FC: More on Microsoft security, and can we afford disclosure of holes?

From: Declan McCullagh (declanat_private)
Date: Wed Nov 14 2001 - 06:48:34 PST


    Date: Wed, 14 Nov 2001 11:31:23 -0200
    From: pedro <rezendeat_private>
    To: Declan McCullagh <declanat_private>,
             "politechat_private" <politechat_private>
    Subject: reply to posting
    Dear Declan,
    I'm a fan of your list. I think it is becoming more important by the
    I've submitted several replies which never got to the list. One of them
    was about full disclosure.
    With the recent events regarding the subject, when several large
    companies agreed on a negotiating platform to block full disclosure, I
    think one of these replies has gained new relevance. I've re-edited it, and
    am submitting it again, in the hope that it can be posted.
    > From: rmsat_private (Richard M. Smith)
    > Subject: Can we afford full disclosure of security holes?
    > Date: Fri, 10 Aug 2001 14:39:06 -0400
    > Hello,
    > The research company Computer Economics is calling Code Red
    > the most expensive computer virus in the history of the
    > They put the estimated clean-up bill so far at $2 billion.
    > I happen to think the $2 billion figure is total hype,
    > but clearly a lot of time and money has been spent cleaning up
    > Code Red.
    > For the sake of argument, let's say that Computer Economics
    > is off by a factor of one hundred. That still puts the
    > clean-up costs at $20 million.
    > This $20 million figure begs the question was it really
    > necessary for eEye Digital Security to release full details
    > of the IIS buffer overflow that made the Code Red I and II
    > possible?  I think the answer is clearly no.
    > Wouldn't it have been much better for eEye to give the details
    > of the buffer overflow only to Microsoft?  They could have
    > issued a security advisory saying that they found a problem in
    > and where to get the  Microsoft patch.  I realized that a
    > disclosure policy isn't as sexy as a full disclosure policy,
    > I believe that less revealing eEye advisory would have saved a
    > companies a lot of money and grief.
    > Unlike the eEye advisory, the Microsoft advisory on the IIS
    > security hole shows the right balance.  It gives IIS customers
    > enough information about the buffer overflow without giving a
    > to virus writers of how to exploit it.
    Those working on computer security on the internet are painfully aware
    of the futility of the suggestion offered by Mr. Smith. Companies like
    MS and others in the proprietary software business, especially those
    with monopolistic power, don't bother to pay attention to vulnerability
    reports submitted directly and privately to them. The pattern is very
    well known, and inescapable. Like a hockey game, this business of
    reporting vulnerabilities in proprietary software unravels in three
    parts.
         In the first stage of a proprietary software product's evolution
    game, the producer begins by ignoring private vulnerability reports. Why
    bother with the hassle, if action to patch up the product only incurs
    extra costs, in the possibility of negative publicity, with no increase
    in revenue? Besides, the budget for its testing cycle has already blown
    out. So long as nobody else knows about the problem, it is not a
    problem. As George W. Bush has said very well, when he dumped the Kyoto
    protocol, the effort to clean up "doesn't make economic sense".
         Then, while the issue resists dying away, and before its
    consequences hit big media in a big way, generating bad publicity for
    the product, the producer enters into the second stage of the game. The
    posture moves away from ignoring the reports, into questioning its
    nature: "It's not a bug, it's a feature!".
         A classic example of this second stage happened around the Melissa
    virus. MS's project decision to ignore 8-year-old RFCs on MIME and
    implement, on new versions of its emailer, a default configuration
    triggering automatic interpretation of scripts in MIME attachments, was
    not the issue. And worse, of a script language which also controls
    communication processes within its native operating system! That was
    not considered, yet, the source of the problem. They got away with the
    strategy of sweeping dirt under the rug, steering the debate to the bug
    versus feature smokescreen controversy, because before Joel Klein
    everyone in the media was very much afraid of pointing fingers towards
    sacred cows ruminating in Redmond.
         Melissa was not enough of a warning about the company's arrogance
    and self-righteousness. We had to wait until the ILoveYou debacle for
    the company to wake up and humble itself a little, admitting to the very
    remote possibility of having made unwise decisions in their software
    projects, exposing most customers to unjustified risks. I remember
    seeing somewhere a report estimating that only 4% of MS customers could
    benefit from that automatic script interpretation "feature", and another
    one about a widely disclosed vulnerability that took MS 13 months to
         The third stage is when the game is decided. This is the stage
    where full disclosure writes the bottom line. Full disclosure is the
    only effective path towards the evolution of any software, proprietary
    or free, in the direction of better quality. Only the prospect of
    negative media exposure about careless conduct in development and
    testing can drive software into and through a healthy natural selection
    process. It is the only tool able to keep software developers on the
    honesty path.
         This is why free software is, on average, of better quality than its
    proprietary counterparts. Where full disclosure is the norm, Darwinian
    forces act on the software evolutionary process unhindered. Full
    disclosure is the only force that can drive proprietary software agents
    to steer their products into the evolutionary course toward higher
    quality altitude. That is the correct pact from the user's standpoint,
    running a collision course with the managing path steered by expectations
    of stockholders of proprietary model software companies. It's economic
    versus ecological sense.
          Therefore, if society chooses to tag a bumpy price on such
    steering, with the choice it makes on what software business model it
    prefers, while driving software through its evolutionary process, the
    responsibility for full disclosure's consequences has to be ascribed to
    consumers' choice, and not to second-guessed political or ideological
    standings of agents in the computer security field. Software, like
    biological species, has to evolve, one way or another. Yelling at the
    umpire to whistle the end of the game, when the game gets tough
    before the clock runs out, is not really sexy, we all have to admit.
         Internet Information Server is a fundamentally flawed project, for
    its architectural features are incompatible with the security demands of
    its global operating environment. It is ultimately, hopelessly
    unpatchable, for in it the line between public and private has been
    blurred by a decision to make its platform's process control language an
    "active content" scripting language. That decision seems based on greed,
    towards turning DOS programmers into webmasters, and not on prudent
    engineering. A language cannot be all things to all people, without
    putting them in a tower of Babel. And to propose the banning of full
    disclosure at this point becomes an attempt to sweep bad decisions under
    the rug. Full disclosure is with us, whether or not bumpy to the point
    of blowing tires at high speed, because this is the only road for
    software to evolve, in the ecosystem it is set up to evolve in: the
    system where economic logic, consumer choice patterns and social
    expectations about software reliability weave its course. If we don't
    like its bumps, we have to give up one of these three guiding threads.
    It is up to consumers to decide.
         To blame the computer security community for the way full disclosure
    enters into software's evolutionary scene, and the way it announces
    social costs, is an instance of human nature's tendency to try to shoot
    the messenger whenever bad news arrives. Shooting the messenger won't
    balance what ultimately will have to be balanced by software's
    evolutionary process, only what Mr. Smith wants to see balanced.
    However, at the cost of breeding one more monopoly, this time in the
    computer security field. With all the bad consequences that make its
    necessity arguable, with sophisms from those who can only reason with
    greed logic.
    Prof. Pedro Antonio Dourado de Rezende
    Ciencia da Computacao (61) 3072702-212
    Universidade de Brasilia - Brasilia DF
    MetaCertificate Group member http://www.mcg.org.br
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/

    This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 07:57:20 PST