[Full-Disclosure] it's all about timing

From: Juliao Duartenn (full-disclosure@lists.netsys.com)
Date: 08/02/02

From: full-disclosure@lists.netsys.com (Juliao Duartenn)
Date: Fri, 02 Aug 2002 15:44:19 +0100

I propose an exercise:

Why do people look for vulnerabilities?
Why do people publish vulnerabilities?

If you take the broken window example Evrim Ulu has proposed, it is
clear that most of us do not walk around the streets carefully examining
windows to see if they are broken. Sometimes we spot a broken window,
but we don't actively look for them. Unless, of course, we are the shop
owner. Or a burglar.

People look for vulnerabilities for the following reasons:

- They want to stress the code they are running on their systems to make
sure it is safe (shop owner)
- They are looking for possible ways to abuse a system they do not own
(would-be burglar)
- They feel that they have a moral "duty" to use their skills and time
for other's good (concerned citizen)
- They have nothing else to do and think this is fun (vulnerability
- They look for vulnerabilities because they are responsible for the
vulnerable product (vendors)
- They look for vulns with the express intention of publishing them and
make themselves noticed (karma whores)

On the other hand, people publish vulnerability information for the
following reasons:

- They publish vuln info to make themselves noticed (karma whores)
- They publish vuln info because they have customers that pay (or
otherwise produce revenue) for that service (watch dog)
- They publish vuln info because they are responsible for the vulnerable
code (vendors)
- They feel that they have a moral "duty" to publish this information
once they have it, since it may be a global risk (concerned citizen)
- They have nothing else to do and think this is fun (why nots)

Professional security staff and vulnerability seekers are a special case
of the karma-whore/watch-dog combination. You find vulnerabilities in
order to have them published and have your name metioned, bacause that
is the basis for your revenue model. In turn, you have paying customers
that profit by either having early access to the vuln info or premium
access to patches and/or related security services.

The whole DMCA vs. Full Disclosure issue must take into account the
deeper reasons I have mentioned. Why do people search for vulns, and why
do they publish them?

Shop-owners that look for vulns on the products they use already have
the "right" attitude about this issue. They either contact vendors or
create their own patches and submit them to the vendors. Shop-owners are
not interested in early disclosure, since it might further expose their
systems. Enforcing any kind of n-day disclosure or no-disclosure law
would have no impact on their behavior. Except, of course, in the event
that the vendor does not fix their product and the shop-owner has to
create a patch to protect himself, and only them will he be willing do
publicly disclose the vuln.

Would-be Burglars:
Burglars don't disclose vulnerabilities, just like in the real world
they don't go around telling other burglars about this nice broken
window they found. Burglars actively exploit vulns and will continue to
do so, regardless of any law on the subject.

Vulnerability Hobbyists:
Hobbyists look for vulns because it's a challenge, and they would
probably continue to do so. But any challenge must have a reward, and
peer-recognition is part of that reward. If disclosure is banned, part
of the reward is gone and hobbyists will be less inclined to seek vulns,
directing their efforts to other things. Hobbyists thrive in recognition
from the established security industry, so they are likely to be
responsible in their disclosure procedure. Having an n-day policy would
not change the way they act. Having a no-disclosure policy would
probably lead them to diclose vulns in private forums, where it might
easily leak to would-be burglars before it reaches the white-hat
community and the affected system owners.

Concerned Citizens:
Concerned Citizens (aka the white hat community) would be severely
affected by any restrictions of full disclosure. Most citizens already
report vulns primarily to the vendor, in the hope that the vendor will
solve the issue. If the vendor fails to comply, they look for a forum
where to advise their peers about the problem, the failure to comply,
and a possible fix. If such forums are outlawed, the citizens will still
feel the moral need to search for flaws and to warn others. Remember
that it is the concerned citizen attitude that is in the origin of every
neighbourhood watch and popular militia group in the world. If the means
to perform this "duty" in a responsible manner are banned, the citizens
will be pressured into finding other ways of spreading this information.
What is not volunteer work, white hat work, done for the global
community, may turn into commercial activities, if the citizen is so
pressured in his need to be "responsible" that he finds it in himself to
affiliate with a professional security company. It may turn into an
underground activity, if the citizen is forced to create an
"underground", "illegal" list in order to publish what he has found. Or
it may turn into an activity known to few, inside a members-only mailing
list for a small group of like.minded people that the citizens
personally know. Either way, any disclosure control law other than what
is now current practice (vendor first, CERT if you want to, back off 30
days, then all hell breaks loose) will limit the activity of concerned
citizens and diminish global security.

Karma Whores:
The karma whores are in it for the glitz. They look for vulns in order
to publish them, and publish them in order to get peer recognition.
Vulns are like hunting trophies. They will eventually report to the
vendor, if and only if the vendor will acknowledge what they report and
give them appropriate credit when it finally discloses the vuln, along
with the patch. If it is not like this, they will disclose the
information independently. The damage done by karma whores can only be
mitigated with better vendor responsiveness. And that is something that
no law can achieve. If any law requires vendors to be notified ahead of
time, the karma whores will still publish the vuln if the vendor does
not respond in appropriate time. And the next time a vuln comes along in
another product by the same vendor, karma whores are likely to disclose
on day 0, "just to show them".
Having a law will not change this. This is human nature at work. Today,
karma whores disclose on the public lists, and everyone benefits from
that. If <n-day is banned, or if disclosure is banned, the karma whores
will move into the black hat lists, into private forums, into the irc
networks. The effort required by the white hat community in order to
track all disclosed vulnerabilities will be greatly increased.

Many vendors only disclose if they have to, if they are forced to
disclosure by full or partial disclosure by third parties. Increasing
the non-disclosure timeout period only gives vendors more time to react.
But the time already given is more than enough. Any vulnerability that
cannot be fixed in 30 days is not likely to be fixed in 45 or in 60
days. And if the vendor contacts the vuln finder and asks for more time
before disclosure, most finder will gladly comply.
The problem is that many vendors don't respond when they are contacted.
And no law is going to fix that. The vendors that only respond after the
vuln is public, and after an exploit is in the wild, their customers are
not going to benefit from a delayed non-disclosure period.
Furthermore, the longer one waits after reporting to a vendor and before
full disclosure, the more chances that a separate, independent
researcher will fin the same vuln and disclose it into a black hat
forum, making all customers vulnerable. Vendors will not benefit from a
further delayed disclosure law. And customers will be hurt.

Defense is very different from offense.
Defense must cover all the fronts, offense needs to concern with only one.
Black hats will continue to thrive if the public, general forums are
outlawed. No blackhat ever needs all the information about all the
products. He just needs one flaw in one product that he can exploit in
order to get into wherever he wants. If disclosure is harmed, they won't
suffer. The private forums and mailing lists and irc and icq and instant
messenger black-hat clubs will continue to exist and information will
continue to flow there. If anything, the law will help them, by moving
what would otherwise be responsible disclosure by citizens and hobbyists
into the blackhat zones.
White hats, on the other hand, will be forced to roam the blackhat zones
looking for information. They will need to pay much more attention to
their IDS systems. They will need much more people in their departments
to help with auditing and identifying potential attack attempts. If they
do not know about the vulnerabilities, they cannot protect themselves.

I do not wish to propose full 0-day disclosure as a rule. 30-days is
appropriate. Even if it was 20 days, it would still be appropriate. But
any effort to delay the timeout period, or to limit the amout of
information that can be disclosed, is bad for the industry, bad for the
users, bad for the system administrators.
And, in fact, good for the burglars.

Julião Duartenn