. It's not our responsibility to fix other people's mistakes, and it never should be.

It also helps raise awareness of an issue which hasn't had much (if any) air time before. If you read any of the SpeedTouch manuals you will notice that they have a default remote administrator account, which most users never know about. Furthermore, I'm willing to bet that most ISPs who use SpeedTouch routers all have the same remote admin passwords.

And it really doesn't help anyone to say things like the following (http://hype-free.blogspot.com/2007/02/full-disclosure-gone-bad.html):

But this recent post on security team screams of the "I'm 1337, I can use nmap, I rooted 14716 computers" sentiment.

Because all it does is spread FUD. If Cd-MaN had bothered reading the post carefully he would have noticed that all I did was run an nmap scan to determine how many of the hosts in that subnet were running telnet. I think the real number is higher than 14716, though, because my wireless network is dodgy and prone to giving out halfway through something, and considering that the scan took hours (unattended), I wouldn't be surprised if it had missed whole chunks.

Oh and he also says:
How does disclosing this flaw with such detail (like subnet addresses and the ISP name) help anyone? The story would have been just as interesting had he left those details out.

I have no real argument here, but I see nothing interesting in someone posting that some ISP somewhere has used the same remote admin password on all its routers. That's not exactly something we can argue about, though, since it's just like arguing about which TV show is better.

3 comments:

cdman83 said...

I don't care how unethical disclosure is; if it interests me, and possibly others I'll post it.

It is your right to feel this way, but may I remind you that you might be breaking the law (and I say might because IANAL) by doing this.

I have no responsibility to give a vendor who has written insecure software time to fix their flaws - they've had time ever since they started writing it.

I also have no responsibility to contact them about any issues either.

And I never said that you have a responsibility towards the vendor. After all, you are right, they made the product and they are making money out of it. My argument is that you have a responsibility towards the customers of the product. The overwhelming majority of people (like 99% of them) do not have the technical expertise to judge all the merits of a product. In some fields (like security) they have to rely on what the vendor tells them (and this isn't all that different from real life if you think about it: how many people can judge the real merits of a car alarm system, for example?). And more often than not, what the vendor tells them is, to put it gently, overstated. If you have personal feelings against the vendor, that is understandable and justifiable to a certain degree, but do you also want to hurt all its customers?

I have no need to justify my position to anyone, and it won't change unless I get paid for it to change.

It is your right to believe anything you want. It is not your right to do anything you want, because we have some laws (a few international and many national) which were (or at least should have been) created by consensus. You are liable under those laws. Also there is the ethical side of it, but as you made it clear, you don't care much about it...

cdman83 said...

Also, comments on my blog are moderated only to prevent spam. I publish all and every comment which is not spam in a maximum of 48 hours.

kuza55 said...

First of all, the statements at the start of the article were just to put the rest into perspective, rather than what I wanted to discuss.

IANAL either, but AFAIK vulnerability disclosure isn't illegal in any country. Exploiting those vulnerabilities is, but disclosing them isn't. If I'm wrong, I'd love to hear it, because I want to avoid jail as much as the next person.

Now; I don't see why I have a responsibility to customers either. Sure, they have to trust someone other than a vendor; but is there any way to get them to not trust the vendor other than by proving the vendor's claims inaccurate?

And furthermore, I don't know how you can hurt a vendor without hurting its customers; because apart from legal repercussions the only thing which can hurt a business is a loss of business, which isn't going to happen unless customers feel threatened by the issues that the vendor has.

I understand I'm not free to do whatever I want, but I should be free to do whatever I want that is within the law.

Now, given you seem to feel that people should be able to do what they want within the law; why make derogatory (or if not derogatory, at the very least inaccurate) remarks about people, e.g. "But this recent post on security team screams of the I'm 1337, I can use nmap, I rooted 14716 computers sentiment."

But more than that, I'm not quite sure I understand your need to essentially try and browbeat Sid into editing the article (who did so at the request of the ISP, rather than anyone else, but still), who actually has some ethics and does want to make things secure.

And even given the fact that I don't think ethical issues matter, I'm still willing to discuss things as if they do; interesting things can come out.

Also, I realise most systems where comments need moderation exist only to prevent spam; that doesn't mean that all of them do, or that I'm going to trust any of them.