
On Wed, 3 Dec 2003 09:16:11 -0500 John Macdonald <jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at public.gmane.org> wrote:
> Immediate public disclosure does not provide more eyes for a bug in MS code, just more eyes in the cracker community.
That is a myth, propagated by MS and other proprietary vendors, to avoid embarrassment and having to do actual work to improve security. Witness the recent case of Diebold and their voting machines. If it were not for the work of students and activists at Swarthmore College, no one would ever have known of the security flaws. Diebold certainly showed no interest in fixing the problem, even though internal memos showed they were aware of those flaws. It was only after said students published the internal memos online that enough pressure is being brought to bear on Diebold to fix the vulnerabilities. Now what software were those machines running again...? Oh, that's right, MS.
> Telling MS of a bug, and then telling the world later of the bug (and that MS was told a month earlier so that people can judge whether their response was adequate) provide more than ample pressure, and may reduce the number of exploits carried out against victims who have never had any warning or chance to apply a fix because there wasn't one. If MS responds promptly (which they are doing better at these days - they've learned that they have to), then when the public announcement goes out any attacks prompted by the announcement can only be applied against people who have not yet applied the fix.
Again, facts and reality fly in the face of this argument. Hackers are usually, if not always, aware of these vulnerabilities before the security "establishment", and certainly before software designers can come up with a patch. Full public disclosure is one way to give the vast majority of users a head start, before a patch can even be issued, so that they can at least be aware of the risk. In fact, following this logic, it could be proposed that disclosure be even *more* widespread, as soon and as widely as possible. Security issues are not solved by a patch, they are mitigated by awareness.

Finally, there is no way to develop an enforceable "policy" in this regard, so it is not realistic to expect that, even if you assume this "myth" is true, people will not go on publicly releasing info on exploits. It's more realistic to find a way to deal with the *expectation* that the exploits are already widely known, and to work from there. If you read the full account of the Debian incident, you will see that that is exactly what happened, and exactly the attitude that was taken. Nothing radical here! In fact, if you do a quick google on this topic, you will find that nothing I'm saying is particularly original, this is the opinion of much bigger fish than you or I.

-- 
JoeHill ++ ICQ # 280779813
Registered Linux user #282046
Homepage: www.orderinchaos.org
+++++++++++++++++++++++++++
"The modern conservative is engaged in one of man's oldest exercises in moral philosophy; that is, the search for a superior moral justification for selfishness." -- John Kenneth Galbraith

--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml