Debian attacker may have used new exploit

On Wed, Dec 03, 2003 at 11:02:47AM -0500, JoeHill wrote:
On Wed, 3 Dec 2003 09:59:43 -0500 (EST) Robert Brockway <robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org> wrote:
Software vulnerabilities are normally fixed by patches but I'll agree that security overall is more a function of awareness. I think this sentence mixes up two different concepts (specific security issues vs security procedures and knowledge).
Not at all. You are again assuming that "script-kiddies" gain somehow from the widespread "awareness" of vulnerabilities, an assumption to which I do not subscribe, mainly for lack of evidence.
Straw man. It doesn't matter whether script-kiddies learn about a hole, but whether they are fed with new exploit scripts. The exploit writers are the ones to worry about. If you can prove that exploit writers always know of vulnerabilities before any public disclosure; or else they always ignore any vulnerability that they learn of from a public disclosure, then you can argue that disclosure has not hurt. I think that you could not possibly prove those assertions, which means that you have to acknowledge that disclosure might possibly cause damage.
From Security Focus:
"A successful attacker requires three things: the opportunity to launch an attack, the capacity to successfully execute the attack, and the motivation to attack. An opportunity to launch an attack requires a vulnerable system and an access path to the system. The capability to successfully execute the attack requires knowledge of the vulnerability and the tools to exploit it.
Proponents of the information dictatorship argument are targeting the second requirement of a successful attacker: his capability to launch an attack. This approach to the problem of computer security is flawed, and can only fail.
You seem to think that there are only two choices: immediate public disclosure or long term secrecy. You give arguments that the first might not cause problems and that the second is bad. The middle ground; public disclosure after either a fix is available or significant time has elapsed; is not disproved by the "long term secrecy is bad" argument because it is not requiring or depending upon long term secrecy. It is not disproved by the "immediate disclosure might not be bad" argument because immediate disclosure is not even going to be better and might be worse.
First, we cannot stop some small number of malicious users from gaining knowledge of vulnerabilities, or access to the tools that exploit them. Vulnerability information and exploits have legitimate uses within the computer security field. They are part of research, are required in penetration testing, and used by system administrators to test their systems, mitigate the risks by gaining an in-depth understanding of the problem, and to verify that vendor fixes work as advertised."
Nope, we cannot stop them. But delayed disclosure will, in at least some cases, reduce the number of malicious users with such knowledge before a fix is available.