Re: [ISN] Re: Can we afford full disclosure of security holes?

From: InfoSec News (isnat_private)
Date: Tue Aug 14 2001 - 02:59:41 PDT


    Forwarded from: Aj Effin Reznor <ajat_private>
    
    "InfoSec News was known to say....."
     
    > Forwarded from: "Jay D. Dyson" <jdysonat_private>
    > 
    > This is a note I posted to Bugtraq (which was rejected for unexplained
    > reasons since it predated other messages prior to thread closure).
    > Anyway, here's my thoughts on Mr. Smith's message.  Take it for what
    > it's worth...
    
    Greetings, Mr. Dyson.  Very clear words, similar in respect to what I
    have also sent through this list.
    
    A point to one of your points:
    
    > > Wouldn't it have been much better for eEye to give the details of the
    > > buffer overflow only to Microsoft?  They could have still issued a
    > > security advisory saying that they found a problem in IIS and where to
    > > get the Microsoft patch.  I realized that a partial disclosure policy
    > > isn't as sexy as a full disclosure policy, but I believe that less
    > > revealing eEye advisory would have saved a lot of companies a lot of money
    > > and grief. 
    
    One thing Mr. Smith and his ilk are missing is that knowledge is
    power.  While power for the black hats, it is also the same for the
    white hats.  Given that a patch was out a month before the worm, it'd
    be trivial for an admin to install the patch, vs. the time and effort
    of someone(s) to code a worm.
    
    In some nations, guns don't exist, and the police carry billyclubs.
    In nations where guns do exist, firearms protect both the populace as
    well as the law enforcement.  Knowledge is the same way.  "Arming" the
    populace with knowledge only levels the playing field as they square
    off against the more unruly members of their community (in our case,
    the net).
    
     
    > 	This is based on the presumption that *only* eEye Digital
    > Security knew about the vulnerability.  While that may or may not
    > be accurate, such is not always the case.  In every sector of
    > human endeavor, there always exist secrets.  In security circles,
    > these are known as "Zero Day"  exploits.  Consider the situation
    > we'd been in if eEye hadn't made the full details known to one and
    > all.  Microsoft would have certainly seen no rush to put out a fix
    > for a vulnerability that -- for all intents and purposes -- wasn't
    > publicly known.  Thus, the patch could have been on the backburner
    > for weeks or months to come.  All the while, admins would be
    > operating under the false presumption that their services are
    > secure when in fact they aren't.  During such time, anyone else
    > who might have discovered the vulnerability and wanted to use it
    > to their advantage would have had a canonical field day.
    
    I recall a few years ago when Dildog released a buffer overflow for
    windows. MS released a patch (interestingly, released through
    MARKETING.microsoft.com and not SECURITY).
    
    During the development of this patch, MS actually found a second
    overflow, but would not release the patch until someone outside MS
    developed the overflow!
    
    Why they did not release the patch is beyond me.  Or even build it in
    with the first one.  Was it to maybe show their "fast" response time
    in the event the second overflow was found?
    
    What would have happened if it were found, and never made openly
    public, but rather was just exploited, bringing down machine after
    machine with no known trace or entry point?
    
    How long would it have taken MS to release a patch should this have
    occurred?
    
    Full disclosure can only serve to *force* accountability upon the
    freaking retarded corporations that spew out crappy code (and OSs for
    that matter).  I mean, really, how many exploits in CART32.exe did we
    have to see?
    
     
    > 	Code Red may have done $20 million in real damages, but the
    > wisdom it hopefully imparted to its victims is priceless: when you
    > receive notice that a service is vulnerable, take *immediate*
    > steps to mitigate the threat.  Period.
    
    That, or in general, be *proactive* about security.  The salary of one
    security engineer is worthwhile business insurance when ya get right
    down to it....
     
    > 	It's said that a little knowledge is a dangerous thing.  In
    > terms of security, only full knowledge can truly mitigate that
    > danger.
    
    That, ladies and gentlemen, is the sound of the hammer hitting the
    nail squarely on the head.
    
    -aj.
    
    
    
    