Date: Wed, 14 Nov 2001 11:31:23 -0200
From: pedro <[EMAIL PROTECTED]>
To: Declan McCullagh <[EMAIL PROTECTED]>,
         "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: reply to posting

Dear Declan,

I'm a fan of your list. I think it is becoming more important by the
day.
I've submitted several replies which never got to the list. One of them
was about full disclosure.

With the recent events regarding the subject, when several large
companies agreed on a negotiating platform to block full disclosure, I
think one of these replies has gain new relevance. I've reedited it, and
am submitting it again, in the hope that it can be posted.

Sincerely,


> From: [EMAIL PROTECTED] (Richard M. Smith)
> Subject: Can we afford full disclosure of security holes?
> Date: Fri, 10 Aug 2001 14:39:06 -0400
>
> Hello,
>
> The research company Computer Economics is calling Code Red
> the most expensive computer virus in the history of the Internet.
> They put the estimated clean-up bill so far at $2 billion.
> I happen to think the $2 billion figure is total hype,
> but clearly a lot of time and money has been spent cleaning up after
> Code Red.
>
> For the sake of argument, let's say that Computer Economics
> is off by a factor of one hundred. That still puts the
> clean-up costs at $20 million.
>
> This $20 million figure begs the question: was it really
> necessary for eEye Digital Security to release full details
> of the IIS buffer overflow that made the Code Red I and II worms
> possible?  I think the answer is clearly no.
>
> Wouldn't it have been much better for eEye to give the details
> of the buffer overflow only to Microsoft?  They could have still
> issued a security advisory saying that they found a problem in IIS
> and where to get the Microsoft patch.  I realize that a partial
> disclosure policy isn't as sexy as a full disclosure policy, but
> I believe that a less revealing eEye advisory would have saved a
> lot of companies a lot of money and grief.
>
> Unlike the eEye advisory, the Microsoft advisory on the IIS
> security hole shows the right balance.  It gives IIS customers
> enough information about the buffer overflow without giving a recipe
> to virus writers of how to exploit it.

Those working on computer security in the internet are painfully aware
of the futility of the suggestion offered by Mr. Smith. Companies like
MS and others in the proprietary software business, especially those with
monopolistic power, don't bother to pay attention to vulnerability
reports submitted directly and privately to them. The pattern is very
well known, and inescapable. Like a hockey game, this business of
reporting vulnerabilities in proprietary software unravels in three
parts.

     In the first stage of a proprietary software product's evolution
game, the producer begins by ignoring private vulnerability reports. Why
bother with the hassle, if action to patch up the product only incurs
extra costs and the possibility of negative publicity, with no increase
in revenue? Besides, the budget for its testing cycle has already blown
out. So long as nobody else knows about the problem, it is not a
problem. As George W. Bush said very well, when he dumped the Kyoto
protocol, the effort to clean up "doesn't make economic sense".

     Then, while the issue resists dying away, and before its
consequences hit big media in a big way, generating bad publicity for
the product, the producer enters into the second stage of the game. The
posture moves away from ignoring the reports, into questioning their
nature: "It's not a bug, it's a feature!"

     A classic example of this second stage happened around the Melissa
virus. MS's project decision to ignore 8-year-old RFCs on MIME and
implement, on new versions of its emailer, a default configuration
triggering automatic interpretation of scripts in MIME attachments, was
not the issue. And worse, of a script language which also controls
communication processes within its native operating system! That was
not considered, yet, the source of the problem. They got away with the
strategy of sweeping dirt under the rug, steering the debate to the bug
versus feature smokescreen controversy, because before Joel Klein
everyone in the media was very much afraid of pointing fingers towards
sacred cows ruminating in Redmond.

     Melissa was not enough of a warning about the company's arrogance
and self-righteousness. We had to wait until the ILoveYou debacle for
the company to wake up and humble itself a little, admitting to the very
remote possibility of having made unwise decisions in their software
projects, exposing most customers to unjustified risks. I remember
seeing somewhere a report estimating that only 4% of MS customers could
benefit from that automatic script interpretation "feature", and another
one about a widely disclosed vulnerability that took MS 13 months to
patch.

     The third stage is when the game is decided. This is the stage
where full disclosure writes the bottom line. Full disclosure is the
only effective path towards the evolution of any software, proprietary
or free, in the direction of better quality. Only the prospect of
negative media exposure about careless conduct in development and
testing can drive software into and through a healthy natural selection
process. It is the only tool able to keep software developers on the
honesty path.

     This is why free software is, on the average, of better quality than
its proprietary counterparts. Where full disclosure is the norm, Darwinian
forces act on the software evolutionary process unhindered. Full
disclosure is the only force that can drive proprietary software agents
to steer their products into the evolutionary course toward higher
quality altitude. That is the correct pact from the user's standpoint,
running a collision course with the managing path steered by expectations
of stockholders of proprietary model software companies. It's economic
versus ecological sense.

     Therefore, if society chooses to tag a bumpy price on such
steering, with the choice it makes on what software business model it
prefers, while driving software through its evolutionary process, the
responsibility for full disclosure's consequences has to be ascribed to
consumers' choice, and not to second-guessed political or ideological
standings of agents in the computer security field. Software, like
biological species, has to evolve, one way or another. Yelling at the
umpire to whistle the game to an end, when the game gets tough
before the clock runs out, is not really sexy, we all have to admit.

     Internet Information Server is a fundamentally flawed project, for
its architectural features are incompatible with the security demands of
its global operating environment. It is ultimately, hopelessly
unpatchable, for in it the line between public and private has been
blurred by a decision to make its platform's process control language an
"active content" scripting language. That decision seems based on greed,
towards turning DOS programmers into webmasters, and not on prudent
engineering. A language cannot be all things to all people without
putting them in a tower of Babel. And to propose the banning of full
disclosure at this point becomes an attempt to sweep bad decisions under
the rug. Full disclosure is with us, whether or not bumpy to the point
of blowing tires at high speed, because this is the only road for
software to evolve in the ecosystem it is set up to evolve in: the system
where economic logic, consumer choice patterns and social expectations
about software reliability weave its course. If we don't like its bumps,
we have to give up one of these three guiding threads. It is up to
consumers to decide.

     To blame the computer security community for the way full disclosure
enters into software's evolutionary scene, and the way it announces
social costs, is an instance of human nature's tendency to try to shoot
the messenger whenever bad news arrives. Shooting the messenger won't
balance what ultimately will have to be balanced by software's
evolutionary process, only what Mr. Smith wants to see balanced.
However, this comes at the cost of breeding one more monopoly, this time
in the computer security field, with all the bad consequences that make
its necessity arguable, with sophisms from those who can only reason
with greed logic.


-- 
-----------------------------------------------------
Prof. Pedro Antonio Dourado de Rezende
Ciencia da Computacao (61) 3072702-212
Universidade de Brasilia - Brasilia DF
http://www.cic.unb.br/docentes/pedro/segdadtop.htm
MetaCertificate Group member http://www.mcg.org.br
----------------------------------------------------




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------