Re: Call to arms - INFORMATION ANARCHY

From: Luke Kenneth Casson Leighton (lkcl@SAMBA-TNG.ORG)
Date: 11/03/01


Message-ID:  <20011103114309.D5271@samba-tng.org>
Date:         Sat, 3 Nov 2001 11:43:09 +0000
From: Luke Kenneth Casson Leighton <lkcl@SAMBA-TNG.ORG>
Subject:      Re: Call to arms - INFORMATION ANARCHY
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

On Fri, Nov 02, 2001 at 08:45:37PM -0500, Carter Mobley wrote:
> If Microsoft would simply offer cash rewards to vulnerability discoverers,
> conditioned on the discoverer promising to never disclose to a third party,
> I think the problem is solved quite nicely. For Microsoft, it's a cost of
> doing business, they can add it to the price of the software. All we need is
> a price list. What about this one?
>
> A. $25,000.00 for bringing down a fully patched web server
> B. $50,000.00 for accessing database records without setting off any
> alarms on a fully patched SQL server.
> C. $10,000.00 for accessing private information from a fully patched windows
> XP home edition.
> etc...
>
> If we assume that over the course of the next 5 years that 100 A type
> vulnerabilities and 100 B type vulnerabilities are found, reported
> responsibly, and fixed by Microsoft, it cost Microsoft a total of 7.5
> million dollars in reward money to protect their customers, all
> vulnerabilities remaining 100 percent undisclosed.
>
> Any rational objections to this simple, inexpensive, yet effective plan?

yes, i have one and only one objection to this otherwise
very good plan: the undisclosure bit.

there's no guarantee that the information received will be
acted upon effectively or even at all.

sorry to put it quite so bluntly, but it's true.

the information so obtained could, instead, be used to...
say... simply delay releases of software.

let's imagine that several quite serious security problems were
found - twenty, all told.

one of them, the first one, was incredibly incredibly serious.
they're just about to release a hotfix, or a major new version,
with the problem fixed.

then there come in the other nineteen problems.
the hotfix and new version are delayed whilst these other
nineteen problems are analysed, for impacts upon the hotfix
and the rest of the OS, and the entire testing procedure has
to go round AGAIN.

in the meantime, out on the internet, someone discovers
how to exploit Serious Problem No. 1.

too late!

so, no, i don't think that non-disclosure is a good idea.

oh, and for the record, i don't think that immediate disclosure
is a good idea _either_: that's just irresponsible.

[i worked for ISS, i know the procedure / algorithm for reporting
problems to vendors and working with vendors to get the
problem fixed quite well]

luke


