Re: Call to arms - INFORMATION ANARCHY
From: Goencz, Otto (OGoencz@GREENWICHTECH.COM) Date: 11/03/01
- Previous message: hellNbak: "Re: Call to arms - INFORMATION ANARCHY"
- In reply to: Russ: "Re: Call to arms - INFORMATION ANARCHY"
- Next in thread: Kevin Simmons: "Re: Call to arms - INFORMATION ANARCHY"
- Next in thread: Greg Lara: "Re: Call to arms - INFORMATION ANARCHY"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <005201c16406$cd059100$1100000a@giants11> Date: Fri, 2 Nov 2001 20:28:10 -0500 From: "Goencz, Otto" <OGoencz@GREENWICHTECH.COM> Subject: Re: Call to arms - INFORMATION ANARCHY To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
----- Original Message -----
From: "Russ" <Russ.Cooper@RC.ON.CA>
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Friday, November 02, 2001 17:39
Subject: Re: Call to arms - INFORMATION ANARCHY
> 1. It's one thing to prove to a Vendor they have a problem in their code.
> It's another to be the reason that the Vendor's customers are subjected to
> malicious attacks that take advantage of your disclosure. This is the
> heart of the issue, and it's not resolved by keeping "Full Disclosure" alive.
That most certainly has been quite evident this year, starting back in May
with Code Red, with some interesting coincidences in the timeframe of
disclosure, patch release, and the worm showing up on the horizon.
> 2. Acknowledging that there is a majority of people in the world who
> choose to use software which they cannot modify themselves (to avoid a disclosed
> vulnerability) should translate into a responsibility on behalf of the
> discloser. *IT DOESN'T*. It's all too easy to lay the blame at the feet of
> the Vendor for a vulnerability without accepting responsibility for your
> proof-of-concept code or detailed description.
The bigger the vendor the easier and more effective it is to do so.
> 3. A dramatic minority of people who use software pay any attention to
> vulnerability announcements. They find out about the attack, without ever
> hearing about the vulnerability (or even the patch/workaround). This must
> not be under-estimated, but it is frequently. People don't care much about
> what we say, they care about what the Vendor says. If the Vendor doesn't
> alert them (and Microsoft's Security Bulletins go to, maybe, 1% of their
> customers), customers will go merrily along without a care in the world.
And the majority of the customers use the default installation of the vendor's
software. Need I remind people that a secured installation was not
vulnerable to CR, Nimda, Ramen, etc.?
> Ergo, your disclosure leads to them being exploited rather than them being
> fixed, pretty much guaranteed.
>
> So, a couple of things need to change for *anything* to be effective;
>
> a) The media has to do a better job of informing *the masses* of
> vulnerabilities. If the average person was more aware of how insecure
> their computers were, and why it mattered to them, it might trickle up the food
> chain and translate into purchasing decisions by OEMs and Corporations
> that feed the feature versus security mentality of many Vendors.
The media will do what they do best: blowing things out of proportion.
Security companies supplying catchy names for their "discovery", and the
subsequent use of it in a worm, doesn't help either.
> b) There needs to be a great emphasis placed on researchers doing things
> to prevent "script kiddiez". The average consumer doesn't need to be
> portscanned daily, have a trojan dropped on their system, or have their machines
> rendered unusable in order to convince Microsoft to provide better
> security. It doesn't work. It hasn't worked. It's not going to work. All it does is
> make everyone ticked off at security research in general.
Researchers should not need to worry about script kiddiez; they aren't
knowledgeable enough to use the source code of the exploit and create a
script, or tools, out of it. Some of the researchers should stop hiding
behind the "the public has the right to know" slogan and stop making proof of
concept tools available at their sites.
> c) There needs to be far less talk in the press about vulnerabilities
> leading to privacy disclosures. Face it folks, the average person doesn't
> care about privacy disclosures unless it has to do with Health or Legal
> issues. The constant harping on privacy issues has led to an antipathy
> towards security issues in general for the public.
Which actually has a reverse effect on security in general, and is quite evident
even in this mailing list. What was missed by most people in Scott Culp's
statements is that Microsoft isn't the only one which has exploits for a
default installation.
> d) There needs to be some method of Vendors and Security Researchers to
> some sort of responsible expectations. An RFC isn't going to do that, and
> neither will massive disclosures of vulnerabilities. An independent party,
> Governmental or Private, acting in an oversight and authoritative focal
> point is the only way. Problem is that most of those researchers who've
> become quiet are trying to make money from their work (a Good Thing) and
> need to be seen as better than everyone else. So the Security Industry
> would be against any sort of governing body as that would make their Angel
> Investors lose interest...
And there are researchers who try to make money by being noisy about their
discovery. And since money is involved, there isn't anything which will stop
either of the behaviors. Getting the government involved in software code
could easily backfire. Do we really want Uncle Sam telling us what's suitable
for human consumption? Then there's the question, how would the government
regulate free operating systems? A private entity would have a similar fate
and besides, does anyone believe that either of the entities would be able to
enforce bug-free software? Get real....
Otto