Re: [fw-wiz] recent disclosure debates

From: Paul D. Robertson (
Date: 12/16/02

From: "Paul D. Robertson" <>
To: Adam Shostack <>
Date: Mon Dec 16 21:30:01 2002

On Mon, 16 Dec 2002, Adam Shostack wrote:

> Ok, well this is my opinion, and I'll happily sell it to the highest
> bidder. ;)


This'll be the end of it from my end- but I wanted to hit a couple of

> I didn't say that that happened this time, I said that there's a
> flurry of activity as you release, and people make mistakes.

But you're automatically accepting the premise that a public release by
the discoverer at the moment a patch is available is a good thing. If
you're going to start with that premise, then you have to accept that an
incredible number of victims are automatically created- not only when
things go wrong, as they did in this case, but when folks do everything
coordinated well, any major infrastructure issue like this is going to
create victims.

I'm not going to rehash the disclosure debate here- but just understand
that choices like this impact people and more negatively than positively
when it comes to infrastructure like BIND.

Ponder what the negative impact would have been to anyone attacked had ISS
not done a release, but had they let ISC handle the release since they
were cooperating fully according to all sources. In that case, we'd all
be 100% focused on ISC's actions. That'd be a much more fun point to rail

> Regarding your second point, errors are inevitable. We must start

Yes, and when you insist on a coordinated anything, you magnify the chance
of error significantly.

The way they chose to proceed isn't as much of an issue as the fact that
they seemed to violate the disclosure policies they'd agreed to. So,
let's dodge the full/limited disclosure bullet by directing back on that.

> designing systems to be resilient when errors happen, because in the
> real world, errors happen. I don't think it's right to overly blame

Shouldn't that include designing disclosure systems? ;)


> Again, I respectfully disagree. The marketing decision was not what
> put anyone at risk, an error in execution was what put people at
> risk. And yes, ISS ought to do better. They ought to have checklists
> of how to do this stuff, and "check that the patches are available and
> fix the problem" ought to be on that checklist.

You're in a squad that's part of a two squad action- you have to travel
120 km to your objective and engage the enemy. The enemy forces are
balanced such that if your squad alone opens fire, they'll likely be
decimated, but the other squad is more heavily armed- you have two
choices- Plan A is let the heavily armed squad open up first, then for
your squad to provide supporting crossfire, and Plan B is to coordinate
opening fire at 03:00 for your squad and 03:01 for the other squad once
the enemy is engaged. In Plan A, you get a supporting role, and in Plan
B, you get to claim to have initiated the attack.

Which plan do you vote for[1]?

> I'll buy that it's an AND, but I really don't agree that ISS deserves
> to be dragged through the mud. (When I was competing with them, I
> might have said differently ;) The reason I don't think so is ISS is

We do compete with them. Our business model often imposes a less
dangerous disclosure model on our company. You want their vulnerability
code- there's enough partisanship to go around here. I'm not dragging
them through the mud though- I'm pointing out that Russ' article was about
the discord between the disclosure policy they agreed to when joining an
organization and their actions, as well as the inherent instability in
their chosen method of handling such issues. But it's definitely a
marketing issue- our "moral high ground" is that we err on the
side of not causing attacks, even at the risk of losing some of our
market. That's not just a good marketing message, but something that
matches my philosophy about handling vulnerabilities.

I'm going to avoid the twisty maze of disclosure issues entirely and stop

[1] Bzzzt! There's no voting! Fall in! ;)
Paul D. Robertson "My statements in this message are personal opinions
which may have no basis whatsoever in fact."
Director of Risk Assessment
TruSecure Corporation

    ... Squad Goes Crazy Ape Bonkers With His Drill and Press Set ... Squad must stop the plan for the good of mankind and the survival of the human species. ... When Squad realizes the cause of the destruction of the Republican party is a one party system, he can finally defeat Ann Coulter because Libertarians kick-out the k00ks and become a viable 3rd party. ...