Wed 30 Jun 2010
Full Disclosure is Irresponsible
Posted by andyitguy under information security, responsible disclosure
[8] Comments
I’ve tried and tried to avoid getting into the Tavis Ormandy debacle and the whole Irresponsible Disclosure issue. I’ve voiced my opinion before and it hasn’t changed much, but as I continued to think about this I just had to put my 2 dollars into the ring again. I ranted a bit last night when Martin, Steve and I recorded episode 18 of the Southern Fried Security Podcast, and then just a few minutes ago I ran across this from the Register. I’ve always said that Full Disclosure is irresponsible and usually hurts more people than it helps, and I still believe that is the case. The full disclosure crowd says that it is the only way to get the vendors to respond and release a patch, and from time to time they are right, but by and large today that is NOT the case. Most vendors, especially the big ones, will work with the researcher and release a patch in a timely manner. If they don’t, then I’m much more amenable to releasing PoC or even a full exploit, but even then there has to be responsibility. Releasing vulnerability details puts people in danger of having their lives screwed with by others in ways that can drastically impact them. Researchers are NOT the gods of the internet, and they don’t have the right to say what vulnerabilities should and should not be released regardless of whether or not a patch is available.
Another argument that the full disclosure fans like to make is that the bad guys probably already know about it and are using it. That may be so, but in the vast majority of cases, IF they have exploit code it is probably not being used except in limited cases. If it were, there would be noise on the internet pointing to it. It’s better that it be used in limited cases than for it to be used on a large scale against anyone who happens to be unlucky enough to go to the wrong web site or click on the wrong link. Not to mention the fact that, instead of being in the hands of a very few, it’s now in the hands of anyone who wants it and, worse, available to every script kiddie who wants to make a name for himself.
Also, the argument that many in IT make, that knowing the details prior to a patch lets them test their systems and put controls in place, doesn’t hold much water either. Why? Because many if not most companies don’t do this. They don’t even know that the details are available, and they don’t have the resources to use the information to protect themselves. So while a select few may be a little better protected, the vast majority (including almost 100% of consumers) are left wide open to attack. Is this the best way to secure the internet? I don’t think so.
People’s finances, reputations and ability to use the internet for legitimate purposes are at stake. When exploit code, PoC code and full details about vulnerabilities are released in an irresponsible manner, you are increasing the threat landscape, not helping it like you claim to be doing. You are putting people in danger that they most likely would not face if you had acted in a responsible manner. Are you willing to reimburse them for the money that is taken out of their account? Are you willing to go to jail for them because their infected system (thanks to you) is now housing child porn? Are you willing to explain to their wife why all of a sudden porn is being shown to the kids when they try to go to pbskids.com? Are you willing to pay them the salary they lost because their compromised computer caused them to lose their job? I didn’t think so. And don’t give me the argument about good forensics being able to clear them, because in most cases that is not going to happen. Most individuals are not going to hire a forensic expert to prove to their wife that they weren’t looking at porn. Most won’t even know it’s an option. I’d venture to say that most companies, especially small ones, aren’t going to hire a forensics expert to determine whether what you were doing was you or malware.
In today’s world, where much of what happens happens in electronic format and on computers that are connected to nearly every other computer in the world, you are messing with people’s lives when you release this kind of information in an irresponsible manner. So what is irresponsible? I can’t define that completely, but I can say that when you don’t give a vendor an opportunity to get a patch out, you are practicing irresponsible disclosure.


[Let me start out by saying that I totally respect you Andy and write the comments below with nothing but love (but not like that)]
“Full Disclosure is irresponsible and usually hurts more people than it helps and I still believe that is the case.”
What evidence do you have to support the above statement? First of all, define hurt? Who does it really hurt and how? If a vendor makes a mistake and has to feel a little “hurt” in order to fix it, this is a good thing. What if the vendor never intended to fix it and the public never found out? Isn’t that worth a little bit of hurt? Of course, take this on a case-by-case basis, I don’t think we can treat all vulnerabilities and vendors the same as there are so many variables.
“Most vendors, especially the big ones, will work with the researcher and release a patch in a timely manner.”
Let’s not forget the vendors that threaten researchers with lawsuits, launch smear campaigns, and flat out ignore researchers. What about them?
“Releasing vulnerability details puts people in danger of having their lives screwed with by others in ways that can drastically impact them in negative ways.”
You are completely ignoring the positive effects and trade-offs. Having more details about a vulnerability allows work-arounds to be published, IDS/IPS signatures to be developed, and even potentially more problems with the same code to be uncovered. So, there are two sides to the coin.
“Also the argument that many in IT use saying that by knowing the details prior to a patch allows them to be able to test their systems and put controls in place doesn’t hold much water either. Why? Because many if not most companies don’t do this.”
I totally disagree (and wonder where you got the above information). I’ve personally participated in collaborative efforts (crossing multiple organizations) to develop workarounds and signatures prior to a patch.
Sorry to play devil’s advocate, but I couldn’t resist (you bring that out in me!)
Cheers,
Paul Asadoorian
http://pauldotcom.com
I’ve been trying (and failing) to avoid this trap, too. In this case, there are a couple of things which haven’t received the attention I think they deserve.
First, the fiasco broke a couple of days before a “patch Tuesday”- bad timing for a quick response. Coincidence, or conspiracy? ( I actually think coincidence, and maybe naivete).
Second- the “could already be in the wild” argument. Too bad there isn’t something like the largest collection of data ever assembled in human history, already indexed and with built-in search capabilities. If that existed, a researcher might be able to look for signs of exploitation in the wild.
Well my two cents….
**Researchers are NOT the gods of the internet and they don’t have the right to say what vulnerabilities should and should not be released regardless of whether or not a patch is available.**
Ok then I am the God of internet…lol..
On a serious note.. this means that the researcher should sit on the vulnerability waiting for the vendor to decide whether it should be released publicly or not?? And what for..? A small credit section in the vulnerability notification?? Or wait for the credit to be taken away by another researcher??
I support this form of disclosure because this uncovers the irresponsible behavior of vendor not the researcher..
Nikhil,
If a researcher is in it for the glory then I think their priorities are wrong. But I do think that they need to work with the vendor. Tavis did not do this. 5 days is NOT working with Microsoft. If the vendor won’t talk then a deadline of at least 60 days should be set. If the patch isn’t available by then or at least VERY close then maybe releasing is the answer. But releasing after 5 days b/c you don’t like the fact that MS said that it would take longer than 5 days is pompous and irresponsible.
It is a two way street. Vendors and Researchers need to act in a responsible manner.
Paul, Why do you have to be a hater?
Just kidding. Don’t worry about hurting my feelings. I write these things so that good conversations can happen. All of your comments are taken in the spirit of love that you delivered them and my response is also full of love (but not like that).
My evidence is that now systems are being compromised via this vulnerability that were not being compromised prior to it being made public. As you state there are lots and lots of “ifs” involved in this and there are no absolutes but you have to admit that when someone’s PC is compromised it increases the likelihood that they will be hurt via their bank account being cleaned out, their CC being run up, their ID being stolen. What about the case recently where the guy compromised his neighbor’s wireless and sent threatening emails to the VP and others. He sent (I believe) porn to the guy’s boss and a perverted email to the wife of a friend. This could have really hurt this guy. Similar things can and do happen when PCs are compromised. Julie Amaro(?) comes to mind.
As for vendors that won’t work with the researchers then I say releasing the vuln details is about all that is left. Yes, it does hurt some innocent people but there are times when casualties are an unfortunate fact of life. This case with Tavis is NOT one of those times though. As for smear campaigns by vendors I say we go after them w/ our wallets. This is one of the reasons that I’m so anti Apple.
As for your “trade offs” I don’t see where the trade offs outweigh the damage done. If the vuln is unknown or only known by a select few then having sigs will only protect those who deploy them and those who are targeted by the attack. This is going to be a much smaller footprint than when every script idiot in the world has access to the attack.
I still stand by my comments about many if not most don’t do the positive things that can come from knowing the details. There are lots of SMBs who do these things but there are lots of them who don’t. I’ve worked for and with bunches of them myself and know lots and lots of people who work for companies that have NO security staff and who deploy no security tech beyond a firewall.
Thanks for the great comments and keep them coming. I’m sure we won’t ever agree completely but maybe one of us will sway the other a little to think a bit differently about things.
Maybe you and I can put the “magical” DB together and get rich off of it.
Dear all,
What he did was cyber terrorism. I’m in the middle of lobbying industry and the government agencies to launch a crackdown.
I’ve already called for him to be arrested, however laws need to be changed to fully address the issue.
Andrew
http://sites.google.com/site/n3td3v/
“So what is irresponsible?”
dunno if you’ve seen it, but I posted some thoughts on the matter of responsibility that might be of interest to you.
http://anti-virus-rants.blogspot.com/2010/07/responsibility-whats-that.html