Vulnerability Disclosure Conference at Stanford
Jennifer Granick writes "Stanford Law School Center for Internet and Society, headed by Lawrence Lessig and Jennifer Granick, is hosting a day-long conference on vulnerability disclosure on November 22, 2003. The point is to get all sorts of people interested in vulnerability disclosure in the same room to discuss the issues and to come up with a clear definition of the problems and the costs and benefits of various solutions. This conference is really a workshop, and security researchers, vendor security teams, and system administrators should all consider attending and participating. For more information:
http://cyberlaw.stanford.edu/security/"
The point is to get all sorts of people interested in vulnerability disclosure in the same room... ... shut the door, call the FBI and arrest everyone present under some UCITA/Patriot/DMCA provision that allows the Feds to detain people for the intention of disclosing a vulnerability, not actually disclosing it.
Doctors take an oath swearing to not use their medical knowledge to do harm. This is a philosophy the security community should follow.
There is no need to publish the full details of a security flaw, including working exploit code, until after the vendor has fixed it and some time has gone by to give people time to apply the fix.
Some people believe they should immediately publish full details and exploit code without bothering with the vendor or without giving them time to fix the problem. That is irresponsible no matter how you look at it. Some people believe they should publish full details and exploit code the instant the vendor publishes the patch. This is also irresponsible as no one has had time to fix the problem.
My web site was hacked one night because some moron posted to a mailing list with exploit code for a flaw in the message board software I used at the time. The vendor of that software was not notified. The mailing list post was made in the middle of the night, so even if a patch were available at that instant, it would have done no good to anyone in North or South America. All the crackers on that list were provided with full instructions on how to exploit the problem conveniently mailed to their inbox. Someone tell me how that served any useful security purpose.
Remember the Blaster worm? It was based on exploit code posted to a mailing list. One group of hackers released the original exploit, but it wasn't destructive enough to fit one person's taste, so he "fixed it" to make it worse, then released it to the world. Blaster and Nachi came out shortly afterward. http://news.com.com/2100-1002_3-5055759.html
My own belief is that people should restrain themselves from providing detailed instructions about how to exploit a flaw until the vendor has fixed it and people have had enough time to apply the fix. Your privilege to tinker with the exploit yourself or to collect geek points for discovering the flaw is outweighed by the need to give people time to install the patch. After 30 days or so, it's their own fault if they're not patched.
If the vendor is doing nothing about the problem, disclosure should be a threat to get them moving. However, that is an empty threat if disclosure is going to be made anyway the instant they make a patch.