lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3D4A9AC3.4080404@esdata.pt>
From: juliao.duartenn at esdata.pt (Juliao Duartenn)
Subject: it's all about timing

I propose an exercise:

Why do people look for vulnerabilities?
Why do people publish vulnerabilities?

If you take the broken window example Evrim Ulu has proposed, it is 
clear that most of us do not walk around the streets carefully examining 
windows to see if they are broken. Sometimes we spot a broken window, 
but we don't actively look for them. Unless, of course, we are the shop 
owner. Or a burglar.

People look for vulnerabilities for the following reasons:

- They want to stress the code they are running on their systems to make 
sure it is safe (shop owner)
- They are looking for possible ways to abuse a system they do not own 
(would-be burglar)
- They feel that they have a moral "duty" to use their skills and time 
for other's good (concerned citizen)
- They have nothing else to do and think this is fun (vulnerability 
hobbyist)
- They look for vulnerabilities because they are responsible for the 
vulnerable product (vendors)
- They look for vulns with the express intention of publishing them and 
make themselves noticed (karma whores)

On the other hand, people publish vulnerability information for the 
following reasons:

- They publish vuln info to make themselves noticed (karma whores)
- They publish vuln info because they have customers that pay (or 
otherwise produce revenue) for that service (watch dog)
- They publish vuln info because they are responsible for the vulnerable 
code (vendors)
- They feel that they have a moral "duty" to publish this information 
once they have it, since it may be a global risk (concerned citizen)
- They have nothing else to do and think this is fun (why nots)

Professional security staff and vulnerability seekers are a special case 
of the karma-whore/watch-dog combination. You find vulnerabilities in 
order to have them published and have your name metioned, bacause that 
is the basis for your revenue model. In turn, you have paying customers 
that profit by either having early access to the vuln info or premium 
access to patches and/or related security services.

The whole DMCA vs. Full Disclosure issue must take into account the 
deeper reasons I have mentioned. Why do people search for vulns, and why 
do they publish them?

Shop-owners:
Shop-owners that look for vulns on the products they use already have 
the "right" attitude about this issue. They either contact vendors or 
create their own patches and submit them to the vendors. Shop-owners are 
not interested in early disclosure, since it might further expose their 
systems. Enforcing any kind of n-day disclosure or no-disclosure law 
would have no impact on their behavior. Except, of course, in the event 
that the vendor does not fix their product and the shop-owner has to 
create a patch to protect himself, and only them will he be willing do 
publicly disclose the vuln.

Would-be Burglars:
Burglars don't disclose vulnerabilities, just like in the real world 
they don't go around telling other burglars about this nice broken 
window they found. Burglars actively exploit vulns and will continue to 
do so, regardless of any law on the subject.

Vulnerability Hobbyists:
Hobbyists look for vulns because it's a challenge, and they would 
probably continue to do so. But any challenge must have a reward, and 
peer-recognition is part of that reward. If disclosure is banned, part 
of the reward is gone and hobbyists will be less inclined to seek vulns, 
directing their efforts to other things. Hobbyists thrive in recognition 
from the established security industry, so they are likely to be 
responsible in their disclosure procedure. Having an n-day policy would 
not change the way they act. Having a no-disclosure policy would 
probably lead them to diclose vulns in private forums, where it might 
easily leak to would-be burglars before it reaches the white-hat 
community and the affected system owners.

Concerned Citizens:
Concerned Citizens (aka the white hat community) would be severely 
affected by any restrictions of full disclosure. Most citizens already 
report vulns primarily to the vendor, in the hope that the vendor will 
solve the issue. If the vendor fails to comply, they look for a forum 
where to advise their peers about the problem, the failure to comply, 
and a possible fix. If such forums are outlawed, the citizens will still 
feel the moral need to search for flaws and to warn others. Remember 
that it is the concerned citizen attitude that is in the origin of every 
neighbourhood watch and popular militia group in the world. If the means 
to perform this "duty" in a responsible manner are banned, the citizens 
will be pressured into finding other ways of spreading this information. 
What is not volunteer work, white hat work, done for the global 
community, may turn into commercial activities, if the citizen is so 
pressured in his need to be "responsible" that he finds it in himself to 
affiliate with a professional security company. It may turn into an 
underground activity, if the citizen is forced to create an 
"underground", "illegal" list in order to publish what he has found. Or 
it may turn into an activity known to few, inside a members-only mailing 
list for a small group of like.minded people that the citizens 
personally know. Either way, any disclosure control law other than what 
is now current practice (vendor first, CERT if you want to, back off 30 
days, then all hell breaks loose) will limit the activity of concerned 
citizens and diminish global security.

Karma Whores:
The karma whores are in it for the glitz. They look for vulns in order 
to publish them, and publish them in order to get peer recognition. 
Vulns are like hunting trophies. They will eventually report to the 
vendor, if and only if the vendor will acknowledge what they report and 
give them appropriate credit when it finally discloses the vuln, along 
with the patch. If it is not like this, they will disclose the 
information independently. The damage done by karma whores can only be 
mitigated with better vendor responsiveness. And that is something that 
no law can achieve. If any law requires vendors to be notified ahead of 
time, the karma whores will still publish the vuln if the vendor does 
not respond in appropriate time. And the next time a vuln comes along in 
another product by the same vendor, karma whores are likely to disclose 
on day 0, "just to show them".
Having a law will not change this. This is human nature at work. Today, 
karma whores disclose on the public lists, and everyone benefits from 
that. If <n-day is banned, or if disclosure is banned, the karma whores 
will move into the black hat lists, into private forums, into the irc 
networks. The effort required by the white hat community in order to 
track all disclosed vulnerabilities will be greatly increased.

Vendors:
Many vendors only disclose if they have to, if they are forced to 
disclosure by full or partial disclosure by third parties. Increasing 
the non-disclosure timeout period only gives vendors more time to react. 
But the time already given is more than enough. Any vulnerability that 
cannot be fixed in 30 days is not likely to be fixed in 45 or in 60 
days. And if the vendor contacts the vuln finder and asks for more time 
before disclosure, most finder will gladly comply.
The problem is that many vendors don't respond when they are contacted. 
And no law is going to fix that. The vendors that only respond after the 
vuln is public, and after an exploit is in the wild, their customers are 
not going to benefit from a delayed non-disclosure period.
Furthermore, the longer one waits after reporting to a vendor and before 
full disclosure, the more chances that a separate, independent 
researcher will fin the same vuln and disclose it into a black hat 
forum, making all customers vulnerable. Vendors will not benefit from a 
further delayed disclosure law. And customers will be hurt.

Defense is very different from offense.
Defense must cover all the fronts, offense needs to concern with only one.
Black hats will continue to thrive if the public, general forums are 
outlawed. No blackhat ever needs all the information about all the 
products. He just needs one flaw in one product that he can exploit in 
order to get into wherever he wants. If disclosure is harmed, they won't 
suffer. The private forums and mailing lists and irc and icq and instant 
messenger black-hat clubs will continue to exist and information will 
continue to flow there. If anything, the law will help them, by moving 
what would otherwise be responsible disclosure by citizens and hobbyists 
into the blackhat zones.
White hats, on the other hand, will be forced to roam the blackhat zones 
looking for information. They will need to pay much more attention to 
their IDS systems. They will need much more people in their departments 
to help with auditing and identifying potential attack attempts. If they 
do not know about the vulnerabilities, they cannot protect themselves.

I do not wish to propose full 0-day disclosure as a rule. 30-days is 
appropriate. Even if it was 20 days, it would still be appropriate. But 
any effort to delay the timeout period, or to limit the amout of 
information that can be disclosed, is bad for the industry, bad for the 
users, bad for the system administrators.
And, in fact, good for the burglars.

Juli?o Duartenn




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ