| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Dec 2004 01:29:32 -0800 From: Crispin Cowan <crispin@...unix.com> To: "D. J. Bernstein" <djb@...yp.to> Cc: bugtraq@...urityfocus.com Subject: Re: DJB's students release 44 *nix software vulnerability advisories D. J. Bernstein wrote: >Crispin starts from these three examples of intrusions occurring _after_ >full disclosure, and---applying the principle ``post hoc, ergo propter >hoc''---leaps to the astounding conclusion that the intrusions were >_caused_ by full disclosure, i.e., that avoiding disclosure would have >prevented the intrusions. > > You are right, it is circumstantial evidence. But it is mighty strong circumstantial evidence. Brown et al only study three vulnerabilities, but it is not an uncommon result. Reportedly a primary reason that Microsoft switched to monthly disclosures is that they were seeing a bloom of malware attacks following every single disclosure, and they wanted to batch them up to get control of those blooms. >Crispin's conclusion is obviously incorrect. We've all seen reports of >extensive damage caused by attackers exploiting security holes that >_weren't_ publicly known before the attacks. Clearly the attackers are >capable of reading software and finding security holes for themselves. >This isn't rocket science. > > That you can find instances of something other than full disclosure causing a bloom of attacks does not invalidate the inference that full and *abrupt* disclosure can cause a bloom of attacks. It just means that full disclosure is not the *only* cause of a bloom. The above logic is obviously faulty, even if it does include Latin words :) However, if I may offer a different criticism of my own claim, there is a question of the evidence of positive benefits of responsible disclosure. Rescola presents data http://www.usenix.org/events/sec03/tech/rescorla.html that even with a well-timed responsible disclosure of a major vulnerability (OpenSSL chunking bug) many many people just never bothered to patch. However, this study concerns only a single vulnerability, and it is possible that OpenSSL was not widely patched because it is reputed to be a difficult upgrade to perform correctly. >There is, by the way, a more subtle problem with the argument against >full disclosure: the argument focuses entirely on short-term effects and >ignores long-term effects. > Forcible disclosure with a time like as specified in the RFPolicy http://www.wiretrip.net/rfp/policy.html would seem to have nearly identical long-term effects with much less damaging short-term effects. Is it your contention that a "patch up or else" disclosure policy like the RFPolicy does *not* cause programmers to clean up their act? Can you justify how abrupt disclosure encourages any better behavior than timed disclosure at the discretion of the bug-finder? > But the basic problem with the argument is >that it's out of whack with reality. If you think that hiding security >information keeps us safe, you're deluding yourself. > > But I *do not* think that hiding security information keeps us safe. Rather, I think that disclosing vulnerability information has impact on attackers and defenders, and the *timing* of that disclosure, especially with respect to the availability of a patch, has critical impact on who it impacts and how much. Crispin -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com
Powered by blists - more mailing lists