Slashdot Mirror
Schneier On Full Disclosure
Bruce let me know that he's written a piece on ZDNet (original home of the for the Window of Exposure idea is on Counterpane ? ) about the problems of not following full disclosure. Very well written and does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.
This could be the start of the end for MS. Since Full Disclosure is obviously the only way to go, and seeing as MS's software is pretty buggy and not very secure (mainly out of the box), they are proving to the world that they don't want people to know just exactly how buggy their software is.
would you extend these arguments to support it in non-virtual security? Should the CIA and other international organizations use full exposure? Should they publish something titled, "This is the vulnerability of our Nuclear Piles"? "This is where you can cross the border undetected", "This is how to make a Fake ID?"
-pyrrho
Oh, does this mean the software vendors will establish some *real* Quality Assurance in their development process and produce software without bugs?? :*)
blurring out...
Culp makes a lot more sense than he's given credit for, and a lot of his points have been taken out of context. The procedure he outlines seems very reasonable to me:
"Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is... and what users can do to protect their systems....
"Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly...
Let's not stir that bag of worms...
vendors didn't have any motivation to fix vulnerabilities. CERT wouldn't publish until there was a fix, so there was no urgency. It was easier to keep the vulnerabilities secret. There were incidents of vendors threatening researchers if they made their findings public, and smear campaigns against researchers who announced the existence of vulnerabilities (even if they omitted details). And so many vulnerabilities remained unfixed for years.
Perhaps it was pointed out that codered et al had patches a month ahead of time.
But, in the same breath/stroke it was mentioned by MS that their meathod of informing, distributing about patches/vulnerability was/is "confusing".
And the article by Culp almost says in effect "we don't want vulnerabilities known so we can stop writing patches and bugfixes or do it when "we" feel like it".
The whole "rely solely on the vendor" schtick is coming full circle it seems.
The author pointed out that is the way "it used to be" and it seems Microsoft is pushing for it to be that way again.
If it is not on fire, it is a software problem.
Wow, what a troll. The CIA being an "international organization" is a dead give away. The other is the fantastic false analogy between buggy PC software and nuclear bombs. No orgainization currently mass produces nuclear weapons for daily use on every desktop. No one here would recomend such things.
At the same time, some countries like the USA, recognize that free thought is needed for scientific development and that full disclosure and broad education are in the public interest. While the particular techincal details of how to build bombs is kept secret, the physical priciples are trumpeted and encouraged. Indeed public debate on priciples are encouraged as free dicourse leads to knowledge. "Freedom is the ability to say two plus two is four, all else follows", said George Orwells sad character in 1984. While the Department of Energy and their employees might not tell us details, they will not keep you or me from talking about it. With sufficient study at any good US University, a person can learn all they need to know about bomb design. Knowledge is not yet viewed as evil. The truth will set you free and only the free can be sure they know the truth.
M$, Adobe, RIAA, MPAA and other private interests are going a step further than cold warriors with their "information anarchy" campaign. Such blatant censorship is un-American and against the public interest. They will be defeated in the long run, as will trolls like you.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
- Code RedMicrosoft worm.
- LionLinux worm
- SadmindSolaris worm that affected Microsoft OS's (*ack* if you can call them OS's!)
- RamenLinux worm
- NimdaMicrosoft worm
Now that means that a "representative" list of worms would contain 50% Microsoft worms, 40% Linux worms, and 10% Solaris worms. It's good to see Microsoft presenting a legitimate picture of what's going on. C'mon!! Windows practically breeds worms! Linux has had how many? 4, 5? Morris, Ramen, Lion, Adore. That's all I can come up with. Now, do I start listing the Microsoft worms (not to mention virii)?...-------------
All your sig are belong to us.
IWARS.
People, in general, disappoint me. Politicians even more so.
Well, not really.
If you're a responsible researcher who discovered the exploit, your work will eventually be published upon the release of a patch.
The reason, I'd assume, that "full disclosure" mode is enacted upon seeing the exploit be out in the wild is to put some fire under the ass of those responsible to get a patch out. It hightens the level of urgency. I think this makes sense actually, since in most cases a patch will be released during the grace period (theoretically) before the exploit is actually seen in the wild.
I was actually going to propose a grace period as a "solution" to the problem, before I realized Microsoft was pushing for a grace period. I'm not fond of the month long period though, I'd expect it to be more like a week and a half to two weeks. Having hack-able boxes sitting open for a month when someone out there knows how to get into them is irresponsible. Giving manufaturers two weeks to get themselves together before the script kiddies come full on though seems like a good idea to me.
--
The argument that you can't just shout "fire" in a crowded theater entered the law in Schenck v. United States, 249 U.S. 47, 52 (1919). This was a Supreme Court case concerning whether the government may suppress pamphlets encouraging people to resist the draft. Although I think that case may have been correctly decided (with the distinction being expressing opposition to the draft versus encouraging people to violate the draft law), I wonder if the Court realized they were treading on, or near thin ice, when they used the "Fire" analogy.
So it is with people who use the analogy today. Whenever someone start comparing some kind of speech to shouting "Fire" in a crowded theater, don't get carried away by the emotional appeal but keep an eye on your rights, lest someone try to make off with them.
While it is certainly up to the vendor to release as bug free code as possible, I disagree with his exoneration here. "If you don't know how to use it, don't" holds true regardless of what OS we're talking about. A Unix sysadmin that doesn't patch his/her boxe(s) is as much to blame as an MS sysadmin who fails to do so as well.
Whether or not the amount of exploits for IIS are a direct result of how widely it is used outside of the "heavy metal" internet server arena is anybody's guess. But to even suggest that the sysadmins should say "oh, fuck it. It's the vendor's fault" is a bit like putting one's network in the hands of God... maybe it will be OK, and most likely it won't.
No. It means that if there is a known exploit in the wild then it is legitimate to post information about the vulnerability that it pertains to.
Let's say for a second that I'm a network administrator (which I have been) or in a related position. Would I want to know about how someone will be able to break into my network or servers? You bet I would. What if it was possible to avoid being affected by the exploit by changing default settings or shutting down services temporarily? I think whatever inconvience that might cause would be outweighed by keeping my network secure.
Obviously you haven't had to deal with this sort of stuff before. I'd suggest you do a quick search through the Bugtraq archives for informed discussions on vulnerability disclosure. In the information security world it's a topic which has (almost) been flogged to death.
Some companies' qualification time takes longer than two weeks. Unless you think unqualified patches are a good idea, giving them time to make the process work is not a bad idea. As it is 30 days is a hard accelleration of most patch qual times.
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
For example the auto-industry. If you buy a new/used car and it is a lemon or has massive faults that can cause serious damage the vendor is expected to state those faults
I have two children and ANYTIME there is even the slightest risk of problems with the products we have bought for them, the vendor says don't use it any more.
You would think that Microsoft would have learned from Firestone/Ford....
Almost every piece of commercial software you install these days has something in the license like (taken from the Red Hat legalese):
"There is no warantee for the program, to the extent permitted by applicable law. Except when otherwise stated in writing by the copyright holders and/or other parties provide the program "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warantees of merchantability and fitness for a particular purpose. The entire risk of as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair, or correction."
Now someone explain to me why, when software vendors disavow all responsibility for their products, they should be granted some special status with regards to information about those products' misbehavior.
To be more accurate, Culp's analogy is that it is as acceptable to curtail the free speech of someone yelling "security hole!" as it is to curtail the free speech of someone yelling "fire" in a crowded theatre when there is none.
Bruce's continuation of the analogy is to show that this simply doesn't work, because those yelling "security hole!" are doing it because there is, in fact, a security hole.
That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze
The issues of Full Disclosure, and using DCMA to hide or not honour consumer rights needs to be discussed, as in all care.. no responsibility style wimp outs. Forget full disclosure - often any disclosure is withheld. This needs discussion. Sadly, the computer software industry has got laws passed that the cigarrette/nicotine industry would die for.
Check this story about finding a serious cookie vulnerability in Microsoft Internet Explorer and MS policy dealing with it.
From Culp's piece at http://www.microsoft.com/technet/treeview/default. asp?url=/technet/columns/security/noarch.asp:
"Providing a recipe for exploiting a vulnerability doesn?t aid administrators in protecting their networks. In the vast majority of cases, the only way to protect against a security vulnerability is to apply a fix that changes the system behavior and eliminates the vulnerability; in other cases, systems can be protected through administrative procedures. But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin."
This is Microsoft's opinion in a nutshell: Don't worry about the details, we'll take care of you. That doesn't surprise me for end-users, but for administrators? When I see a bug announcement with a detailed example, such as the ftp_conntrack bug in iptables, it is tremendously advantageous to actually understand the bug and how to deal with it. In that case, several workarounds suggested themselves, because the bug only afected RELATED connections.
Now take the MS paradigm: I wait until they release a patch, or detailed instructions which I should follow by rote. Of course, I am affected by the vulnerability longer; furthermore, I get no transferable knowledge from the experience. Next time there's a similar bug, I just have to wait, again, instead of being able to invent a workaround.
Sure, it's _possible_ to implement a workaround when I don't understand the vulnerability, but I sure feel a lot better when I understand the problem AND the solution. I simply don't understand how this MS scheme (where everyone is an unenlightened end-user, waiting for cryptically-named patches which they don't understand) could appeal to any business OR home user. By assuming that even its administrators are unqualified to do manual reconfiguration by themselves, or even really understand what they're doing with the OS, MS has effectively crippled their fleet of administrators. And this, ultimately, is why the NT(2k/xp, whatever)platform is the huge, gaping security hole it is.
I simply can't believe the arrogance and stupidity of the statement above.
"...an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin."
I think that speaks for itself.