Schneier On Full Disclosure

Bruce let me know that he's written a piece on ZDNet (original home of the for the Window of Exposure idea is on Counterpane ^? ) about the problems of not following full disclosure. Very well written and does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.

Grace Period

[Exmet+Paff+Daxx]

From the powerpoint slide:

Grace Period
Purpose: Give users a reasonable interval during which to protect their systems against newly reported vulnerabilities
- Begins with public notice of vulnerability, and lasts for 30 days
- Is immediately curtailed if vulnerability becomes actively exploited

Do I read this correctly? Does this mean that when an exploit is shown to exist in the wild, then they immediately switch to "full disclosure" mode? This means that there is now an incentive to put an exploit in the wild: it means you can publish your work. Even if you leak the exploit surreptitously.

I know I must be preaching to the choir here, but, this seems exceedingly stupid. Am I missing something?

Re:Grace Period

[morcheeba]

Is immediately curtailed if vulnerability becomes actively exploited

How exactly do they know if the vulnerability has been exploited? A box owner may not realize they've been exploited, and even then may not know the exact exploit used. What are the chances of this information getting back to microsoft before boxes #2-#200,000 are exploited?

Second, think of the attitude this takes towards customers: They won't give full disclosure until one of their customers is compromised? Sounds like a hostage sitatuion to me.

And, for the obligitory "if microsoft was a car company" comparison:

Partial disclosure: "one of the 4 seatbelts in your car can fail. Don't worry, there is a 80% chance that its not the seat you're sitting in."
Full disclosure: "Don't sit in the rear passanger seat until you get the belt replaced."

Would you like your car company to say not give full disclosure for 30 days or until someone died?

Re:I am for full disclosure but...

[sphealey]

would you extend these arguments to support it in non-virtual security? Should the CIA and other international organizations use full exposure? Should they publish something titled, "This is the vulnerability of our Nuclear Piles"?

Unfortunately, it isn't that simple. Read the history of the Manhatten Project. The FBI actually succeeded in its goal of not allowing a single leak of information out of the project [1]. It was the lack of published information on atomic research in the US in 1940 and 1941 that told Kurchatov that something was "up" and motiviated him to write a letter to Stalin suggesting that the Soviet Union get moving on atomic bomb research.

So just hiding information doesn't necessarily make you more secure.

sPh

[1] OK, the Soviet Union had spies inside the project before it started, but that doesn't count!

Re:I am for full disclosure but...

[iabervon]

The CIA and such are, in this case, in the position of the vendors: it is their responsibility to fix the vulnerabilities.

The disclosure should be done by people who identify the vulnerablities. If you know where you can cross a border undetected, you ought to let someone know. Particularly in that case, the hole would probably get closed pretty quickly. And if some random person notices a hole, it would be pretty easy for someone actually looking for a vulnerability to find it.

For example, if in August (or before) someone had said to the general public something like, "You can probably hijack an airplane with legal objects and then destroy a building with it", the passengers wouldn't have let the hijacking get anywhere, and the hijackers probably wouldn't have tried. There's obviously the risk that some groups that wouldn't have thought of it would get the idea, but it would have gotten fixed in policy before anyone could do anything to exploit it.

Re:I am for full disclosure but...

[Fencepost]

I've heard reports that one of the things that raised questions was "Where did all the silver go," but while it's clear that it was used I haven't found any notes about what impact (if any) this might have had on market prices.

Copper was being used elsewhere in the war effort, so:

At one point during the Manhattan Project, they needed a lot of copper. They were going to build plants in Utah to manufacture uranium and needed an estimated 10,000 to 15,000 metric tons of copper. Unfortunately, due to other war requirements, this much copper was not available. Someone suggested that the Manhattan Project go to the United States Treasury and ask for silver. Which they did.

and

For the record we should note two things about our story. First, the Manhattan Project eventually used somewhere around 13,000 metric tons of silver. A current valuation would be about $6,000,000,000. Second, they gave it all back.

Swiped from http://members.aol.com/fmcguff/dwmodel/intro.htm

Counterpane conflict of interest

[sigwinch]

In fact, if anything, Schneier has a conflict of interest in that the less secure the Internet is, the easier it will be for him to sell his services.

OTOH, the more secure the Internet is, the less work Counterpane has to do to provide a particular level of service. It analogous to insurance companies that require certain fire countermeasures as a condition of providing insurance (extinguishers, real firewalls, sprinklers, ...). It is not obvious where the line between conflict of interest and public service is drawn though.