RFPolicy

from Wikipedia, the free encyclopedia

The RFPolicy describes a procedure for making vendors aware of security vulnerabilities found in their software. It was originally written by the hacker and IT security consultant Rain Forest Puppy.

The procedure gives the vendor five working days to respond to the report. If the vendor does not contact the reporter within this time, the findings should be published. The reporter should help the vendor reproduce the vulnerability and provide a bug fix. If the vendor gives valid reasons why the problem cannot yet be resolved, publication should be delayed.

When closing the vulnerability, the vendor should give appropriate credit for the report or the bug fix.

The targeted exploitation of a discovered security hole by criminal means is called an exploit. As long as there is no bug fix or countermeasure, it is a "zero-day exploit".

So-called white hat hackers use the RFPolicy (or a similar policy) because they want to improve computer security. Black hat hackers, on the other hand, plan the most effective exploit possible after discovering a security hole.

Reasons against the RFPolicy

On the one hand, the subjective motives of individual hackers argue against reporting a vulnerability in accordance with the RFPolicy. These include, for example, the pursuit of attention, blackmail, espionage, sabotage, proof of concept, or the profitable sale of knowledge about the exploit.

On the other hand, there are political reasons on the part of state institutions. Intelligence services use exploits for reconnaissance or sabotage (see cyber war).

State intelligence services use their knowledge of security vulnerabilities specifically for their own work and usually do not report them to the vendors. It is now considered certain that US intelligence agencies, in collaboration with Israeli agents, developed Stuxnet, a combination of worm and rootkit. The program exploits numerous security holes in various systems, both directly and indirectly.

In 2017, the WannaCry ransomware worm exploited a bug in Windows operating systems. This bug had been known to an American intelligence agency for years, but was probably kept secret for its own use. Due to an information leak, details were eventually revealed, and Microsoft was notified. The security updates were not rolled out fast enough, and WannaCry infected an estimated 230,000 computers. As a result, Microsoft's president and chief legal officer, Brad Smith, criticized the NSA and the CIA, saying that intelligence agencies need to be aware of the harm to civilians that can result from stockpiling and exploiting such software vulnerabilities: "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world."
