Schneier On Full Disclosure
Bruce let me know that he's written a piece on ZDNet (the original home of the Window of Exposure idea is on Counterpane) about the problems of not following full disclosure. Very well written and does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.
Full disclosure may be good, but full exposure will get you thrown in jail!
"People that quote themselves in their signatures bother me" - athakur999
This could be the start of the end for MS. Since Full Disclosure is obviously the only way to go, and seeing as MS's software is pretty buggy and not very secure (mainly out of the box), they are proving to the world that they don't want people to know just exactly how buggy their software is.
would you extend these arguments to support it in non-virtual security? Should the CIA and other international organizations use full exposure? Should they publish something titled, "This is the vulnerability of our Nuclear Piles"? "This is where you can cross the border undetected", "This is how to make a Fake ID?"
-pyrrho
Everybody seems to like "Full Disclosure," so here at Microsoft, we've decided to begin releasing all security vulnerabilities under a "Shared Disclosure" policy. Once the various NDAs are signed, you too can view and work with any security vulnerabilities that we know about.
Just another example of how Microsoft listens to and responds to customer requests. Have a nice day!
If a tree fell on a florist, and nobody was around to hear it, would he make a noise?
From the powerpoint slide:
Grace Period
Purpose: Give users a reasonable interval during which to protect their systems against newly reported vulnerabilities
- Begins with public notice of vulnerability, and lasts for 30 days
- Is immediately curtailed if vulnerability becomes actively exploited
Do I read this correctly? Does this mean that when an exploit is shown to exist in the wild, then they immediately switch to "full disclosure" mode? This means that there is now an incentive to put an exploit in the wild: it means you can publish your work. Even if you leak the exploit surreptitiously.
I know I must be preaching to the choir here, but, this seems exceedingly stupid. Am I missing something?
If guns kill people, then CmdrTaco's keyboard misspells words.
When you see a fire in a crowded theatre, you:
(A) Shout "FIRE!" and get crushed in the panic.
(B) Walk out quietly...who cares about anyone else?
(C) Tell your closest neighbor and hope that they're a fireman.
(D) Pour on gasoline so everyone will get out faster.
Oh, does this mean the software vendors will establish some *real* Quality Assurance in their development process and produce software without bugs?? :*)
blurring out...
Culp makes a lot more sense than he's given credit for, and a lot of his points have been taken out of context. The procedure he outlines seems very reasonable to me:
"Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is... and what users can do to protect their systems....
"Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly...
Let's not stir that bag of worms...
if and when I have a nuclear stockpile installed in my backyard I'd certainly want the CIA to notify me of any vulnerabilities.
But your analogy is seriously flawed. Governments, like all bureaucracies, strive first and foremost to avoid bad publicity and/or responsibility for their actions. That's why openness, accountability, and yes -- full disclosure are important. There is always a gray area in terms of giving the relevant corporation/agency advance notice and some limited exceptions for national security.
But you need not worry about the balance tilting too far. The CIA might publish a guidebook on torture, but it wouldn't publish a guide on getting a fake ID/passport. Hence it's so rare for teenagers or illegal aliens to get any fake documents at all.
When in doubt, have a man come through a door with a gun in his hand.
In his essay, Culp compares the practice of publishing vulnerabilities to shouting "Fire" in a crowded movie theater. What he forgets is that there actually is a fire, the vulnerabilities exist regardless.
Slam.
...is starting the widespread debate on issues that many people need to consider.
Computer/network/internet security issues have been around a long time; perhaps now it will be more of a factor in management decision making.
Why does this have a +5 Insightful? The author just took a quote from the article. He wrote nothing original. If SlashCode allowed you to moderate the article, then it should have gotten the +5. This comment should have gotten a -1 Redundant (with the article).
Come play Heroes of Might and Magic Mini online.
but by the same token, releasing information about a vulnerability is admitting that your application is flawed. This also harms the reputation of your product among some user groups. With Windows XP Microsoft has conclusively proven that their target market is People Who Don't Know What A Mouse Is; these are the same people who would react most negatively to MS security alerts.
vendors didn't have any motivation to fix vulnerabilities. CERT wouldn't publish until there was a fix, so there was no urgency. It was easier to keep the vulnerabilities secret. There were incidents of vendors threatening researchers if they made their findings public, and smear campaigns against researchers who announced the existence of vulnerabilities (even if they omitted details). And so many vulnerabilities remained unfixed for years.
Perhaps it was pointed out that codered et al had patches a month ahead of time.
But, in the same breath/stroke it was mentioned by MS that their method of informing, distributing about patches/vulnerability was/is "confusing".
And the article by Culp almost says in effect "we don't want vulnerabilities known so we can stop writing patches and bugfixes or do it when "we" feel like it".
The whole "rely solely on the vendor" schtick is coming full circle it seems.
The author pointed out that is the way "it used to be" and it seems Microsoft is pushing for it to be that way again.
If it is not on fire, it is a software problem.
1. Discover the vulnerability.
2. Write code to exploit the vulnerability.
3. Arrange with an industry journalist to demonstrate the exploit.
Then it comes down to MS PR vs. journalistic integrity.
P.S. Don't even THINK about doing this unless you're cool with MS buying all the trade rags...
Wow, what a troll. The CIA being an "international organization" is a dead giveaway. The other is the fantastic false analogy between buggy PC software and nuclear bombs. No organization currently mass produces nuclear weapons for daily use on every desktop. No one here would recommend such things.
At the same time, some countries like the USA, recognize that free thought is needed for scientific development and that full disclosure and broad education are in the public interest. While the particular technical details of how to build bombs is kept secret, the physical principles are trumpeted and encouraged. Indeed public debate on principles are encouraged as free discourse leads to knowledge. "Freedom is the ability to say two plus two is four, all else follows", said George Orwell's sad character in 1984. While the Department of Energy and their employees might not tell us details, they will not keep you or me from talking about it. With sufficient study at any good US University, a person can learn all they need to know about bomb design. Knowledge is not yet viewed as evil. The truth will set you free and only the free can be sure they know the truth.
M$, Adobe, RIAA, MPAA and other private interests are going a step further than cold warriors with their "information anarchy" campaign. Such blatant censorship is un-American and against the public interest. They will be defeated in the long run, as will trolls like you.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
- Code Red: Microsoft worm.
- Lion: Linux worm
- Sadmind: Solaris worm that affected Microsoft OS's (*ack* if you can call them OS's!)
- Ramen: Linux worm
- Nimda: Microsoft worm
Now that means that a "representative" list of worms would contain 50% Microsoft worms, 40% Linux worms, and 10% Solaris worms. It's good to see Microsoft presenting a legitimate picture of what's going on. C'mon!! Windows practically breeds worms! Linux has had how many? 4, 5? Morris, Ramen, Lion, Adore. That's all I can come up with. Now, do I start listing the Microsoft worms (not to mention virii)?...
-------------
All your sig are belong to us.
IWARS.
People, in general, disappoint me. Politicians even more so.
The argument that you can't just shout "fire" in a crowded theater entered the law in Schenck v. United States, 249 U.S. 47, 52 (1919). This was a Supreme Court case concerning whether the government may suppress pamphlets encouraging people to resist the draft. Although I think that case may have been correctly decided (with the distinction being expressing opposition to the draft versus encouraging people to violate the draft law), I wonder if the Court realized they were treading on, or near thin ice, when they used the "Fire" analogy.
So it is with people who use the analogy today. Whenever someone start comparing some kind of speech to shouting "Fire" in a crowded theater, don't get carried away by the emotional appeal but keep an eye on your rights, lest someone try to make off with them.
While it is certainly up to the vendor to release as bug free code as possible, I disagree with his exoneration here. "If you don't know how to use it, don't" holds true regardless of what OS we're talking about. A Unix sysadmin that doesn't patch his/her box(es) is as much to blame as an MS sysadmin who fails to do so as well.
Whether or not the amount of exploits for IIS are a direct result of how widely it is used outside of the "heavy metal" internet server arena is anybody's guess. But to even suggest that the sysadmins should say "oh, fuck it. It's the vendor's fault" is a bit like putting one's network in the hands of God... maybe it will be OK, and most likely it won't.
This seems to me to kind of parallel biology. In an environment where exploits are not discussed, there is a smaller penalty for buggy software. With increased discussion, the software that remains will be the software that is more secure, or that evolves to be made more secure.
So how does Microsoft survive? Is it a virus?
JET Program: see Japan, meet intere
> By analogy, this isn't a call for
> people for give up freedom of speech;
> only that they stop yelling fire in
> a crowded movie house.
Another wonderful analogy!
Security professionals have been yelling "fire" in crowded movie houses for years. Most of the actual patrons fail to pay any attention, despite the fact that the seats are made of explosively flammable materials, the management allows patrons to smoke cigarettes in the theatre, and occasionally the movie is interrupted by ushers dousing patrons with fire hoses if they are noticeably ablaze. Patrons who do catch fire are not offered a refund, nor a credit for those parts of the movie that they miss, nor even so much as an apology.
--- Zygo Blaxell (zblaxell, feedme.hungrycats.org)
I refuse to believe corporations are people until Texas executes one. -- desert rain on http://www.dailykos.com/user/
For example the auto-industry. If you buy a new/used car and it is a lemon or has massive faults that can cause serious damage the vendor is expected to state those faults
I have two children and ANYTIME there is even the slightest risk of problems with the products we have bought for them, the vendor says don't use it any more.
You would think that Microsoft would have learned from Firestone/Ford....
Almost every piece of commercial software you install these days has something in the license like (taken from the Red Hat legalese):
"There is no warranty for the program, to the extent permitted by applicable law. Except when otherwise stated in writing by the copyright holders and/or other parties provide the program "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair, or correction."
Now someone explain to me why, when software vendors disavow all responsibility for their products, they should be granted some special status with regards to information about those products' misbehavior.
When software vendors become liable for data loss, and the associated costs, then they have a very strong financial incentive to fix bugs.
In the current model, even with full disclosure, the most they risk is sales loss due to bad PR, and to modernize the old saw, "nobody ever got fired for buying Microsoft".
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
It's not just what he says; it's how he says it. For some reason, the above sentence makes me think of a particular vendor.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Now, I know I am opening myself to people making fun of my name, and over the years, many have done so. But, it is just too easy...
Since Mr. Culp is Microsoft's apologist, might his title at MS be Mea, that would make his full title there Mea Culpa?
Or, since they have found MS guilty of being a Monopoly, would that make this person in charge of culpability for MS?
ttyl
Farrell (running, ducking and hiding...)
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Can someone explain the benefits of "Full Disclosure" in a closed-source scenario such as bugs in IIS in Windows?
I'm not interested in arguments about open-source systems, or how vendors should be liable for bugs, etc...
I simply want to know why it makes sense to publicise the code for a vulnerability as opposed to saying "there's a bug in this area, we're working on a patch". What are the benefits?
I wonder: should we send Osama Bin Laden precise instructions for making Anthrax, Small-Pox, or Nuclear Weapons?
-- ;-)
Kuro5hin.org: where the good times never end.
> Since full disclosure has become the norm, the computer industry has transformed itself from a group of companies that ignores security and belittles vulnerabilities into one that fixes vulnerabilities as quickly as possible. A few companies are even going further, and taking security seriously enough to attempt to build quality software from the beginning: to fix vulnerabilities before the product is released.
And Microsoft doesn't like fixing problems, let alone building quality in from the start. Those activities don't add anything to their bottom line; it's a waste of resources.
Microsoft doesn't like the new norm, therefore it doesn't like full disclosure. (Where's the surprise?)
To say nothing of the bad PR that hits the world's presses twice a week when the latest MS-specific exploit shows up at the disclosure site.
Sheesh, evil *and* a jerk. -- Jade
The latter technique, of course, worked admirably on flight 93, reducing losses by at least tens of millions of dollars, and possibly by billions. (If they'd been a little luckier they could have reduced the flight 93 loss to nearly nothing.) Flight 93 didn't rely on a single gov't action : private individuals and companies closed the information loop and then attempted to counteract the threat, while the gov't response had barely started. There are lessons here on how to build a civil defense infrastructure to better handle the future attacks.
Information security attacks are just as expensive as the direct costs of the 9-11 attacks, costing billions of dollars a year in direct financial losses (and billions more from disclosure of sensitive information). The only difference is that infosec attacks are diffuse and don't draw much attention, while an equivalent military attack is spectacular and extremely photogenic. (Attacking the first WTC tower was a military action. The second was a publicity stunt designed to increase indirect losses.)
And don't anybody tell me that it's a poor comparison, that computer viruses don't cost lives and how can I be so insensitive. Suppose infosec attacks cost each American an average of one hour of their time each year. (Which is probably within an order of magnitude of being correct.) That's a total loss of 250 million man-hours. Assuming that the total work a person can do is 150000 hours/lifetime, that's 1700 human lifetimes squandered by infosec attacks each year. And that's not considering attacks against military and medical databases, and against industrial equipment, which can and do directly kill people.
People who think there cannot be an "Electronic Pearl Harbor" are in for quite a surprise, just as people who thought foreign affairs don't affect the modern American lifestyle were surprised on 9-11. Most current guerrillas lack the competence to carry out severe infosec attacks, but ignorance and religion are not necessary prerequisites for anger and extremism.
-- ;-)
Kuro5hin.org: where the good times never end.
... your job is to look after the Nuclear stockpile, if you are a border guard, or if you have to check passports as part of your job.
As much as you OY YAY FREE SPEECH YAY proponents would like to babble on, it doesn't matter about these other things. It isn't your damn business.
I run a computer, yes, I need computer security information. But no, I am not a border guard.
The real threat is someone who goes looking for security holes, finds them, and quietly uses them to steal information or money. It's the people who are stealing credit card numbers, bank account info, and military information that are threats. Serious attackers will often work to obtain inside information, and may be willing to combine physical attacks with computer attacks.
Vulnerabilities left open but not publicized open doors for the real attackers. Non-disclosure shuts down only the more inept script kiddies.
Well that is Bruce for you, he is kinda random. A while back he published a 'Schniergram' listing a whole rack of problems he had identified in IPSEC. Then after the group explained to him why he had entirely failed to understand the problem he didn't withdraw the paper, but it did disappear from the index on the counterpane site and kinda faded from view. Every so often someone reads back issues of cryptogram and rushes to the list to debate the issues raised by the 'expert'.
So when it comes to false alarms Bruce is not exactly whiter than the driven snow.
The balance between full disclosure and partial disclosure is very hard to draw. The problem is in large measure often on the side of the vendors. But security 'experts' are not always exactly blameless. Quite often the exploit scripts are written by people who have no connection with the discovery of the bug and after it has been acknowledged and is being worked on.
The basic problem is that the easiest method of getting press attention is to claim credit for the discovery of some security bug or other. 'Full disclosure' is often no more than a convenient excuse for being a media-whore. Those of us who are responsible for actually designing security systems do not in general spend much (or indeed any) of our time returning journalist's phone calls with nifty quotes.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
(also on The Register).
"The Natural Laws of Digital Content" on November 15 at 7:00 at the University of Minnesota Minneapolis campus.
The subject of the talk is related to the topic of this story - how legislation such as DMCA interact with computer security issues. So if you're interested in this topic and live near Minneapolis click the link above to find out details about this talk.
Also, we hope to tape Bruce's talk and put up video and audio of the talk on our web site at a later date.
Preventive War is like committing suicide for fear of death. - Otto Von Bismarck
Imagine a world in which software companies are criminally and/or civilly liable for ill effects resulting from successful attacks on their products.
I think that in such a world, software quality would improve dramatically, and software manufacturers would be at least as motivated to fix bugs as they are in a world with full disclosure.
From Culp's piece at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp:
"Providing a recipe for exploiting a vulnerability doesn't aid administrators in protecting their networks. In the vast majority of cases, the only way to protect against a security vulnerability is to apply a fix that changes the system behavior and eliminates the vulnerability; in other cases, systems can be protected through administrative procedures. But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin."
This is Microsoft's opinion in a nutshell: Don't worry about the details, we'll take care of you. That doesn't surprise me for end-users, but for administrators? When I see a bug announcement with a detailed example, such as the ftp_conntrack bug in iptables, it is tremendously advantageous to actually understand the bug and how to deal with it. In that case, several workarounds suggested themselves, because the bug only affected RELATED connections.
Now take the MS paradigm: I wait until they release a patch, or detailed instructions which I should follow by rote. Of course, I am affected by the vulnerability longer; furthermore, I get no transferable knowledge from the experience. Next time there's a similar bug, I just have to wait, again, instead of being able to invent a workaround.
Sure, it's _possible_ to implement a workaround when I don't understand the vulnerability, but I sure feel a lot better when I understand the problem AND the solution. I simply don't understand how this MS scheme (where everyone is an unenlightened end-user, waiting for cryptically-named patches which they don't understand) could appeal to any business OR home user. By assuming that even its administrators are unqualified to do manual reconfiguration by themselves, or even really understand what they're doing with the OS, MS has effectively crippled their fleet of administrators. And this, ultimately, is why the NT (2k/xp, whatever) platform is the huge, gaping security hole it is.
I simply can't believe the arrogance and stupidity of the statement above.
"...an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin."
I think that speaks for itself.