Schneier On Full Disclosure
Bruce let me know that he's written a piece on ZDNet (the original home of the Window of Exposure idea is on Counterpane?) about the problems of not following full disclosure. Very well written, and it does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.
Culp makes a lot more sense than he's given credit for, and a lot of his points have been taken out of context. The procedure he outlines seems very reasonable to me:
"Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is... and what users can do to protect their systems....
"Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly...
Let's not stir that bag of worms...
Full disclosure is meant to help increase security in dynamically changing and (supposedly) supported software.
You will note, if you read the article, that this is probably the only time where "bug secrecy" is necessary: it is extremely bad to publish a bug for non-fixable systems (like air traffic control computers). It is good in one sense that the exploit is known (so that they avoid it the next time), but it is bad to let it loose if the system is still deployed, cannot be changed, and isn't going away soon.
So, to continue the analogy, it isn't good to disclose vulnerabilities of nuclear stockpiles because you can't fix them.
Wow, what a troll. The CIA being an "international organization" is a dead giveaway. The other is the fantastic false analogy between buggy PC software and nuclear bombs. No organization currently mass produces nuclear weapons for daily use on every desktop. No one here would recommend such things.
At the same time, some countries, like the USA, recognize that free thought is needed for scientific development and that full disclosure and broad education are in the public interest. While the particular technical details of how to build bombs are kept secret, the physical principles are trumpeted and encouraged. Indeed, public debate on principles is encouraged, as free discourse leads to knowledge. "Freedom is the ability to say two plus two is four, all else follows," said George Orwell's sad character in 1984. While the Department of Energy and their employees might not tell us details, they will not keep you or me from talking about it. With sufficient study at any good US university, a person can learn all they need to know about bomb design. Knowledge is not yet viewed as evil. The truth will set you free, and only the free can be sure they know the truth.
M$, Adobe, RIAA, MPAA and other private interests are going a step further than cold warriors with their "information anarchy" campaign. Such blatant censorship is un-American and against the public interest. They will be defeated in the long run, as will trolls like you.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
- Code Red: Microsoft worm.
- Lion: Linux worm.
- Sadmind: Solaris worm that affected Microsoft OSes (*ack*, if you can call them OSes!).
- Ramen: Linux worm.
- Nimda: Microsoft worm.
Now that means that a "representative" list of worms would contain 50% Microsoft worms, 40% Linux worms, and 10% Solaris worms. It's good to see Microsoft presenting a legitimate picture of what's going on. C'mon!! Windows practically breeds worms! Linux has had how many? 4, 5? Morris, Ramen, Lion, Adore. That's all I can come up with. Now, do I start listing the Microsoft worms (not to mention virii)?...
-------------
All your sig are belong to us.
IWARS.
People, in general, disappoint me. Politicians even more so.
Well, not really.
If you're a responsible researcher who discovered the exploit, your work will eventually be published upon the release of a patch.
The reason, I'd assume, that "full disclosure" mode is enacted upon seeing the exploit out in the wild is to put some fire under the ass of those responsible to get a patch out. It heightens the level of urgency. I think this makes sense, actually, since in most cases a patch will be released during the grace period (theoretically) before the exploit is actually seen in the wild.
I was actually going to propose a grace period as a "solution" to the problem, before I realized Microsoft was pushing for a grace period. I'm not fond of the month-long period though; I'd expect it to be more like a week and a half to two weeks. Having hackable boxes sitting open for a month when someone out there knows how to get into them is irresponsible. Giving manufacturers two weeks to get themselves together before the script kiddies come on full, though, seems like a good idea to me.
--
The argument that you can't just shout "fire" in a crowded theater entered the law in Schenck v. United States, 249 U.S. 47, 52 (1919). This was a Supreme Court case concerning whether the government may suppress pamphlets encouraging people to resist the draft. Although I think that case may have been correctly decided (with the distinction being expressing opposition to the draft versus encouraging people to violate the draft law), I wonder if the Court realized they were treading on, or near, thin ice when they used the "Fire" analogy.
So it is with people who use the analogy today. Whenever someone starts comparing some kind of speech to shouting "Fire" in a crowded theater, don't get carried away by the emotional appeal, but keep an eye on your rights, lest someone try to make off with them.
No. It means that if there is a known exploit in the wild then it is legitimate to post information about the vulnerability that it pertains to.
Let's say for a second that I'm a network administrator (which I have been) or in a related position. Would I want to know how someone will be able to break into my network or servers? You bet I would. What if it was possible to avoid being affected by the exploit by changing default settings or shutting down services temporarily? I think whatever inconvenience that might cause would be outweighed by keeping my network secure.
Obviously you haven't had to deal with this sort of stuff before. I'd suggest you do a quick search through the Bugtraq archives for informed discussions on vulnerability disclosure. In the information security world it's a topic which has (almost) been flogged to death.
Some companies' qualification time takes longer than two weeks. Unless you think unqualified patches are a good idea, giving them time to make the process work is not a bad idea. As it is, 30 days is a hard acceleration of most patch qualification times.
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
Almost every piece of commercial software you install these days has something in the license like (taken from the Red Hat legalese):
"There is no warranty for the program, to the extent permitted by applicable law. Except when otherwise stated in writing, the copyright holders and/or other parties provide the program "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair, or correction."
Now someone explain to me why, when software vendors disavow all responsibility for their products, they should be granted some special status with regards to information about those products' misbehavior.