Is responsible disclosure dead?
Jeremiah Grossman has an article in SC Magazine, “Businesses must realize that full disclosure is dead.” On Twitter, I asked for evidence, and Jerimiah responded “Evidence of what exactly?”
I think the key assertion that I take issue with is bolded in the context below:
Unquestionably, zero-day vulnerabilities have an increasing real-world value to many different parties. We should expect more and more researchers to demand and receive payment from governments, software vendors, security vendors, enterprises or someone on the black market. It has already happened and will continue. The evolution is underway and it will become more prevalent in the next few years as it becomes routine for our systems to be compromised using unknown vulnerabilities. This environment will force us to evolve our thinking and mature our offensive and defensive security strategies – fueling the need for third-party patches, subscriptions to unreleased vulnerability information, and general underground industry intelligence. We’re already seeing these services being offered on the fringe (legally and illegally) and slowly moving towards mainstream acceptance as the business models are better understood. So it’s not a matter of if, but when.
We will need to evolve, yes, but I don’t see that the direction suggested is the one we’ll need to take. In particular, operationally using 0day is a tricky business. You risk discovery and losing a valuable asset by exposing it to a target. So maybe you use something a bit more commonplace. As I recall the Verizon Breach Report, they say that roughly 75% of vulns exploited have been public for a year or more. Yes, there’s a rapidly growing volume of underground stuff, but that’s easy when such things are a tiny fraction of attacks, vulnerabilities, or root causes of bad outcomes.
So I’m curious where is the evidence that undisclosed vulns will come to dominate? Oh, and a second question. Jerimiah, your title seems to imply that this is the most important thing for businesses to realize. Is that really what you meant?
My employer spends a lot of energy on building things to make exploiting unknown vulns harder, but if I wanted to speak for them, I’d do so on my work blog.
[Ooops! Mis-spelt Jeremiah’s name. Sorry!]
The issue I take with Grossman’s article is that he ignores the inconvenient branches of his logical tree. This is not an either-or debate.
Sure, there is increasing State-Sponsored vulnerability research (see http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf for China-specific examples of this) as governments become more attuned to the need for both offensive as well as defensive computer security capabilities. But that’s not evidence of a Crowding Out effect–exactly the opposite, actually.
Stereotypical “Mom’s Basement” hackers are not going away just because governments are funding vulnerability research, they’re just increasing their odds of making a buck from the comfort of their dungeon lairs.
Third parties, often in the Grey Hat world or just flat-out Black Hats are being hired or commissioned to do this work. Soldiers are being trained in how to utilize these tools. The technical capabilities and available labor pool is being expanded in, I fear, the worst ways possible.
My personal opinion is that we are seeing growing pools of people for whom this kind of work is a legitimate living, and they will work for whomever is willing to pay them to do it. This is dramatically increasing the risk of running a a typically-insecure corporate network if the company has any information or intellectual property assets at all (as opposed to, say, being nothing but a dinosaur existing on rents ensured by legislative carve-outs).
The most interesting (frustrating?) aspect of this is watching what happens when soft (corporate) networks, where cost saving is king, are targeted with military-grade tools and techniques, a function of governments and corporations now sharing a common information platform.
It’s exciting, but doesn’t leave one with much hope for the future.
In the civilized world, responsible disclosure will continue so long as lawyers exist. If you have any financial assets worth suing, you should consider disclosing responsibly, not disclosing at all, or be prepared to suffer the natural consequences of foolish behavior.