Date: Wed, 14 Nov 2001 11:31:23 -0200
From: pedro <rezendeat_private>
To: Declan McCullagh <declanat_private>, "politechat_private" <politechat_private>
Subject: reply to posting

Dear Declan,

I'm a fan of your list. I think it is becoming more important by the day. I've submitted several replies which never got to the list. One of them was about full disclosure. With the recent events regarding the subject, when several large companies agreed on a negotiating platform to block full disclosure, I think one of these replies has gained new relevance. I've re-edited it, and am submitting it again, in the hope that it can be posted.

Sincerely,

> From: rmsat_private (Richard M. Smith)
> Subject: Can we afford full disclosure of security holes?
> Date: Fri, 10 Aug 2001 14:39:06 -0400
>
> Hello,
>
> The research company Computer Economics is calling Code Red
> the most expensive computer virus in the history of the Internet.
> They put the estimated clean-up bill so far at $2 billion.
> I happen to think the $2 billion figure is total hype,
> but clearly a lot of time and money has been spent cleaning up after
> Code Red.
>
> For the sake of argument, let's say that Computer Economics
> is off by a factor of one hundred. That still puts the
> clean-up costs at $20 million.
> This $20 million figure begs the question: was it really
> necessary for eEye Digital Security to release full details
> of the IIS buffer overflow that made the Code Red I and II worms
> possible? I think the answer is clearly no.
>
> Wouldn't it have been much better for eEye to give the details
> of the buffer overflow only to Microsoft? They could have still
> issued a security advisory saying that they found a problem in IIS
> and where to get the Microsoft patch. I realize that a partial
> disclosure policy isn't as sexy as a full disclosure policy, but
> I believe that a less revealing eEye advisory would have saved a lot
> of companies a lot of money and grief.
>
> Unlike the eEye advisory, the Microsoft advisory on the IIS
> security hole shows the right balance. It gives IIS customers
> enough information about the buffer overflow without giving a recipe
> to virus writers of how to exploit it.

Those working on computer security in the internet are painfully aware of the futility of the suggestion offered by Mr. Smith. Companies like MS and others in the proprietary software business, especially those with monopolistic power, don't bother to pay attention to vulnerability reports submitted directly and privately to them. The pattern is very well known, and inescapable. Like a hockey game, this business of reporting vulnerabilities in proprietary software unravels in three parts.

In the first stage of a proprietary software product's evolution game, the producer begins by ignoring private vulnerability reports. Why bother with the hassle, if action to patch up the product only incurs extra costs, in the possibility of negative publicity, with no increase in revenue? Besides, the budget for its testing cycle has already blown out. So long as nobody else knows about the problem, it is not a problem. As George W. Bush has said very well, when he dumped the Kyoto protocol, the effort to clean up "doesn't make economic sense".

Then, while the issue resists dying away, and before its consequences hit big media in a big way, generating bad publicity for the product, the producer enters into the second stage of the game. The posture moves away from ignoring the reports, into questioning their nature: "It's not a bug, it's a feature!". A classic example of this second stage happened around the Melissa virus. MS's project decision to ignore 8 year old RFCs on MIME and implement, on new versions of its emailer, default configuration triggering automatic interpretation of scripts in MIME attachments, was not the issue. And worse, of a script language which also controls communication processes within its native operating system!

That was not considered, yet, the source of the problem. They got away with the strategy of sweeping dirt under the rug, steering the debate to the bug versus feature smokescreen controversy, because before Joel Klein everyone in the media was very much afraid of pointing fingers towards sacred cows ruminating in Redmond. Melissa was not enough of a warning about the company's arrogance and self righteousness. We had to wait until the ILoveYou debacle, for the company to wake up and humble itself a little, admitting to the very remote possibility of having made unwise decisions in their software projects, exposing most customers to unjustified risks. I remember seeing somewhere a report estimating that only 4% of MS customers could benefit from that automatic script interpretation "feature", and another one about a widely disclosed vulnerability that took MS 13 months to patch.

The third stage is when the game is decided. This is the stage where full disclosure writes the bottom line. Full disclosure is the only effective path towards the evolution of any software, proprietary or free, in the direction of better quality. Only the prospect of negative media exposure about careless conduct in development and testing can drive software into and through a healthy natural selection process. It is the only tool able to keep software developers on the honesty path. This is why free software is, on the average, of better quality than proprietary counterparts. Where full disclosure is the norm, Darwinian forces act on the software evolutionary process unhindered. Full disclosure is the only force that can drive proprietary software agents to steer their products into the evolutionary course toward higher quality altitude. That is the correct pact from the user's standpoint, running a collision course with the managing path steered by expectations of stockholders of proprietary model software companies. It's economic versus ecological sense.

Therefore, if society chooses to tag a bumpy price on such steering, with the choice it makes on what software business model it prefers, while driving software through its evolutionary process, the responsibility for full disclosure's consequences has to be ascribed to consumers' choice, and not to second-guessed political or ideological standings of agents in the computer security field. Software, like biological species, has to evolve, one way or another. Yelling at the umpire to whistle the end of the game out, when the game gets tough before the clock runs out, is not really sexy, we all have to admit.

Internet Information Server is a fundamentally flawed project, for its architectural features are incompatible with the security demands of its global operating environment. It is ultimately, hopelessly unpatchable, for in it the line between public and private has been blurred by a decision to make its platform's process control language an "active content" scripting language. That decision seems based on greed, towards turning DOS programmers into webmasters, and not on prudent engineering. A language cannot be all things to all people, without putting them in a Babel tower. And to propose the banning of full disclosure at this point becomes an attempt to sweep bad decisions under the rug.

Full disclosure is with us, whether or not bumpy to the point of blowing tires at high speed, because this is the only road for software to evolve, in the ecosystem it is set up to evolve in. The system where economic logic, consumer choice patterns and social expectations about software reliability weave its course. If we don't like its bumps, we have to give up one of these three guiding threads. It is up to consumers to decide. To blame the computer security community for the way full disclosure enters into software's evolutionary scene, and the way it announces social costs, is an instance of human nature's tendency to try to shoot the messenger, whenever bad news arrives.

Shooting the messenger won't balance what ultimately will have to be balanced by software's evolutionary process, only what Mr. Smith wants to see balanced. However, at the cost of breeding one more monopoly, this time in the computer security field. With all the bad consequences that make its necessity arguable, with sophisms from those who can only reason with greed logic.

--
-----------------------------------------------------
Prof. Pedro Antonio Dourado de Rezende
Ciencia da Computacao (61) 3072702-212
Universidade de Brasilia - Brasilia DF
http://www.cic.unb.br/docentes/pedro/segdadtop.htm
MetaCertificate Group member http://www.mcg.org.br
----------------------------------------------------

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------