[22196] in bugtraq
Re: Can we afford full disclosure of security holes?
daemon@ATHENA.MIT.EDU (Scott Blake)
Fri Aug 10 20:12:29 2001
Date: Fri, 10 Aug 2001 16:30:42 -0400
From: Scott Blake <blake@homeport.org>
To: "Richard M. Smith" <rms@privacyfoundation.org>,
"BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@securityfocus.com>
Message-ID: <1028630100.997461042@RUNABOUT>
In-Reply-To: <00b001c121c0$a1161160$0f01a8c0@tiac.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Hi folks-
We should all consider the following scenario: Microsoft released their
bulletin with the "right" amount of information. Someone with malicious
intent reverse engineered the patch to determine the source of the problem
(in violation of the license agreement) and began systematically exploiting
the security flaw for his/her own nefarious purposes -- installing
backdoors, stealing credit card numbers, leveraging web server access into
more complete network access, whatever.
There would have been no media hype, probably no coverage at all. How many
people would have installed the patch? Certainly, some administrators are
very conscientious and install all security patches, but how many? I think
Microsoft would support the proposition that far more patches were
downloaded for this issue than most (any?) other.
So we must ask ourselves if the affected servers would be more or less
secure without full disclosure, indeed, without Code Red. I submit that
the answer is that full disclosure and the media hype resulted in *better*
security because more people installed the patch than would have otherwise.
Would we have had Code Red without eEye's disclosure? Probably not, but we
probably would have the flaw being exploited without anyone's knowledge.
There are many more vulnerabilities disclosed than are widely exploited.
So many, in fact, that a good case can be made that administrators are
currently in vulnerability overload. They have become jaded to the dire
warnings of those of us in the security community because so often our
predictions do not come to pass.
The problem is not full disclosure. The problem is failure to act on
either the disclosure or the release of the patch. Whatever solutions we
suggest must address the problem of patches not being installed. If
everyone installed the patch, it wouldn't matter how much information was
disclosed. If no one installs the patch, it still doesn't matter how much
information is disclosed.
Let's think about fixing the right problem.
Scott Blake
Director of Security Strategy
BindView Corporation
PS - Please note that Mr. Smith's argument rests on the premise that
vulnerabilities will only be exploited if they are disclosed. Mine rests
on the premise that vulnerabilities may or may not be exploited if
disclosed, but that it is prudent to assume that they will be exploited
even if not fully disclosed.