Vulnerability Disclosure Debate by gridrun on 8/07/03
The security alliance around Microsoft is trying to push its "reasonable vulnerability disclosure guidelines", which seeks to prevent security researchers from publishing proof-of-concept code alltogether, and wants them to make only limited, next to useless, information about security flaws available to the public.
In my humble, personal opinion, this step seeks to maximize income of several large security firms, as they would release any detailed information only to paying groups of subscribers... An inherently dangerous plan, and the argumentation behind it is severely flawed.
They state that those releasing proof-of-concept code to the public are responsible for the creation of various malware, virii and worms, exploiting the discovered vulnberabilities.
Let me tell you one thing: If you believe that you are the only ones finding vulnerabilities, then you are to be considered a bunch of arrogant, self deceited stupid ignorant bitches. Do you really think you are the only ones "31337" enough to find sec vulns??? Latest example: The people here at spacebitch.com noticed intrusions using the RPC/DCOM vulnerability at least a month before any information about it was published at all. Now that its published, everyone goes BIG NEWS about it, and predicts the advent of the next "internet destroying" worm which will take over all our systems. It doesnt matter to these people, that the most effective worms and trojans are far more low profile then for example "slammer" worm was (an inherently dumb program, raising immediate attention just by the exorbitant amount of bandwidth consumed by it). They dont even mention that there are so many worms and trojans making their ways thru cyberspace, mostly undetected and unnoticed, spreading slowly and in a limited manner only.
Hackers, Crackers and Script Kiddies alike are known to engage in exploit trading and often, they are discovering and exploiting vulnerabilities without going BIG NEWS about it... Do you really believe, people are sending all their 0day to @stake & co in advance, just to let them make money of the news?? Would you not rather believe that crackers finding new vulnerabilities would keep them 0day as long as possible, exploiting them undiscovered, because the majority doesnt even know the hole exists?? To me, it would seem perfectly logical for hackers and crackers alike to ONLY publish their findings after the problem was initially noticed by the public? Would it not make sense to you? To keep 0day for fun and profit as long as possible, and then releasing a modified variant of the 0day as "proof-of-concept" code, as soon as the public is noticed, and credits and publicity are to be gained by releasing the exploit code to the public?
To me, full disclosure makes perfect sense. Tell people about the vulnerability as soon as you notice it exists, you'll see "proof-of-concept" code appearing within days - essentially a proof that there were other people knowing about the vulnerability already.
Also, full disclosure, including exploit code, frees you from the obligation to believe in software vendor advisories and patches - another critical issue, demonstrated again by the RPC/DCOM flaw: Apparently, M$' fix doesnt really fix the problem to its full extent, and in some cases, is believed to leave machines vulnerable to the attack. Again, something which was to be discovered by END USERS loading proof-of-concept exploits and trying them on their own systems. To me, it makes no sense to blindly trust in a software vendor's patch, when it has repeately been shown that software vendor's patches often do not fully provide the anticipated security fixes.
Obviously, time has NOT yet come to say goodbye to full disclosure, and doing so would leave end users at the fate of some sotware producers' industry consortium to take care of OUR security - which they have repeatedly shown to be incapable of.
Spread the knowledge, take resposibility, take care! - gridrun
http://softlabs.spacebitch.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
