Bugtraq mailing list archives

Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994


From: manson () pattyr acs ohio-state edu (Bob Manson)
Date: Sat, 03 Dec 1994 13:02:43 -0500


I believe this discussion isn't appropriate for this list, for a very
simple reason: Bugtraq is about full disclosure. If you're on the
list, and you have a problem with full disclosure, I'd suggest having
yourself removed from it, or at the very least ending this futile
discussion.

It's not a question about "having my beliefs challenged"; I rather believe
it's a pointless, endless argument that can't be resolved. There are numerous
issues involved here:
        * "freedom of information"--does anyone have the right to
          withhold information from anyone else because it's too "dangerous"?
        * Whether or not full disclosure is really more effective than partial
          disclosure or "waiting for the magic fix from the Gods"
        * Who decides who is trustworthy enough to receive this information
        * Does "security through obscurity" really work
and a bunch of others, I'm sure...

Both sides will have "proven answers" for these questions, but I
daresay most of these are merely opinion, unless someone has real
concrete examples.

Here are the basic arguments that I've seen on the list:

1) Full disclosure is wrong because the "bad people" get ahold of the
   information and use it to their advantage before the "good people"
   have a chance to fix the problems. Only telling the "good people"
   avoids this issue. Plus, since we don't live in a world where it's
   easy to tell all the "good people" about the problems, the "bad
   people" can take advantage of this. And, announcing it right away
   pressures vendors into releasing software fixes before they've been
   verified. (Witness the latest round of fixes from Sun for the
   /bin/mail problems).

2) Partial disclosure is wrong because the "good people" have little
   motivation to fix the problems--it's "obscure" now, and only the
   "good people" know about it, so they can fix it at their leisure
   (meaning never). Also, some "good people" can't rely on their
   vendor to fix the problem because the vendor's out of business or
   no longer supporting their system, or they're not using vendor-
   supplied software. And, many people are perfectly willing, able,
   and capable of fixing software problems without waiting for their
   vendor to do Q&A or whatever they do to pretend that their
   software's fixed. This can be very important when your system's
   already been broken into via a previously-unknown hole or one that's
   still waiting for a fix from the vendor.

I keep thinking of the "internet worm" somehow--wasn't the DEBUG hole
known for quite a while before the worm was run?

I used to be in a position where I would often write replacements for
system utilities. Partial disclosure was usually useless to me, unless
it contained enough information to figure out what the real security
hole was in the first place. So I definitely was (and still am) on the
side of full disclosure, merely for that reason (and others too, but
this is probably the most important one).

A great example was the discussion on /bin/mail: it was very useful to
me to see the problems that Sun and other vendors were having and
enabled me to make sure that these problems didn't exist in my own
software. The statement "/bin/mail has a security hole, get a patch"
would've been quite useless. Many times the types of bugs that I've
seen are natural ones that any programmer could've made that's writing
programs for Unix, and knowing what they are and how to avoid them is
a great help.

I have a basic problem with partial disclosure: who decides who is
"eleeet" enough to receive the full disclosure? If you're not in the
"in crowd", you lose. And that's fine with me, ultimately--if 8lgm
decides they don't want to do full disclosure, that's up to them. But
that doesn't mean the rest of us can't and won't disclose everything
that we know in a free environment.

I'm not sure I like the idea of "partial eventually going to full
disclosure" either. That doesn't solve a lot of the problems with
partial disclosure, particularly the problem of: what do folks do that
don't have vendor support, and aren't in the "eeleeeet crowd" that
receives the full disclosure before the "general public"?

I doubt that anyone's going to have their minds changed by this note,
nor is this endless discussion going to end, but I thought I'd throw
in my $.02 anyway.
                                        Bob
