On The Costs of Full Security Disclosure
sasha328 writes "I found reference to this email on the LWN.NET site which was sent to the SecurityFocus mailing list. It asks a very valid question about how much you can disclose before malicious virii can be possible."
I'm all in favor of full, detailed exposure of exploits - how they're done, why they're possible, and possible steps to fix them.
Just because the exploit only hits MS systems doesn't mean that ONLY MS and "blackhats" should know the details. The more people that know the details of HOW these exploits are possible, the better - as these people will not only put more pressure on MS to actually FIX the problem, but they will also be exposed to the reasons WHY the MS product was vulnerable in the first place.
Some of them might even suggest ways of improving the situation. But that's in a perfect world, and this world is far from perfect.
Just telling people "There's an exploit in IIS that allows malicious intruders to use your system(s) to infect others, install a backdoor, and potentially use your system(s) for other purposes" isn't enough. I know as a system administrator, I'd want to know what port the backdoor was put into, so I could secure it at the firewall. I'd want to know how the exploit was executed, so I could potentially filter out the infection requests. I'd want to know exactly WHAT was making my system insecure, and where, so that in the absence of an official fix, I could work my own fixes, to secure my own system(s) against known intrusions.
Security through obscurity is a fallacy, but it can delay the inevitable.
Seriously, maybe a stepped grace period would be an idea?
Step 1: Bug is found, creator is notified.
Step 2: 2 weeks later. If the bug is fixed, go to step 3. Disclose the existence of a bug, not many details yet.
Step 3: Full disclosure.
Just shooting from the hip here...
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
And it's viruses, not virii.