On 3/23/2011 12:54 PM, Luigi Auriemma wrote:
>> I fundamentally disagree with the idea that public disclosure
>> as a means of vendor notification serves any purpose
> so now the question is, why don't all these "good guys" spend their
> personal time and skills to find these vulnerabilities and report
> them to the vendors before me?
>
> the answer is that usually such people don't have the skills or simply
> don't like the idea of doing professional work completely for free and
> even with the obligation of doing everything the vendor wants before
> the release of the patch, which can take months or even years...
> practically a slave.
>

You stated: "usually such people don't have the skills"

Humor me and others on this list, why don't you... Reported to CERT two days ago:

Vulnerability Report
Vulnerability Description
Over 300 ActiveX based vulnerabilities have been discovered on multiple VMWare Server applications. Vulnerabilities range from denial of service attacks to full control of EIP, which can lead to code execution
Vulnerability Impact
Attacker can trigger code execution
Date
2011-03-21T11:53:40

I contacted CERT after getting a slight run-around from the vendor, yet I could have turned around and unloaded this information anywhere. The reality is, what point would it prove? This does not include the fact that I'm sitting on vulnerabilities for SAP, IBM, CA, even Siemens by way of Stuxnet analysis. There are others that I've reported, and others I haven't had time for or chose not to, and I'm sure there are plenty of security researchers, hackers, attackers, etc. who do the same.

Sure, I understand where the argument comes from: "they can take months or even years", but the reality is, SCADA is "hip" right now, so this comes across as nothing more than juvenile idiocy to release SCADA based bugs. "Look at me, I has SCADA!" You assume that every vendor is similar to the irresponsible vendors who do take forever to respond. To that I refer back to the car analogy.

You did nothing to give anyone an iota of an idea there was/is an issue. Bravo. Personally, I am torn between full, responsible and even "no more free bugs" types of disclosure; however, common sense dictates that playing with SCADA right about now is like playing with fire. We're not talking about a system blue screen or website graffiti as the outcome. "Look at me, I reverse shelled MS08067." With SCADA based systems, we are potentially dealing with the risks of physical harm to individuals via those systems. Did this cross your mind as being "responsible", or would you rather jump out in the public with the following: "Look, I have a gun... See, I just shot someone, you can too, all you have to do is the following"? What you did was nothing more than that. "Look, I have SCADA bugs, SCADA systems can be dangerous and kill you. Here, here is the bug to trigger potential damage. Thank you sincerely, Luigi."

> now that the users of the vulnerable products are aware of the
> vulnerabilities they can verify if their network is really safe like it
> should be in any case and in the meantime they will wait for the patches of
> the vendors.
>

How about we reflect reality? "Now that millions of script kiddies, organized crime groups, need I mention the *t* word here, also have this information. Now anyone can custom target these vulnerable products. It's ok because many SCADA systems engineers are not coders and many are incapable of making a patch on their own, but hey, what the hell!!! I has lots of bugs"

Systems that otherwise could have been secured, had you taken the time to be responsible and/or mindful, maybe even clueful, are now at a greater risk. What did you accomplish? SCADA vulnerabilities are no big mystery, and there are plenty of researchers who do things responsibly and make money at the same time. You could have chosen the ZDI route, which would have yielded you the same credits in the advisory while being paid for your research.

So unless you live under a rock, your argument is sort of moot with regards to: "or do you think that you can contact the vendor asking funds for the research you have already found?"

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF