Slashdot Mirror


Schneier On Full Disclosure

Bruce let me know that he's written a piece on ZDNet (the original home of the Window of Exposure idea is on Counterpane) about the problems of not following full disclosure. Very well written, and it does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.


  1. Grace Period by Exmet+Paff+Daxx · · Score: 5, Interesting

    From the powerpoint slide:

    Grace Period
    Purpose: Give users a reasonable interval during which to protect their systems against newly reported vulnerabilities
    - Begins with public notice of vulnerability, and lasts for 30 days
    - Is immediately curtailed if vulnerability becomes actively exploited


    Do I read this correctly? Does this mean that when an exploit is shown to exist in the wild, then they immediately switch to "full disclosure" mode? This means that there is now an incentive to put an exploit in the wild: it means you can publish your work. Even if you leak the exploit surreptitiously.

    I know I must be preaching to the choir here, but, this seems exceedingly stupid. Am I missing something?

    --
    If guns kill people, then CmdrTaco's keyboard misspells words.
    1. Re:Grace Period by morcheeba · · Score: 3, Interesting

      Is immediately curtailed if vulnerability becomes actively exploited

      How exactly do they know if the vulnerability has been exploited? A box owner may not realize they've been exploited, and even then may not know the exact exploit used. What are the chances of this information getting back to Microsoft before boxes #2-#200,000 are exploited?

      Second, think of the attitude this takes towards customers: They won't give full disclosure until one of their customers is compromised? Sounds like a hostage situation to me.

      And, for the obligatory "if Microsoft was a car company" comparison:

      Partial disclosure: "One of the 4 seatbelts in your car can fail. Don't worry, there is an 80% chance that it's not the seat you're sitting in."
      Full disclosure: "Don't sit in the rear passenger seat until you get the belt replaced."

      Would you like your car company to not give full disclosure for 30 days or until someone died?

  2. Re:I am for full disclosure but... by sphealey · · Score: 5, Interesting
    would you extend these arguments to support it in non-virtual security? Should the CIA and other international organizations use full exposure? Should they publish something titled, "This is the vulnerability of our Nuclear Piles"?
    Unfortunately, it isn't that simple. Read the history of the Manhattan Project. The FBI actually succeeded in its goal of not allowing a single leak of information out of the project [1]. It was the lack of published information on atomic research in the US in 1940 and 1941 that told Kurchatov that something was "up" and motivated him to write a letter to Stalin suggesting that the Soviet Union get moving on atomic bomb research.

    So just hiding information doesn't necessarily make you more secure.

    sPh

    [1] OK, the Soviet Union had spies inside the project before it started, but that doesn't count!

  3. Re:I am for full disclosure but... by iabervon · · Score: 3, Interesting

    The CIA and such are, in this case, in the position of the vendors: it is their responsibility to fix the vulnerabilities.

    The disclosure should be done by people who identify the vulnerabilities. If you know where you can cross a border undetected, you ought to let someone know. Particularly in that case, the hole would probably get closed pretty quickly. And if some random person notices a hole, it would be pretty easy for someone actually looking for a vulnerability to find it.

    For example, if in August (or before) someone had said to the general public something like, "You can probably hijack an airplane with legal objects and then destroy a building with it", the passengers wouldn't have let the hijacking get anywhere, and the hijackers probably wouldn't have tried. There's obviously the risk that some groups that wouldn't have thought of it would get the idea, but it would have gotten fixed in policy before anyone could do anything to exploit it.

  4. Re:I am for full disclosure but... by ChaosDiscordSimple · · Score: 2, Interesting

    would you extend these arguments to support it in non-virtual security?

    Yup.

    Should the CIA and other international organizations use full exposure? Should they publish something titled, "This is the vulnerability of our Nuclear Piles"? "This is where you can cross the border undetected", "This is how to make a Fake ID?"

    That's not quite the same. I no more expect the CIA to use full disclosure than Microsoft. Full disclosure is about third parties pointing out problems.

    A better analogy would be "Should anyone who wants be able to publish things like, "Guide to Lock Picking"? Sure enough, you can find works on picking locks, defeating car and home alarms, hotwiring cars, making fake IDs, and a host of other real world security issues. And these works are good things. Individuals affected by these risks can use this information to make their own judgements on how to protect themselves.

  5. You're right that it's a marketing decision by complexmath · · Score: 2, Interesting

    but by the same token, releasing information about a vulnerability is admitting that your application is flawed. This also harms the reputation of your product among some user groups. With Windows XP Microsoft has conclusively proven that their target market is People Who Don't Know What A Mouse Is; these are the same people who would react most negatively to MS security alerts.

  6. technet security slight by Anonymous Coward · · Score: 1, Interesting
    Anybody seen this?
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp


    Frequently asked questions

    Why isn't there a patch available for this issue?

    The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
  7. Re:I am for full disclosure but... by Fencepost · · Score: 3, Interesting
    I've heard reports that one of the things that raised questions was "Where did all the silver go," but while it's clear that it was used I haven't found any notes about what impact (if any) this might have had on market prices.

    Copper was being used elsewhere in the war effort, so:

    At one point during the Manhattan Project, they needed a lot of copper. They were going to build plants in Utah to manufacture uranium and needed an estimated 10,000 to 15,000 metric tons of copper. Unfortunately, due to other war requirements, this much copper was not available. Someone suggested that the Manhattan Project go to the United States Treasury and ask for silver. Which they did.
    and
    For the record we should note two things about our story. First, the Manhattan Project eventually used somewhere around 13,000 metric tons of silver. A current valuation would be about $6,000,000,000. Second, they gave it all back.
    Swiped from http://members.aol.com/fmcguff/dwmodel/intro.htm

    --
    fencepost
    just a little off
  8. Counterpane conflict of interest by sigwinch · · Score: 3, Interesting
    In fact, if anything, Schneier has a conflict of interest in that the less secure the Internet is, the easier it will be for him to sell his services.
    OTOH, the more secure the Internet is, the less work Counterpane has to do to provide a particular level of service. It is analogous to insurance companies that require certain fire countermeasures as a condition of providing insurance (extinguishers, real firewalls, sprinklers, ...). It is not obvious where the line between conflict of interest and public service is drawn though.
    --
    Kuro5hin.org: where the good times never end. ;-)