Debian attacker may have used new exploit

On Wed, Dec 03, 2003 at 08:59:17AM -0500, JoeHill wrote:
> On Wed, 3 Dec 2003 09:16:11 -0500 John Macdonald <jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at public.gmane.org> wrote:
> > Immediate public disclosure does not provide more eyes for a bug in MS code, just more eyes in the cracker community.
>
> That is a myth, propagated by MS and other proprietary vendors, to avoid embarrassment and having to do actual work to improve security.

Immediate public disclosure of an MS bug provides zero additional eyes for fixing it. Guaranteed. Possibly, it might provide zero additional cracker eyes, but perhaps it might not. The best possibility there is for immediate disclosure to break even, more likely it loses. Let's toss coins for a while - heads you pay me $50, tails we call it a draw. Hey, you might not lose.

> Witness the recent case of Diebold and their voting machines. If it were not for the work of students and activists at Swarthmore College, no one would ever have known of the security flaws. Diebold certainly showed no interest in fixing the problem, even though internal memos showed they were aware of those flaws. It was only after said students published the internal memos online that enough pressure is being brought to bear on Diebold to fix the vulnerabilities. Now what software were those machines running again...? Oh, that's right, MS.

That's not affected by this argument. Delayed public disclosure, to give them a chance to fix the problem, followed by automatic public disclosure a suitable time afterward will show up the cases that are showing no interest. In fact, it makes it far more obvious - they had a chance to fix the problem and just ignored it hoping no-one would ever notice. Immediate public disclosure denies them any opportunity to show the proper level of concern.

> > Telling MS of a bug, and then telling the world later of the bug (and that MS was told a month earlier so that people can judge whether their response was adequate) provide more than ample pressure, and may reduce the number of exploits carried out against victims who have never had any warning or chance to apply a fix because there wasn't one. If MS responds promptly (which they are doing better at these days - they've learned that they have to), then when the public announcement goes out any attacks prompted by the announcement can only be applied against people who have not yet applied the fix.
>
> Again, facts and reality fly in the face of this argument. Hackers are usually, if not always, aware of these vulnerabilities before the security "establishment", and certainly before software designers can come up with a patch. Full public disclosure is one way to give the vast majority of users a head start, before a patch can even be issued, so that they can at least be aware of the risk. In fact, following this logic, it could be proposed that disclosure be even *more* widespread, as soon and as widely as possible. Security issues are not solved by a patch, they are mitigated by awareness.

Some crackers might already know of the problem, but that is not affected by either choice (delay or immediate publication). The issue is whether disclosure will cause any more crackers to learn of it (it's not likely to make any of the ones that already know of it forget, so we're back to at best breaking even, and anything other than the best possibility is losing).

> Finally, there is no way to develop an enforceable "policy" in this regard, so it is not realistic to expect that, even if you assume this "myth" is true, people will not go on publicly releasing info on exploits. It's more realistic to find a way to deal with the *expectation* that the exploits are already widely known, and to work from there.

You're choosing between throwing out the baby with the bathwater or never bathing the baby. Automatic public disclosure is a good thing. Immediate public disclosure before a fix is available is sometimes no worse than delayed but could easily be worse. It is never better.

> If you read the full account of the Debian incident, you will see that that is exactly what happened, and exactly the attitude that was taken. Nothing radical here! In fact, if you do a quick google on this topic, you will find that nothing I'm saying is particularly original, this is the opinion of much bigger fish than you or I.

I read it. It appeared after they had a fix for the kernel and even so, it does not provide specific details of the mechanism used, nor the binary of the program used. That is in no way "public disclosure in advance of informing the affected parties". It fits my model of appropriate behaviour perfectly well and provides no reason to choose your model instead.

-- 
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml