[96189] in North American Network Operators' Group
Re: UK ISP threatens security researcher
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sat Apr 21 15:07:00 2007
In-Reply-To: <Pine.LNX.4.44.0704201025540.22917-100000@bawx.pilosoft.com>
Cc: Gadi Evron <ge@linuxbox.org>,
Simon Lyall <simon@darkmere.gen.nz>, <nanog@merit.edu>
From: Owen DeLong <owen@delong.com>
Date: Sat, 21 Apr 2007 12:02:45 -0700
To: alex@pilosoft.com
Errors-To: owner-nanog@merit.edu
> I think if you are referring to "public disclosure", yes, I think there's
> little point of doing this, unless you are seeking attention. Of course,
> reporting a problem to vendor privately always makes sense.

Public disclosure of the existence of a vulnerability and whatever
information is required to understand it well enough to mitigate
it, resolve it, or work around it is a good and useful thing.

Public disclosure of details of how to exploit the vulnerability
beyond what is required in my previous paragraph is not
useful and is both rude and counterproductive. Generally,
however, I do not think it should be actionable or criminal.

If you leave your front door unlocked, that's dumb. If I tell you
that you left your front door unlocked, that's a good thing.
If I tell your neighbors that you left your front door unlocked,
it's not necessarily helpful, but, it's not illegal, nor should it be.

OTOH, if you buy your lock from LockCo and I discover that
there is a key pattern that will open ALL LockCo locks, then,
it's good if I tell LockCo about that. It's better if I also tell
the public so that people who choose to can either have
their locks repaired or can replace them if they so choose.
If I tell the public the exact key pattern required, that's not
so good, but, it's not illegal and it shouldn't be illegal or
actionable. Now, if I used stolen LockCo engineering
diagrams to identify the key pattern in question, the use
of the stolen diagrams might be actionable and/or criminal.

Owen