I Am So A Dinosaur…
…and I was one before it was cool. Crit Jarvis responds to my comment that my views on disclosure have ossified by claiming that I’m evolving. The trouble is, I have documented proof it’s not true. From my homepage:
Apparent Weaknesses in the Security Dynamics Client Server Protocol. This paper was presented at the DIMACS workshop on Network Threats, and describes a substantial weakness in the Security Dynamics client server model, which was apparently fixed in versions of the software later than the ones I was working with. Security Dynamics responded to my work before publication. I'm very pleased that they will be publishing their protocols in the future. The postscript file submitted to DIMACS is available, as is an html version, but the html version is missing two diagrams.
The DIMACS workshop was Dec 4-6, 1996. I spoke to some folks about the flaw at Crypto, in Santa Barbara that summer, and they encouraged me to publish. I spent a while talking to a lawyer about the issues, concerned that I might be sued, and pulled source code for the F2 hash from the paper. I contacted Security Dynamics only after the paper had gone to press, to make it harder for them to pressure me to pull it. It turned out that John Brainard and Vin McLellan were utter gentlemen in dealing with me, and SDI never brandished a threatening word. But in the world of vulnerability disclosure back then, I didn't think I was being unreasonably fearful.
The landscape is somewhat different today (although Guillermito* would doubtless beg to differ, as would Niels Ferguson). Companies, by and large, seem to be responding better to security reports. (I know someone whose bug report sat at Sun and CERT for a full two years in the early 90s, despite rampant evidence of attacker use.) But my position is about the same. Over time, disclosure is better than trying to sweep vulnerabilities under the rug. We should tweak the process to minimize the current pain that disclosure entails.
*(via Freedom To Tinker Clips)