Forwarded from: Aj Effin Reznor <ajat_private>

"InfoSec News was known to say....."

> Forwarded from: "Jay D. Dyson" <jdysonat_private>
>
> This is a note I posted to Bugtraq (which was rejected for unexplained
> reasons since it predated other messages prior to thread closure).
> Anyway, here are my thoughts on Mr. Smith's message. Take it for what
> it's worth...

Greetings, Mr. Dyson. Very clear words, similar in respect to what I have
also sent through this list. A point to one of your points:

> > Wouldn't it have been much better for eEye to give the details of the
> > buffer overflow only to Microsoft? They could have still issued a
> > security advisory saying that they found a problem in IIS and where to
> > get the Microsoft patch. I realize that a partial disclosure policy
> > isn't as sexy as a full disclosure policy, but I believe that a less
> > revealing eEye advisory would have saved a lot of companies a lot of
> > money and grief.

One thing Mr. Smith and his ilk are missing is that knowledge is power.
While power for the black hats, it is also the same for the white hats.
Given that a patch was out a month before the worm, it'd be trivial for an
admin to install the patch, vs. the time and effort of someone(s) to code
a worm.

In some nations, guns don't exist, and the police carry billy clubs. In
nations where guns do exist, firearms protect both the populace as well as
the law enforcement. Knowledge is the same way. "Arming" the populace with
knowledge only levels the playing field as they square off against the
more unruly members of their community (in our case, the net).

> This is based on the presumption that *only* eEye Digital
> Security knew about the vulnerability. While that may or may not
> be accurate, such is not always the case. In every sector of
> human endeavor, there always exist secrets. In security circles,
> these are known as "Zero Day" exploits.
>
> Consider the situation we'd have been in if eEye hadn't made the
> full details known to one and all. Microsoft would have certainly
> seen no rush to put out a fix for a vulnerability that -- for all
> intents and purposes -- wasn't publicly known. Thus, the patch
> could have been on the backburner for weeks or months to come. All
> the while, admins would be operating under the false presumption
> that their services are secure when in fact they aren't. During
> such time, anyone else who might have discovered the vulnerability
> and wanted to use it to their advantage would have had a canonical
> field day.

I recall a few years ago when Dildog released a buffer overflow for
Windows. MS released a patch (interestingly, released through
MARKETING.microsoft.com and not SECURITY). During the development of this
patch, MS actually found a second overflow, but would not release the
patch until someone outside MS developed the overflow! Why they did not
release the patch is beyond me. Or even build it in with the first one.
Was it to maybe show their "fast" response time in the event the second
overflow was found? What would have happened if it were found, and never
made openly public, but rather was just exploited, bringing down machine
after machine with no known trace or entry point? How long would it have
taken MS to release a patch should this have occurred?

Full disclosure can only serve to *force* accountability upon the
freaking retarded corporations that spew out crappy code (and OSs for
that matter). I mean, really, how many exploits in CART32.exe did we have
to see?

> Code Red may have done $20 million in real damages, but the
> wisdom it hopefully imparted to its victims is priceless: when you
> receive notice that a service is vulnerable, take *immediate*
> steps to mitigate the threat. Period.

That, or in general, be *proactive* about security. The salary of one
security engineer is worthwhile business insurance when ya get right down
to it....

> It's said that a little knowledge is a dangerous thing. In
> terms of security, only full knowledge can truly mitigate that
> danger.

That, ladies and gentlemen, is the sound of the hammer hitting the nail
squarely on the head.

-aj.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 08:34:27 PDT