Shostack + Friends Blog Archive


"Faux" Disclosure

I wasn’t going to join the debate on the relative merits of Dave Maynor/Johnny Cache’s disclosure of vulnerabilities in device drivers at Black Hat 2006, but Bruce Schneier’s post calling it Faux Disclosure has annoyed me enough that I feel obliged to comment now. In particular he says:

Full disclosure is the only thing that forces vendors to fix security problems. The further we move away from full disclosure, the less incentive vendors have to fix problems and the more at-risk we all are.

I think Bruce is missing a vital point here, namely that it is the threat of full disclosure, and the effect that disclosure will have on their customers, that forces vendors to fix problems. Full disclosure without a remedy, when a vendor is working in a timely fashion to resolve the issue, does nothing but hurt the end user. The fact of the matter is that, given that patches were not yet available from the vendor, it would have been incredibly irresponsible of Maynor and Cache to disclose the exact details of the vulnerability.
That’s my take on it at least.
Clearly, the issue of when and how much to disclose is still a hugely open topic.
I know several of our readers were at Blackhat and at least one participated on the Vulnerability Disclosure Panel. What did you think of what was said there? Has your opinion changed in light of the disclosure at Blackhat of yet another Cisco vulnerability?
[Edit: Fixed broken link. Also see Brian Krebs’ interview with David Maynor]

3 comments on ""Faux" Disclosure"

  • Chris says:

    Thanks, Arthur, for saying exactly what I wanted to, but couldn’t seem to without starting to say “Hulk SMASH!” instead.
    Anyone who has read the papers submitted to the WEIS conferences (which includes Bruce, obviously) knows that full disclosure is hardly the “only” thing inducing vendors to fix their stuff.
    Ross Anderson’s page contains a decent selection of pointers to academic work on this topic (search for ‘Economics of Vulnerabilities’): http://www.cl.cam.ac.uk/~rja14/econsec.html
    Bruce, writing for a popular medium, has seemingly oversimplified. Hopefully, his rather significant throw-weight won’t dissuade folks from reading up on the issue.

  • Blivious says:

    As is so often the case with Bruce, there’s just enough truth to sneak in the sensational nonsense. Let us deconstruct.
    “Full disclosure is the only thing that forces vendors to fix security problems.” This is a true statement. The key word here is “forces.” Vendors sometimes (often?) fix problems without being forced. How can that be?
    “The further we move away from full disclosure, the less incentive vendors have to fix problems…” This is also a true statement, if incomplete. While disclosure of problems is certainly a powerful motivator of companies it is not the only motivator. Some customers do their own, private security research and demand fixes. Some vendors look for security problems in their own software and fix those problems without disclosure.
    “…and the more at-risk we all are.” Pure, unadulterated nonsense. We are all “at-risk” from the vulnerability regardless of whether it is disclosed or not. Arguably, we are more “at-risk” in between the disclosure and the fix if the disclosure happens before the fix. Also arguably, we are at still greater risk if the vulnerability is never disclosed. Personally, I worry a lot more about the vulnerabilities that haven’t been discovered (whether disclosed or not) than the ones that have.

  • Iang says:

    The problem with any half-way house is that it becomes a chance to pervert the eventual goal, which is to fix the problem with a real solution.
    Any sense of compromise or delay opens the door to negotiations and various strategies to avoid the real issue. Many of the arguments advanced by the vendors are generally unfounded — like Arthur’s about it being generally irresponsible to disclose a vulnerability without a remedy. That falls when we realise that the approach doesn’t work for a real attacker, who exploits the vulnerability, and still leaves the vendor with no incentive to fix it because there remains no disclosure.
    As the researcher is often much smaller and less powerful than the vendor, negotiations will go against research and the consumer interest. On balance, it seems to me that the very simple mechanism of “disclose it all, now” trumps all others, albeit with some costs. Vendors get attacked by researchers, and by attackers. Get over it; work for the solution, not against the problem.
    Although, as a caveat — I have not “read up” on it as Chris suggests.
