Wednesday, August 16, 2006

"Faux" Disclosure

Adam takes Bruce to task on "Faux" Disclosure.

I agree with Adam here. Full Disclosure is sometimes a necessary tool. In the early 1990s most O/S vendors had a shockingly negligent approach to security and in some cases the only way to get a response was to embarrass the vendor with full public disclosure.

My personal situation at the time was that I worked closely with the security groups at the companies concerned and did not want to jeopardize that relationship.

The situation today is completely different. Most vendors have security religion and they will make serious attempts to correct security bugs when they are notified that they exist and the problem can be reproduced. Computers are complex and, as the Iranian situation demonstrates, ascribing cause can be difficult; it is not practical for someone outside Israel to determine the authenticity of an attack that is claimed to be directed only at IP addresses in Israel.

What concerns me is that Full Disclosure has real costs. Releasing information has benefits but the benefits are not guaranteed to outweigh the costs. Most of the purported benefits of full disclosure are met by partial disclosure that only reaches a select number of parties with significant assets to protect and strong economic leverage over the vendors to pressure them to comply. If a vendor is not being responsive to a security issue I do not need to tell anyone other than the CIOs and CISOs of their top 10 customer accounts.

Giving exploit information to the bad guys does not make us more secure. It may be an acceptable price in certain situations but giving the bad guys weapons does not make us more safe.

The other aspect of full disclosure that concerns me is the fact that it seems to be rather too effective as a career move. I don't do full disclosure: if the bad guys haven't thought about something yet, I am not going to be the first person to talk about it in public. It's somewhat frustrating when someone gets several pages of press coverage for reporting a vulnerability I discovered and reported to the vendor earlier. On the plus side, the long-term benefits of discretion seem to be greater.

Bringing the problem to general attention without revealing a full exploit appears to me to be a completely sensible approach.
