Slashdot Mirror


Schneier On Full Disclosure

Bruce let me know that he's written a piece on ZDNet (the original home of the Window of Exposure idea is on Counterpane) about the problems of not following full disclosure. Very well written, and it does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.

9 of 232 comments

  1. Microsoft's answer to Full Disclosure by Phydoux · · Score: 5, Funny

    Everybody seems to like "Full Disclosure," so here at Microsoft, we've decided to begin releasing all security vulnerabilities under a "Shared Disclosure" policy. Once the various NDAs are signed, you too can view and work with any security vulnerabilities that we know about.

    Just another example of how Microsoft listens to and responds to customer requests. Have a nice day!

    --
    If a tree fell on a florist, and nobody was around to hear it, would he make a noise?
  2. Grace Period by Exmet+Paff+Daxx · · Score: 5, Interesting

    From the powerpoint slide:

    Grace Period
    Purpose: Give users a reasonable interval during which to protect their systems against newly reported vulnerabilities
    - Begins with public notice of vulnerability, and lasts for 30 days
    - Is immediately curtailed if vulnerability becomes actively exploited


    Do I read this correctly? Does this mean that when an exploit is shown to exist in the wild, then they immediately switch to "full disclosure" mode? This means that there is now an incentive to put an exploit in the wild: it means you can publish your work. Even if you leak the exploit surreptitiously.

    I know I must be preaching to the choir here, but, this seems exceedingly stupid. Am I missing something?

    --
    If guns kill people, then CmdrTaco's keyboard misspells words.
  3. Re:I am for full disclosure but... by sphealey · · Score: 5, Interesting
    would you extend these arguments to support it in non-virtual security? Should the CIA and other international organizations use full exposure? Should they publish something titled, "This is the vulnerability of our Nuclear Piles"?
    Unfortunately, it isn't that simple. Read the history of the Manhattan Project. The FBI actually succeeded in its goal of not allowing a single leak of information out of the project [1]. It was the lack of published information on atomic research in the US in 1940 and 1941 that told Kurchatov that something was "up" and motivated him to write a letter to Stalin suggesting that the Soviet Union get moving on atomic bomb research.

    So just hiding information doesn't necessarily make you more secure.

    sPh

    [1] OK, the Soviet Union had spies inside the project before it started, but that doesn't count!

  4. Re:Sometimes you should shout "Fire" by squidfood · · Score: 5, Funny

    When you see a fire in a crowded theatre, you:

    (A) Shout "FIRE!" and get crushed in the panic.
    (B) Walk out quietly...who cares about anyone else?
    (C) Tell your closest neighbor and hope that they're a fireman.
    (D) Pour on gasoline so everyone will get out faster.

  5. Re:I am for full disclosure but... by jmauro · · Score: 5, Informative

    This is the vulnerability of our Nuclear Piles

    This is where you can cross the border undetected

    This is how to make a Fake ID?

    Well, maybe I didn't say every single tiny little syllable, but basically I said 'em, basically.

  6. What Culp actually said... by JMZero · · Score: 4, Insightful

    Culp makes a lot more sense than he's given credit for, and a lot of his points have been taken out of context. The procedure he outlines seems very reasonable to me:

    "Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is... and what users can do to protect their systems....

    "Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly...

    --
    Let's not stir that bag of worms...
  7. That innocent little list o' worms by carambola5 · · Score: 5, Insightful
    Anyone else notice the peculiarity of the list at the beginning of Culp @ Microsoft? Let's see....
    • Code Red: Microsoft worm.
    • Lion: Linux worm
    • Sadmind: Solaris worm that affected Microsoft OS's (*ack* if you can call them OS's!)
    • Ramen: Linux worm
    • Nimda: Microsoft worm
    Now that means that a "representative" list of worms would contain 50% Microsoft worms, 40% Linux worms, and 10% Solaris worms. It's good to see Microsoft presenting a legitimate picture of what's going on. C'mon!! Windows practically breeds worms! Linux has had how many? 4, 5? Morris, Ramen, Lion, Adore. That's all I can come up with. Now, do I start listing the Microsoft worms (not to mention virii)?...
    -------------
    All your sig are belong to us.
    --
    IWARS.
    People, in general, disappoint me. Politicians even more so.
  8. Beware of the "Fire" argument by kingdon · · Score: 4, Insightful

    The argument that you can't just shout "fire" in a crowded theater entered the law in Schenck v. United States, 249 U.S. 47, 52 (1919). This was a Supreme Court case concerning whether the government may suppress pamphlets encouraging people to resist the draft. Although I think that case may have been correctly decided (with the distinction being expressing opposition to the draft versus encouraging people to violate the draft law), I wonder if the Court realized they were treading on, or near, thin ice when they used the "Fire" analogy.

    So it is with people who use the analogy today. Whenever someone starts comparing some kind of speech to shouting "Fire" in a crowded theater, don't get carried away by the emotional appeal but keep an eye on your rights, lest someone try to make off with them.

  9. Re:Regardless by rodgerd · · Score: 5, Informative

    You sound suspiciously like someone who doesn't have sufficient experience in the NT world.

    Windows patches and hotfixes are a whole world of pain. SP2 for NT4 erased filesystems. SP6 crippled people running Notes. Hotfixes regularly blow each other away. They're a *mess*, and a good Windows admin will be *very* cautious about applying either hotfixes or service packs for NT/W2K/XP because the QA on them seems to be so low, so often.