Slashdot Mirror


Hacker Leaks Unreleased CERT Reports

Call Me Black Cloud writes "A hacker calling himself 'Hack4Life' swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."

10 of 336 comments

  1. Interesting to note... by gnu-sucks · Score: 5, Interesting

    What is interesting to note is that this hacker, or these hackers, as it may be, are /releasing/ the truth.

    Not defacing web sites, hacking student DBs, etc.

    Is truth the new hack of the future?

    1. Re:Interesting to note... by madmarcel · Score: 5, Interesting

      Hmmm...I vaguely remember a hacker releasing blueprints/plans/files for a rocket or some such a while back...

      The idea is not unique, and is to be applauded; consider hacking into CNN's network and releasing what they are NOT showing on TV!

      This could get out of hand though....
      "Truth is a noble cause" -> "HACK THE PLANET!" ;P

  2. Double-edged sword? by Raven42rac · Score: 4, Interesting

    This is both good and bad. Good, in the sense that more people will know about these vulnerabilities. Bad, in the sense that more people will know about these vulnerabilities. In my opinion, the only time security vulnerabilities should be released publicly is when they are fixed. Otherwise, teenage script kiddies worldwide will launch attacks on everything and everyone. It is unreasonable to expect all code to be completely secure; it is just flat out impossible. However, when new vulnerabilities are found, they should only be disclosed to those who have the capacity to fix them, and not to the public, whose only reaction will be panic. Comments?

    --
    I hate sigs.

    1. Re:Double-edged sword? by AlexCV · Score: 5, Interesting

      Maybe so, but a good kick in the ass of the CERT and the vendors can help speed things up. When an advisory has been in the pipe for a while and is only scheduled to be released in 3-4 months, clearly vendors are a bit lenient in fixing their bugs. Next thing you know the CERT cycle will be 12 to 18 months...

  3. I would agree, but... by Sandman1971 · Score: 5, Interesting

    I was somewhat torn on the issue until I read "I'm going to release these at 7pm on Friday, so that sysadmins don't know about this and can't do anything about this til Monday morning" (paraphrased).

    Any inkling of having me agree with posting these advisories just went out the window with this one. He's not trying to help anyone by divulging these, except for maybe script kiddies and crackers. With such a statement it's obvious he's not trying to help vendors release a quicker fix.

    --
    It's better to burn out than to fade away

  4. Re:Hacker Ethics by nomadic · Score: 4, Interesting

    It's a bad thing. I mean, you can justify almost any crime that way ("oh, I was just testing your locks" or "oh, I was just testing police response in this area" or "oh, I was just testing human skin resistance to .38 caliber rounds").

  5. How does CERT secure its servers? by mabhatter654 · Score: 4, Interesting

    If they store unreleased information on non-complete patches, how do they secure their system?

    Moreover, if their vendor doesn't patch their system quickly, how are they ever going to stop this guy if he always knows what's broken next?

    Catch-22 isn't it!

  6. Re:Maybe it's an inside job. by DarwinDan · Score: 3, Interesting

    If CERT is a joke, why does DoD use them as one of their many early-warning "front-line" defenses against viruses and worms? Is something happening here or am I just dreaming? Shouldn't something DoD-level be secure enough from the social engineering perspective to be admired not regretted?

    --
    $DEITY bless $NATION

  7. Re:Maybe it's an inside job. by Anonymous Coward · Score: 3, Interesting

    "If CERT is a joke, why does DoD use them as one of their many early-warning "front-line" defenses against viruses and worms? Is something happening here or am I just dreaming?..."

    Certain organizations do use CERT for front-line information, but not necessarily for the front line you envision. Certain assets (capabilities in this case) diminish in value as knowledge of their existence propagates. The value in CERT is knowing who knows something, since we're often well beyond what someone knows by the time it hits the list...

  8. How do you define when a vulnerability is fixed? by Skapare · Score: 5, Interesting

    How do you define when a vulnerability is fixed, at least for the purpose of determining when to go public with it? Consider a vulnerability in some shared and widely used and distributed library such as OpenSSL or Zlib. Potentially you could say it is fixed as soon as there is a source patch. But that doesn't really make it universally available. Armed with the patch, the vulnerability may well become obvious, yet most systems which are installed and maintained in binary code remain vulnerable. Should things wait until the distributions package the fix? How many have to wait for the others?

    And what if the same vulnerability exists in more than one implementation because of things like code re-use, or a flaw in a protocol that can be dealt with in the code anyway? Suppose OpenBSD fixes theirs in 2 hours and NetBSD fixes theirs in 5 hours and FreeBSD fixes theirs in 9 hours and Slackware fixes theirs in 15 hours and Debian fixes theirs in 24 hours and SuSE fixes theirs in 36 hours and Redhat fixes theirs in 60 hours and Microsoft Windows fixes theirs in 10 days (hypothetical times chosen arbitrarily)? Would it be OK for OpenBSD to go ahead and blast their security mailing list with the fix when it's done? Or should everyone have to wait until the stragglers get their act together?

    IMHO, vulnerabilities should be released as soon as the first vendor has a fix, or after some fixed, determinate time to ensure they don't all get together to hide the problem (not that all of them would, but certain vulnerabilities may only affect a small subset of them, or even just one). Yes, that leaves the systems "supported" by the stragglers unprotected. But that should also help leverage market pressure toward fixing things faster, and designing to avoid them as well.

    --
    now we need to go OSS in diesel cars