On Fri, 10 Aug 2001, Richard M. Smith wrote:

> For the sake of argument, let's say that Computer Economics
> is off by a factor of one hundred. That still puts the
> clean-up costs at $20 million.
>
> This $20 million figure begs the question: was it really
> necessary for eEye Digital Security to release full details
> of the IIS buffer overflow that made the Code Red I and II worms
> possible? I think the answer is clearly no.

So if someone publishes true information about a company, and that company gets a class-action suit against them, the person who publishes the information should pay for it? Given an industry that doesn't force its users to waive the ability to sue, of course.

> Wouldn't it have been much better for eEye to give the details
> of the buffer overflow only to Microsoft? They could have still
> issued a security advisory saying that they found a problem in IIS
> and where to get the Microsoft patch.

This begs the question of whether Microsoft will do The Right Thing if they could cover it up. A few years ago, the answer was no: they wouldn't do the right thing, they would cover it up. And it is not just Microsoft, let's be fair. Almost every single software vendor has tried to do a cover-up and slipstream, or ignore the problem, at some point in time. It is a learning process they almost all seem to go through. Please explain why you think they won't all revert if they have the chance.

> I realize that a partial
> disclosure policy isn't as sexy as a full disclosure policy, but
> I believe that a less revealing eEye advisory would have saved a lot
> of companies a lot of money and grief.

There is no such thing as partial disclosure. If you try to release nearly no details, then someone else will smell blood and figure out the original hole, or find a new one in the same area that they will assume is the original hole. Go read about the RDS hole.

If you try no public disclosure, and only release to the Right People, it will leak. Check out the history of MS99-022. This only took a couple of days:

http://www.securityfocus.com/archive/1/17519

Finally, I know a guy whose favorite trick was to break into the machine of a security expert at a given company and make off with their private exploits. Then he would take the new holes and break into a new expert's machine. Rinse, lather, repeat.

> Unlike the eEye advisory, the Microsoft advisory on the IIS
> security hole shows the right balance. It gives IIS customers
> enough information about the buffer overflow without giving a recipe
> to virus writers of how to exploit it.

Take a careful look at the Code Red disassembly. The guy(s) who wrote that didn't need any help from eEye. If the eEye advisory had been helpful to the people who needed it, then we would have seen a slew of exploits published to Bugtraq the next day. All that eEye did was show us a bug a month before the worm did.

The whole debate is really simple: the research will take place. You get to see, or you don't. And by "you", I mean people who appear to be against full disclosure. Don't kid yourself and think that you won't be the first to be cut out of the loop if full disclosure goes away.

Ryan
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 17:11:53 PDT