I Am So A Dinosaur…
…and I was one before it was cool. Crit Jarvis responds to my comment that my views on disclosure have ossified by claiming that I’m evolving. The trouble is, I have documented proof it’s not true. From my homepage:
Apparent Weaknesses in the Security Dynamics Client Server Protocol. This paper was presented at the DIMACS workshop on Network Threats, and describes a substantial weakness in the Security Dynamics client server model, which was apparently fixed in versions of the software later than the ones I was working with. Security Dynamics responded to my work before publication. I’m very pleased that they will be publishing their protocols in the future. The postscript file submitted to DIMACS is available, as is an html version, but the html version is missing two diagrams.
The DIMACS workshop was Dec 4-6, 1996. I spoke to some folks about the flaw at Crypto, in Santa Barbara that summer, and they encouraged me to publish. I spent a while talking to a lawyer about the issues, concerned that I might be sued, and pulled source code for the F2 hash from the paper. I contacted Security Dynamics only after the paper had gone to press, to make it harder for them to pressure me to pull it. It turned out that John Brainard and Vin McLellan were utter gentlemen in dealing with me, and SDI never brandished a threatening word. But in the world of vulnerability disclosure back then, I didn’t think I was being unreasonably fearful.
The landscape is somewhat different today (although Guillermito* would doubtless beg to differ, as would Niels Ferguson). Companies, by and large, seem to be responding better to security reports. (I know someone whose bug report sat at Sun and CERT for a full two years in the early 90s, despite rampant evidence of attacker use.) But my position is about the same. Over time, disclosure is better than trying to sweep vulnerabilities under the rug. We should tweak to minimize the current pain that disclosure entails.
*(via Freedom To Tinker Clips)
Has anyone modelled in economics terms why disclosure is better than the alternate(s)?
To evaluate economics at the point of disclosure is too late because by then it is out of our collective hands – that’s the whole problem to begin with, that we can’t control the process at that point. Discovery is where we should be placing more emphasis. See http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1014528,00.html for more info.
Here is a model for you: (LOCe (existing lines of code) + LOCd (new lines of code created daily)) x Vulnerability Density (5 per 1000 LOC? .1 per KLOC? doesn’t really matter) is much, much larger than the avg 10 vulns per day we are finding, and the gap is widening. Discovered vulnerabilities are “comfort food” and distracting if we honestly believe that the true threats are zero-day attacks (exploits against discovered vulns that no good guys know about).
Pete, your point is a good one, but let’s go back all the way to creation, rather than discovery. Vuln density in new code is manageable. The tools are not yet mature, but they’re improving. I should also mention that Eric Rescorla has done good work on the question of ‘Is Finding Vulns a Good Idea?’ He answers no, but I think the tools available to us to block disclosure are worse than the disease.
I’ll post more tomorrow on the economics of disclosure, qua disclosure.
I am all for reducing the creation of vulns. The risk, of course, is that you never know whether you’ve found them all. I would love for folks to begin using parallel QA teams of fault injection to estimate defects, but I am not sure that is likely to happen.
Yes, Eric’s approach is pretty neat – basically he looks for a downward trend in the number of vulnerabilities found for an application.
Not sure what you mean by “blocking disclosure”. My initial reaction is that I didn’t do a good job distinguishing between discovery and disclosure. (I am not really looking to block disclosure once the vuln is discovered, just to make it much less attractive to go looking in the first place.)
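The comment above describes Rescorla’s approach as looking for a downward trend in the number of vulnerabilities found for an application. The following is an added example, not code from the original post, from Rescorla’s paper, or from any commenter: it applies the Laplace trend test (a standard software-reliability-growth test; whether it is the exact statistic Rescorla used is an assumption, not something this page confirms) to a series of discovery dates. The two input series and the 100-day window are constructed for illustration.

```python
"""Laplace trend test on vulnerability discovery times.

Added example (not part of the original discussion). Given the day on
which each vulnerability in an application was found, the Laplace factor
u is negative when discoveries are clustering early in the window
(discovery rate falling, the 'downward trend' Rescorla looks for) and
positive when they cluster late (rate rising). |u| >= 1.96 is roughly a
5% two-sided significance level under the no-trend null hypothesis.
"""
import math
from typing import Sequence

# Constructed sample data: discovery days within a 100-day observation window.
WINDOW_DAYS = 100.0
# Finds bunch up early and thin out: the rate of discovery is falling.
DECREASING_SERIES = [2, 5, 9, 14, 20, 27, 35, 44, 54, 65]
# Finds bunch up late: the rate of discovery is rising.
INCREASING_SERIES = [35, 46, 56, 65, 73, 80, 86, 91, 95, 98]


def laplace_factor(discovery_days: Sequence[float], window_days: float) -> float:
    """Return the Laplace factor u for event times in the interval (0, window_days].

    u = (mean(t_i) - T/2) / (T * sqrt(1 / (12 n)))
    """
    n = len(discovery_days)
    if n == 0:
        raise ValueError("need at least one discovery time")
    if window_days <= 0:
        raise ValueError("window must be positive")
    if any(t <= 0 or t > window_days for t in discovery_days):
        raise ValueError("every discovery time must lie in (0, window_days]")
    mean_time = sum(discovery_days) / n
    return (mean_time - window_days / 2) / (window_days * math.sqrt(1 / (12 * n)))


def classify_trend(discovery_days: Sequence[float], window_days: float,
                   z_threshold: float = 1.96) -> str:
    """Label the discovery series as 'decreasing', 'increasing' or 'no significant trend'."""
    u = laplace_factor(discovery_days, window_days)
    if u <= -z_threshold:
        return "decreasing"
    if u >= z_threshold:
        return "increasing"
    return "no significant trend"


if __name__ == "__main__":
    for label, series in (("early-heavy", DECREASING_SERIES),
                          ("late-heavy", INCREASING_SERIES)):
        u = laplace_factor(series, WINDOW_DAYS)
        print(f"{label}: u = {u:+.2f} -> {classify_trend(series, WINDOW_DAYS)}")
```

A falling discovery rate is only evidence about the finders’ effort and the pool of latent bugs taken together; a series that goes quiet because nobody is looking any more will also score as “decreasing”, so the test is best read alongside some measure of how much scrutiny the application actually received.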
> “The risk, of course, is that you never know whether you’ve found them all.”
Shoot, that one’s easy. You haven’t found them all. But have you hit a point of diminishing returns for the fully loaded costs of future support?
> “Not sure what you mean by “blocking disclosure”. ”
Laws like DMCA and UTICA.