What would you do If you found a security hole/bug/exploit


  1. #1
    Senior Member cwk9's Avatar
    Join Date
    Feb 2002

    Question What would you do If you found a security hole/bug/exploit

    Got this from here: http://news.com.com/2100-1012-948310.html?tag=fd_top

    By Robert Lemos
    Staff Writer, CNET News.com
    August 4, 2002, 12:05 PM PT

    LAS VEGAS--Security researchers and hackers who find vulnerabilities need to realize that discretion is more important than valor, several federal security experts said at the Defcon hacking conference here this weekend.

    Additionally, federal officials also said they would use the government's massive purchasing power to force developers to improve the security of their products.

    While acknowledging that software makers continue to release buggy products, Richard Schaeffer, deputy director of the National Security Agency, stressed that publicizing a vulnerability without warning and before a patch has been created could potentially threaten U.S. computing systems.

    "Responsible disclosure means not letting out information that could do harm to critical systems falling into the wrong hands," he said.

    Schaeffer's comments echoed those of presidential cybersecurity adviser Richard Clarke, who spoke last week at the Black Hat Security Briefings here. Clarke told attendees that finding vulnerabilities in buggy software is important, but properly handling the disclosure is critical.

    As Clarke did, Schaeffer also blasted the software industry for the large number of bugs in their applications. "The quality of the software that we are getting is terrible," he said.

    Marcus Sachs, a member of Clarke's 16-person Office of Cyberspace Security, warned that the government will use its checkbook to ensure software makers improve their products.

    "We, the federal government, have enormous purchasing power," he said. By demanding more secure software, the government can directly affect the quality of product, he added.

    The debate over disclosing vulnerabilities has heated up as software security has become a high priority in government and industry. Security researchers who find vulnerabilities often use the information as a way to embarrass companies and score public relations points for their own firms. Conversely, software makers frequently fail to find or disclose problems in a timely manner.

    Last week, for example, Hewlett-Packard threatened a security researcher with a lawsuit for releasing information about a flaw in Tru64, the company's high-end server software. HP backed off on Friday.

    While he didn't support such tactics, Sachs underscored the seriousness of releasing vulnerability information before a patch has been created.

    "Microsoft is widely used in the critical infrastructure--more than we thought," Sachs said, stressing that publicized flaws that have not been corrected could damage government systems.

    "The time (to deal with this) is now," he said. "We are past the point where we can keep talking about it."
    I think the feds are forgetting that they need Microsoft more than Microsoft needs them. Anyways this got me thinking about how software vulnerabilities should be released. So my question is if you discovered a major security hole how would you release it? Would you even tell anyone at all?

  2. #2
    Senior Member The Old Man's Avatar
    Join Date
    Aug 2001
    Good thread, relevant and timely. To expand on what Richard Clarke (personal advisor to the President on Computer/Internet Security, i believe is pretty close to his title.) actually said, over a period of time in that conversation; (this is not a direct quote, just the basic ideas) "...We need hackers, (yeah, he said that, then he elaborated on the difference in the public's perception of that terminology, going back to the early days when a hacker was a techie who lived, breathed and dreamed programming and wanted to learn and improve...) because the people who develop programs cannot always see all the flaws, in their rush to get a competing program on the market. *HOWEVER*, when a hacker finds a flaw, or a security hole, in a significant program or operating system, the thing s/he needs to do is contact "The Government" (meaning i suppose his office, i never had the problem of trying to figure out exactly which door and "Dear Sir/madam" name would be proper...) and the producer of the software program or hardware, explain the problem and suggest a patch... that's the legal thing to do and it will help us." Also, he spoke to the fact that meant that the "hacker" was working on his own copy of the program on his own machine, not trying to penetrate somebody else's machine to find a hole in their copy of the software.
    Doesn't seem really too hard to understand "their" position, i don't see any black helicopters or knocks in the night ("Knock, knock, don't bother answering, we're already in...") .... or did i miss something between the lines, or doesn't the President's main source on this subject know what the operatives on the street are doing? Beats Me!

  3. #3
    Old Fart
    Join Date
    Jun 2002
    Interesting question. I started a thread earlier today specifically referring to HP....it seems they are now contacting security firms and soliciting info on vulnerabilities. There is a link to the news item in the thread below.

    It isn't paranoia when you KNOW they're out to get you...

  4. #4
    Join Date
    Apr 2002
    It's a very good thread !

    Everyone seems confused with what a hacker is or a security advisor is. From the bottom line, they are exactly the same in the way they work to find security holes but for legal stuff of asking people to get into their system and all...

    Like I've said in another thread, the best security advisors out there would also be the best hackers too... Let's just hope that those guys are on our side.

    A lot of companies now are paying a lot of money to get old hackers to work for them and find the holes in their products. There is no need to be a real hacker anymore, just sell your expertise to companies and become legit !

    As for me, I'd publish it to the manufacturer with all the explanations and still would publish it worldwide without it. If people know that their product has a security hole, then it will give more pressure to the manufacturer to publish a patch for it.

  5. #5
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Flint, MI

    Humm, what could that be? Maybe a policy for full disclosure? hummmm.....could be.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  6. #6
    Join Date
    Apr 2002
    Originally posted here by souleman

    Humm, what could that be? Maybe a policy for full disclosure? hummmm.....could be.
    Great stuff souleman ! Tks ! I think I'm gonna send it to a few of my application developers that I know !
