Open Source and information security mailing list archives
From: juliao.duartenn at esdata.pt (Juliao Duartenn)
Subject: it's all about timing

I propose an exercise:

Why do people look for vulnerabilities?
Why do people publish vulnerabilities?

If you take the broken window example Evrim Ulu has proposed, it is 
clear that most of us do not walk around the streets carefully examining 
windows to see if they are broken. Sometimes we spot a broken window, 
but we don't actively look for them. Unless, of course, we are the shop 
owner. Or a burglar.

People look for vulnerabilities for the following reasons:

- They want to stress the code they are running on their systems to make 
sure it is safe (shop owner)
- They are looking for possible ways to abuse a system they do not own 
(would-be burglar)
- They feel that they have a moral "duty" to use their skills and time 
for others' good (concerned citizen)
- They have nothing else to do and think this is fun (vulnerability 
hobbyist)
- They look for vulnerabilities because they are responsible for the 
vulnerable product (vendors)
- They look for vulns with the express intention of publishing them and 
make themselves noticed (karma whores)

On the other hand, people publish vulnerability information for the 
following reasons:

- They publish vuln info to make themselves noticed (karma whores)
- They publish vuln info because they have customers that pay (or 
otherwise produce revenue) for that service (watch dog)
- They publish vuln info because they are responsible for the vulnerable 
code (vendors)
- They feel that they have a moral "duty" to publish this information 
once they have it, since it may be a global risk (concerned citizen)
- They have nothing else to do and think this is fun (why nots)

Professional security staff and vulnerability seekers are a special case 
of the karma-whore/watch-dog combination. You find vulnerabilities in 
order to have them published and have your name mentioned, because that 
is the basis for your revenue model. In turn, you have paying customers 
that profit by either having early access to the vuln info or premium 
access to patches and/or related security services.

The whole DMCA vs. Full Disclosure issue must take into account the 
deeper reasons I have mentioned. Why do people search for vulns, and why 
do they publish them?

Shop-owners:
Shop-owners that look for vulns on the products they use already have 
the "right" attitude about this issue. They either contact vendors or 
create their own patches and submit them to the vendors. Shop-owners are 
not interested in early disclosure, since it might further expose their 
systems. Enforcing any kind of n-day disclosure or no-disclosure law 
would have no impact on their behavior. Except, of course, in the event 
that the vendor does not fix their product and the shop-owner has to 
create a patch to protect himself, and only then will he be willing to 
publicly disclose the vuln.

Would-be Burglars:
Burglars don't disclose vulnerabilities, just like in the real world 
they don't go around telling other burglars about this nice broken 
window they found. Burglars actively exploit vulns and will continue to 
do so, regardless of any law on the subject.

Vulnerability Hobbyists:
Hobbyists look for vulns because it's a challenge, and they would 
probably continue to do so. But any challenge must have a reward, and 
peer-recognition is part of that reward. If disclosure is banned, part 
of the reward is gone and hobbyists will be less inclined to seek vulns, 
directing their efforts to other things. Hobbyists thrive in recognition 
from the established security industry, so they are likely to be 
responsible in their disclosure procedure. Having an n-day policy would 
not change the way they act. Having a no-disclosure policy would 
probably lead them to disclose vulns in private forums, where it might 
easily leak to would-be burglars before it reaches the white-hat 
community and the affected system owners.

Concerned Citizens:
Concerned Citizens (aka the white hat community) would be severely 
affected by any restrictions on full disclosure. Most citizens already 
report vulns primarily to the vendor, in the hope that the vendor will 
solve the issue. If the vendor fails to comply, they look for a forum 
where to advise their peers about the problem, the failure to comply, 
and a possible fix. If such forums are outlawed, the citizens will still 
feel the moral need to search for flaws and to warn others. Remember 
that it is the concerned citizen attitude that is at the origin of every 
neighbourhood watch and popular militia group in the world. If the means 
to perform this "duty" in a responsible manner are banned, the citizens 
will be pressured into finding other ways of spreading this information. 
What is not volunteer work, white hat work, done for the global 
community, may turn into commercial activities, if the citizen is so 
pressured in his need to be "responsible" that he finds it in himself to 
affiliate with a professional security company. It may turn into an 
underground activity, if the citizen is forced to create an 
"underground", "illegal" list in order to publish what he has found. Or 
it may turn into an activity known to few, inside a members-only mailing 
list for a small group of like-minded people that the citizens 
personally know. Either way, any disclosure control law other than what 
is now current practice (vendor first, CERT if you want to, back off 30 
days, then all hell breaks loose) will limit the activity of concerned 
citizens and diminish global security.

Karma Whores:
The karma whores are in it for the glitz. They look for vulns in order 
to publish them, and publish them in order to get peer recognition. 
Vulns are like hunting trophies. They will eventually report to the 
vendor, if and only if the vendor will acknowledge what they report and 
give them appropriate credit when it finally discloses the vuln, along 
with the patch. If it is not like this, they will disclose the 
information independently. The damage done by karma whores can only be 
mitigated with better vendor responsiveness. And that is something that 
no law can achieve. If any law requires vendors to be notified ahead of 
time, the karma whores will still publish the vuln if the vendor does 
not respond in appropriate time. And the next time a vuln comes along in 
another product by the same vendor, karma whores are likely to disclose 
on day 0, "just to show them".
Having a law will not change this. This is human nature at work. Today, 
karma whores disclose on the public lists, and everyone benefits from 
that. If <n-day is banned, or if disclosure is banned, the karma whores 
will move into the black hat lists, into private forums, into the irc 
networks. The effort required by the white hat community in order to 
track all disclosed vulnerabilities will be greatly increased.

Vendors:
Many vendors only disclose if they have to, if they are forced to 
disclose by full or partial disclosure by third parties. Increasing 
the non-disclosure timeout period only gives vendors more time to react. 
But the time already given is more than enough. Any vulnerability that 
cannot be fixed in 30 days is not likely to be fixed in 45 or in 60 
days. And if the vendor contacts the vuln finder and asks for more time 
before disclosure, most finders will gladly comply.
The problem is that many vendors don't respond when they are contacted. 
And no law is going to fix that. As for the vendors that only respond 
after the vuln is public, and after an exploit is in the wild, their 
customers are not going to benefit from a delayed non-disclosure period.
Furthermore, the longer one waits after reporting to a vendor and before 
full disclosure, the more chances that a separate, independent 
researcher will find the same vuln and disclose it into a black hat 
forum, making all customers vulnerable. Vendors will not benefit from a 
further delayed disclosure law. And customers will be hurt.

Defense is very different from offense.
Defense must cover all the fronts; offense needs to concern itself with only one.
Black hats will continue to thrive if the public, general forums are 
outlawed. No blackhat ever needs all the information about all the 
products. He just needs one flaw in one product that he can exploit in 
order to get into wherever he wants. If disclosure is harmed, they won't 
suffer. The private forums and mailing lists and irc and icq and instant 
messenger black-hat clubs will continue to exist and information will 
continue to flow there. If anything, the law will help them, by moving 
what would otherwise be responsible disclosure by citizens and hobbyists 
into the blackhat zones.
White hats, on the other hand, will be forced to roam the blackhat zones 
looking for information. They will need to pay much more attention to 
their IDS systems. They will need much more people in their departments 
to help with auditing and identifying potential attack attempts. If they 
do not know about the vulnerabilities, they cannot protect themselves.

I do not wish to propose full 0-day disclosure as a rule. 30-days is 
appropriate. Even if it was 20 days, it would still be appropriate. But 
any effort to delay the timeout period, or to limit the amount of 
information that can be disclosed, is bad for the industry, bad for the 
users, bad for the system administrators.
And, in fact, good for the burglars.

Julião Duartenn
