Thread: Full Disclosure vs. Closed Disclosure

  1. #1
    Just a Virtualized Geek
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Full Disclosure vs. Closed Disclosure

    Well, sometimes when you hit certain plateaus, you sometimes feel the need to "espouse" something great.

    This won't necessarily be great but *eh*.. it'll do.

    AO has come a long way from when I first joined and lurked. I came here because of "troublesome" students (particularly one brightness who printed out ALL his video pr0n --- I figured he wanted to make a flip book or something... *shrug*). Anyways, since then the direction and feel of the site has changed. Maybe for good, maybe for bad. It has changed however.

    One of the changes that has occurred is the attitude I find that people take towards "hacking" (I'm using the general term rather than what I envision "hacking" to mean -- those that truly understand the system in question, be it an OS, a network, the art of hockey or cycling). I took from this site, and still believe, that to truly understand what goes on as far as malicious attacks, you need to know and understand those attacks. It helps you defend your systems. There shouldn't be a fear of discussing those attacks in these forums (I see too often the whipped out "THIS IS A SECURITY FORUM, YOU MORON!"). The advantage of letting those "morons" talk is that you'll see sometimes what some attackers are doing, even if they are script kiddies. Keep in mind that they will do their illegal activities regardless of the answer they get here. The difference is that you won't know who their target is and won't be able to prevent it from happening (errr.. social engineering anyone?!).

    I choose to have wargames in my classes so that students can explore this safely and legally in an environment without having to go outside and potentially get arrested. Granted I do tend to use a fair amount of ethics and remind them of the legal issues that can happen but at least in this environment they can let out what it is they want. Is this a perfect solution? Naw but it helps. It can get a few over the scriptkiddie stage and that initial "oh look how kewl this is!!!!" giggles that comes with first experiments. It's interesting to see them go beyond that when it comes to security because now they've looked at even the simplistic and start (*GASP*) thinking outside of the standard "security practices" box.

    IMO, if we ignore the activities of even the simplest scriptkiddies we'll end up behind again in our defenses of systems (do a search for University of Berkeley and Nipissing University for recent examples). We will ignore the simple while looking for finesse. We'll never find the finesse, however, if we don't see the basics (mostly because it'll stand out in stark contrast). In essence we do need the Full Disclosure option to be here. I joined the FD list so that I could see more of what goes on and have a better heads up than what the SecurityFocus lists (BugTraq in particular) provide. I find that BT tends to be behind somewhat and censors out too much. Symantec may believe, much like MS, that "exploits are only created after patches are released" but I believe that's too risky of a view to have. I'd rather have everyone know about a problem and even put in a "Bandage" temp solution than no solution. Not that patch systems work either (I'm surprised that more Patch Management companies aren't making killings out there).

    Is having FD a perfect solution? No. It may bring to light to some attackers that a specific hole exists without any fixes (even if we have followed proper bug submittal procedures -- that is, submit it to the software developer and give them 4-6 weeks to fix) but I suspect there are still channels that the "underground" use and they'll find out somehow, wouldn't they? Even with that risk I'd rather have everyone know -- even if it means scriptkiddies will use the POC -- than attempt some half-assed "security through obscurity" by trying to hide it until a patch can be produced.

    Anyways, that's my "great post" for this plateau. Perhaps not so earth shattering but maybe some will consider it when responding to the "how do I ....". Knowledge and information are powerful things. Why are we choosing to ignore them?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    IMO, if we ignore the activities of even the simplest scriptkiddies we'll end up behind again in our defenses of systems
    Excellent point.

    I have been a lurker here for over a year and I have learned a lot... not only from the "how do I secure my box" posts but also from the "how do I hack" posts as it gives me a heads up on what they are trying to do... and maybe something for me to watch out for on my networks.

    And sometimes if you read the profiles and other posts from the member... you can glean even more.

    Know thy enemy

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Yey!

    That being said, what would Jupiter Media think of this? There might/could be legal repercussions, and is JupMed willing to take that risk? (I was about to link to the 'why I lasted only one year in college' story on JP's homepage, but http://www.antionline.com/jp/ does the four-oh-four).

    I'm agreeing with you, MsM. This site used to have more of those disclosures, before JP announced to go white-hat. Since then users have stopped posting them, and I'm wondering if the users with that knowledge even bother to get on this site anymore. Do you think that the average AO member has that level of knowledge, and would that member be willing to share that, on a public board?
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  4. #4
    I fully support FD here and most other places, for that matter. At the root of it, security is what this site is about. Yes, we can find information elsewhere regarding the latest vulnerabilities, how to exploit, how to prevent, etc., but what's the problem with having all of that information here at AO? Why not open it up and discuss it all here - heck, it may save me some time from visiting other sites when looking for some information that isn't normally posted here...

    Keep in mind that they will do their illegal activities regardless of the answer they get here.
    This statement from MsM is very true - regardless of whether some of this information is available at AO or elsewhere, it will be found by those who are looking. Why not get it out in the open and let's all deal with it as a community.

    If we're taking votes, add one for FD - I'm in...
    - Maverick

  5. #5
    Just a Virtualized Geek
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    There might/could be legal repercussions, and is JupMed willing to take that risk?
    How? If I post a POC and you use it, nowhere have I suggested that you use it. It's the transmission of information. Granted there is a fine line and a lot of it gets down to how you word things.

    Case in point: someone comes along and says "How do I hack x-y-x?". If you said "Well, you take a pick axe, angle it at 45 degrees and swing with enough force, repeating many times", then it could be construed that you are encouraging them to do so. However, if you added a tag line or comment to the effect of "While it is illegal to chop down Redwood forests, if you are doing this in your farm's forest it would look like this....".

    The Legal Notices seem to be a general CYA type policy. And looking at them, they don't explicitly say you can't talk about this. Keep in mind, understanding this is part of securing an environment (e.g., if I don't understand that thieves might use ladders, then how would I know a removable ceiling tile is a risk/vulnerability?). Hence, these discussions (those on the how to do xyz) do have their place here. Maybe it's just me.

    I will note that I'm not a legal beagle so my comments above are my interpretations. If you or JUPM interpret it differently I will not be held responsible.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    I do feel that Full Disclosure would be very useful as far as AO is concerned, but if and only if the post merits an answer. An example of a good post would be something like,

    I read on bugtraq that there are exploits out there that exploit new JPEG vulnerabilities in Microsoft products. Anyone know where I can get further information on this preferably with source code? Also, what is a good way to stop these exploits from happening short of blocking access to all jpeg files on my network?

    Cheers,
    cgkanchi
    (This post doesn't exist and I don't know if new JPEG vulnerabilities do. This is just hypothetical.)
    A post like that definitely merits full disclosure.

    On the other hand, a post such as
    I want to take control of my girlfriend's computer since I feel that she's having an affair. Anyone know any good trojans and where to get them?

    Cheers,
    cgkanchi
    This post, I feel, does NOT merit FD. Just my opinion.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  7. #7
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    In comparison with me, you're a legal wizard. In any case, I'm pretty sure that the people at Juped have given this some thought at the time they were deciding whether or not to take over this site.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  8. #8
    Just a Virtualized Geek
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    cg,

    The problem I've been seeing is that even your first example is being trashed (mostly because the line "Also, what is a good way to stop these exploits from happening short of blocking access to all jpeg files on my network?" isn't being included I suspect). As I've mentioned here and elsewhere, it is all how it's worded. We tend to get rather paranoid about the questions when people are asking about exploit/POC stuff.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    I think that FD is a good idea for all the forums in AO, even though I am one of the first people to shut someone down asking for "black hat" information (Yup, I have even used the term Moron!).
    My general feeling is that 1) the scriptkiddies are asking elsewhere, but at least here we know what they are asking about, therefore can look over whatever direction they are working in, 2) the people who know enough to give a useful reply on the issue are also smart enough not to encourage outright illegal behavior, and 3) we as a group can possibly redirect some of the posters to more constructive paths. For example, if someone posts "How do I hack my bank" we can suggest that in doing so, it is illegal and pretty easy to get caught, and maybe suggest a way of looking into the poster's own system on how he/she might be tracked.

    One of the things with 99% of the people out there asking for exploit information is that they are looking for shortcuts; they really do NOT want to put the work in to construct an exploit, but want to be told how to do it step by step, and they really have no idea of the process behind it. In reality, they pose little threat to an informed admin, or a secure server. Because when the exploit doesn't work, they don't have a clue as to why. As an Admin, if I see step by step instructions on how to break into my system, I also see step by step instructions on how to prevent it.

    It is the 1% that AREN'T posting questions, that DO understand the process, that we NEVER hear from that scare me. It isn't likely that they will need to post a HOWTO question, they already know.

    FD all in all opens AO up a bit to outside criticism about hacking (the bad version) but for the members I think it would improve the overall information, giving Admins a view of BOTH sides of the security coin. And I do not think that it will encourage someone to pursue activities they wouldn't already be doing.

    Cheers!
    MrCoffee
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkies: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  10. #10
    Originally posted here by MrCoffee
    It is the 1% that AREN'T posting questions, that DO understand the process, that we NEVER hear from that scare me. It isn't likely that they will need to post a HOWTO question, they already know.

    This is very true, but let's face it, they aren't here on AO because this is their only source of this kind of information - if they want it, they will get it, whether it's here or elsewhere - there's no way to prevent that information from getting to those guys... Not disclosing that information on AO doesn't stop them in the least...

    Most of us here have our places that we go to find information like this, no need to start naming off sites or anything - I say open 'er up and let's all learn and discuss as a community.
    - Maverick
