Information Security News mailing list archives

Re: Re: Can we afford full disclosure of security holes?


From: InfoSec News <isn () c4i org>
Date: Tue, 14 Aug 2001 04:59:41 -0500 (CDT)

Forwarded from: Aj Effin Reznor <aj () reznor com>

"InfoSec News was known to say....."
 
Forwarded from: "Jay D. Dyson" <jdyson () treachery net>

This is a note I posted to Bugtraq (which was rejected for unexplained
reasons since it predated other messages prior to thread closure).
Anyway, here's my thoughts on Mr. Smith's message.  Take it for what
it's worth...

Greetings, Mr. Dyson.  Very clear words, similar in respect to what I
have also sent through this list.

A point to one of your points:

Wouldn't it have been much better for eEye to give the details of the
buffer overflow only to Microsoft?  They could have still issued a
security advisory saying that they found a problem in IIS and where to
get the Microsoft patch.  I realize that a partial disclosure policy
isn't as sexy as a full disclosure policy, but I believe that a less
revealing eEye advisory would have saved a lot of companies a lot of
money and grief.

One thing Mr. Smith and his ilk are missing is that knowledge is
power.  While power for the black hats, it is also the same for the
white hats.  Given that a patch was out a month before the worm, it'd
be trivial for an admin to install the patch, vs. the time and effort
of someone(s) to code a worm.

In some nations, guns don't exist, and the police carry billyclubs.  
In nations where guns do exist, firearms protect both the populace as
well as the law enforcement.  Knowledge is the same way.  "Arming" the
populace with knowledge only levels the playing field as they square
off against the more unruly members of their community (in our case,
the net).

 
      This is based on the presumption that *only* eEye Digital
Security knew about the vulnerability.  While that may or may not
be accurate, such is not always the case.  In every sector of
human endeavor, there always exist secrets.  In security circles,
these are known as "Zero Day" exploits.  Consider the situation
we'd been in if eEye hadn't made the full details known to one and
all.  Microsoft would have certainly seen no rush to put out a fix
for a vulnerability that -- for all intents and purposes -- wasn't
publicly known.  Thus, the patch could have been on the backburner
for weeks or months to come.  All the while, admins would be
operating under the false presumption that their services are
secure when in fact they aren't.  During such time, anyone else
who might have discovered the vulnerability and wanted to use it
to their advantage would have had a canonical field day.

I recall a few years ago when Dildog released a buffer overflow for
windows. MS released a patch (interestingly, released through
MARKETING.microsoft.com and not SECURITY).

During the development of this patch, MS actually found a second
overflow, but would not release the patch until someone outside MS
developed the overflow!

Why they did not release the patch is beyond me.  Or even build it in
with the first one.  Was it to maybe show their "fast" response time
in the event the second overflow was found?

What would have happened if it were found, and never made openly
public, but rather was just exploited, bringing down machine after
machine with no known trace or entry point?

How long would it have taken MS to release a patch should this have
occurred?

Full disclosure can only serve to *force* accountability upon the
freaking retarded corporations that spew out crappy code (and OSs for
that matter).  I mean, really, how many exploits in CART32.exe did we
have to see?

 
      Code Red may have done $20 million in real damages, but the
wisdom it hopefully imparted to its victims is priceless: when you
receive notice that a service is vulnerable, take *immediate*
steps to mitigate the threat.  Period.

That, or in general, be *proactive* about security.  The salary of one
security engineer is worthwhile business insurance when ya get right
down to it....
 
      It's said that a little knowledge is a dangerous thing.  In
terms of security, only full knowledge can truly mitigate that
danger.

That, ladies and gentlemen, is the sound of the hammer hitting the
nail squarely on the head.

-aj.


