Schneier On Full Disclosure

Bruce let me know that he's written a piece on ZDNet (original home of the for the Window of Exposure idea is on Counterpane ^? ) about the problems of not following full disclosure. Very well written and does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.

Grace Period

[Exmet+Paff+Daxx]

From the powerpoint slide:

Grace Period
Purpose: Give users a reasonable interval during which to protect their systems against newly reported vulnerabilities
- Begins with public notice of vulnerability, and lasts for 30 days
- Is immediately curtailed if vulnerability becomes actively exploited

Do I read this correctly? Does this mean that when an exploit is shown to exist in the wild, then they immediately switch to "full disclosure" mode? This means that there is now an incentive to put an exploit in the wild: it means you can publish your work. Even if you leak the exploit surreptitously.

I know I must be preaching to the choir here, but, this seems exceedingly stupid. Am I missing something?

Re:I am for full disclosure but...

[sphealey]

would you extend these arguments to support it in non-virtual security? Should the CIA and other international organizations use full exposure? Should they publish something titled, "This is the vulnerability of our Nuclear Piles"?

Unfortunately, it isn't that simple. Read the history of the Manhatten Project. The FBI actually succeeded in its goal of not allowing a single leak of information out of the project [1]. It was the lack of published information on atomic research in the US in 1940 and 1941 that told Kurchatov that something was "up" and motiviated him to write a letter to Stalin suggesting that the Soviet Union get moving on atomic bomb research.

So just hiding information doesn't necessarily make you more secure.

sPh

[1] OK, the Soviet Union had spies inside the project before it started, but that doesn't count!