Re: [vor] Re: Can we afford full disclosure of security holes?

From: Richard Forno (rforno@infowarrior.org)
Date: 08/10/01


Date: Fri, 10 Aug 2001 19:50:01 +0000
Subject: Re: [vor] Re: Can we afford full disclosure of security holes?
From: Richard Forno <rforno@infowarrior.org>
To: "Jay D. Dyson" <jdyson@treachery.net>, Bugtraq <bugtraq@securityfocus.com>
Message-ID: <B799EB69.1216B%rforno@infowarrior.org>


Security through obscurity does not work.

Folks need to understand that vendors will not openly fix problems in a
timely fashion unless brought to the community's attention first, thus
spurring a concern to fix the problem to avoid future problems in general,
and also reduce the chances of new ones once word of the exploit gets out.
It's not a smooth process, but a necessary evil and an acceptable de facto
compromise between the two.

Those that take the Gloom-And-Doom position that the public discussion of
vulnerabilities is bad for the Internet are living in a fantasy world. Just
because the "politically-correct" method is to fork over large sums to be
part of a Vulnerability Club of vendors - or ONLY tell the vendor - does not
mean that such information will not get out into the world. I don't need to
go into the social ramifications that the Internet has brought to the world
of communications.

Think of software as a subscription - you pay for it up front, but you're at
the mercy of the vendor's schedule and decision whether or not to address
any problems that are reported to them. In such a case - which is what
several propose - unless external pressure is placed on the vendor - through
the community's common concern and discussion in forums free from vendor
control and subjectivity - I wager most of the problems would never get
addressed, the exploits will remain, and folks will carry on none the wiser,
but still at risk. Software vendors would LOVE such a situation.

How many sites were impacted by a vulnerability between the time CERT or a
vendor received word of the exploit and the time they actually released a
public warning? Most system administrators, I wager, would prefer to know
about potential problems IMMEDIATELY so they can monitor or take preventive
measures to protect themselves......and not "fiddle while Rome burns" while
their networks get compromised. Once news of a vulnerability is public
knowledge, it is incumbent on system admins to act on that analysis and
patch their systems.

More to the point, community discussion of security vulnerabilities and
exploits is perhaps the public's best guarantee that someone is looking out
for THEIR interests and not just corporate profits....the peer review of
products outside of the vendor's control - through any number of open,
interactive, free lists, forums, and sites - provides a "check and balance"
to vendor claims that their products are secure, stable, and reliable. Once
word of a problem spreads, the community consensus (and media reports of
such) typically spurs the vendor to address the issue.

Otherwise, we're forced to trust the vendor's word that their products are
secure, reliable, and safe.......and we all know that major software
companies are more concerned with making money and ensuring their
marketplace positions than they are with producing secure, robust, and
reliable software. The real world has Underwriters' Labs, Consumer Reports,
and any number of third-party test and evaluation organizations......in the
intertwined world of the internet and software, we have full disclosure
discussion lists not under the thumb of software vendors.....sort of a
"peer-review Underwriters' Lab" for software and network technologies.

That's why UCITA and DMCA are so popular with the software industry. Rather
than actually do good QA on products before they go out the door, or take
responsibility for a product's fallacies when they're discovered in the world,
they prefer to litigate the problem away, at the expense of the US taxpayers
and the public's safety.

Security through obscurity doesn't work, and any attempt to develop
exclusive fee-based membership Vulnerability Clubs will only
obfuscate, not clarify and assist, the examination and resolution of
security issues.

Just my 2 cents....

rf

Richard Forno
infowarrior.org / incidentresponse.com
