Vulnerability Disclosure Conference at Stanford
Jennifer Granick writes "Stanford Law School Center for Internet and Society, headed by Lawrence Lessig and Jennifer Granick, is hosting a day-long conference on vulnerability disclosure on November 22, 2003. The point is to get all sorts of people interested in vulnerability disclosure in the same room to discuss the issues and to come up with a clear definition of the problems and the costs and benefits of various solutions. This conference is really a workshop, and security researchers, vendor security teams, and system administrators should all consider attending and participating. For more information:
http://cyberlaw.stanford.edu/security/"
The point is to get all sorts of people interested in vulnerability disclosure in the same room... ... shut the door, call FBI and arrest everyone present under some UCITA/Patriot/DMCA provision that allows the Feds to detain people for the intention of disclosing a vulnerability, not actually disclosing it.
In the interest of full disclosure, I guess I will have to mention that I am invulnerable unless you put some of those green ro.... Great Caesar's Ghost, I think I've said too much already!
this issue (full disclosure vs. cooperative disclosure vs. total secrecy) is one of those gun-control-type topics in software security. there's always gonna be people in each camp with opinions that just will not change no matter the argument or rationale presented.
getting them together in this type of setting may convert a few people from one camp to another, make some knowledgeable of the arguments at hand, but I doubt it'll do anything useful in the long term to solve the issue because of those who will stick to their guns (no pun intended).
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
I don't think there is one correct answer. If it is for a browser vulnerability, then fine, total disclosure. If, however, you find a vulnerability in the net at your fire brigade call center, then maybe not. It all depends on whether the software is for public consumption. At the end of the day we need quick patches, but not so quick that they are poorly designed.
Here's a plausible scenario: Mr. RemainNameless stumbles across a major SQL injection vulnerability while browsing a WidgetCompany's site. He realizes that WidgetCompany now has his originating IP# and ISP information in their web server log files and could track him down to accuse him of an attack on their server. What to do? If he comes forward, they can accuse him of an attack. If he remains silent, the problem isn't fixed, and he might (especially if he is a security professional) be in trouble for not alerting anyone about this vulnerability, and there is a record in the log files that he knew about it.
What's the best way to go about disclosing to a company that their network presence is vulnerable? What are the legal ramifications of doing so?
http://tinyurl.com/4ny52
Doctors take an oath swearing to not use their medical knowledge to do harm. This is a philosophy the security community should follow.
There is no need to publish the full details of a security flaw, including working exploit code, until after the vendor has fixed it and some time has gone by to give people time to apply the fix.
Some people believe they should immediately publish full details and exploit code without bothering with the vendor or without giving them time to fix the problem. That is irresponsible no matter how you look at it. Some people believe they should publish full details and exploit code the instant the vendor publishes the patch. This is also irresponsible as no one has had time to fix the problem.
My web site was hacked one night because some moron posted to a mailing list with exploit code for a flaw in the message board software I used at the time. The vendor of that software was not notified. The mailing list post was made in the middle of the night, so even if a patch were available at that instant, it would have done no good to anyone in North or South America. All the crackers on that list were provided with full instructions on how to exploit the problem conveniently mailed to their inbox. Someone tell me how that served any useful security purpose.
Remember the Blaster worm? It was based on exploit code posted to a mailing list. One group of hackers released the original exploit, but it wasn't destructive enough to fit one person's taste, so he "fixed it" to make it worse, then released it to the world. Blaster and Nachi came out shortly afterward. http://news.com.com/2100-1002_3-5055759.html
My own belief is that people should restrain themselves from providing detailed instructions about how to exploit a flaw until the vendor has fixed it and people have had enough time to apply the fix. Your privilege to tinker with the exploit yourself or to collect geek points for discovering the flaw is outweighed by the need to give people time to install the patch. After 30 days or so, it's their own fault if they're not patched.
If the vendor is doing nothing about the problem, disclosure should be a threat to get them moving. However, that is an empty threat if disclosure is going to be made anyway the instant they make a patch.