
[Full-Disclosure] Vulnerability Disclosure Debate



Vulnerability Disclosure Debate
by gridrun on 8/07/03

The security alliance around Microsoft is trying to push its "reasonable 
vulnerability disclosure guidelines", which seeks to prevent security 
researchers from publishing proof-of-concept code altogether, and wants 
them to make only limited, next to useless, information about security 
flaws available to the public.
In my humble, personal opinion, this step seeks to maximize income of 
several large security firms, as they would release any detailed 
information only to paying groups of subscribers... An inherently 
dangerous plan, and the argumentation behind it is severely flawed.

They state that those releasing proof-of-concept code to the public are 
responsible for the creation of various malware, virii and worms, 
exploiting the discovered vulnerabilities.
Let me tell you one thing: If you believe that you are the only ones 
finding vulnerabilities, then you are to be considered a bunch of 
arrogant, self deceited stupid ignorant bitches. Do you really think you 
are the only ones "31337" enough to find sec vulns??? Latest example: 
The people here at spacebitch.com noticed intrusions using the RPC/DCOM 
vulnerability at least a month before any information about it was 
published at all. Now that it's published, everyone goes BIG NEWS about 
it, and predicts the advent of the next "internet destroying" worm which 
will take over all our systems. It doesn't matter to these people, that 
the most effective worms and trojans are far more low profile than for 
example "slammer" worm was (an inherently dumb program, raising 
immediate attention just by the exorbitant amount of bandwidth consumed 
by it). They don't even mention that there are so many worms and trojans 
making their ways thru cyberspace, mostly undetected and unnoticed, 
spreading slowly and in a limited manner only.

Hackers, Crackers and Script Kiddies alike are known to engage in 
exploit trading and often, they are discovering and exploiting 
vulnerabilities without going BIG NEWS about it... Do you really 
believe, people are sending all their 0day to @stake & co in advance, 
just to let them make money off the news?? Would you not rather believe 
that crackers finding new vulnerabilities would keep them 0day as long 
as possible, exploiting them undiscovered, because the majority doesn't 
even know the hole exists?? To me, it would seem perfectly logical for 
hackers and crackers alike to ONLY publish their findings after the 
problem was initially noticed by the public? Would it not make sense to 
you? To keep 0day for fun and profit as long as possible, and then 
releasing a modified variant of the 0day as "proof-of-concept" code, as 
soon as the public is noticed, and credits and publicity are to be 
gained by releasing the exploit code to the public?

To me, full disclosure makes perfect sense. Tell people about the 
vulnerability as soon as you notice it exists, you'll see 
"proof-of-concept" code appearing within days - essentially a proof that 
there were other people knowing about the vulnerability already.
Also, full disclosure, including exploit code, frees you from the 
obligation to believe in software vendor advisories and patches - 
another critical issue, demonstrated again by the RPC/DCOM flaw: 
Apparently, M$' fix doesn't really fix the problem to its full extent, 
and in some cases, is believed to leave machines vulnerable to the 
attack. Again, something which was to be discovered by END USERS loading 
proof-of-concept exploits and trying them on their own systems. To me, 
it makes no sense to blindly trust in a software vendor's patch, when it 
has repeatedly been shown that software vendor's patches often do not 
fully provide the anticipated security fixes.

Obviously, time has NOT yet come to say goodbye to full disclosure, and 
doing so would leave end users at the fate of some software producers' 
industry consortium to take care of OUR security - which they have 
repeatedly shown to be incapable of.

Spread the knowledge, take responsibility, take care!
- gridrun


http://softlabs.spacebitch.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html