Bugtraq mailing list archives

Re: Can we afford full disclosure of security holes?


From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 10 Aug 2001 17:44:27 -0600 (MDT)

On Fri, 10 Aug 2001, Richard M. Smith wrote:

> For the sake of argument, let's say that Computer Economics
> is off by a factor of one hundred.  That still puts the
> clean-up costs at $20 million.
>
> This $20 million figure begs the question was it really
> necessary for eEye Digital Security to release full details
> of the IIS buffer overflow that made the Code Red I and II worms
> possible?  I think the answer is clearly no.

So if someone publishes true information about a company, and that company
gets a class-action suit against them, the person who publishes the
information should pay for it?  Given an industry that doesn't force their
users to waive the ability to sue, of course.

> Wouldn't it have been much better for eEye to give the details
> of the buffer overflow only to Microsoft?  They could have still
> issued a security advisory saying that they found a problem in IIS
> and where to get the Microsoft patch.

This begs the question of will Microsoft do The Right Thing if they could
cover it up.  A few years ago, the answer was, no they wouldn't do the
right thing, they would cover it up.  And it is not just Microsoft, let's
be fair.  Almost every single software vendor has tried to do a cover up &
slipstream or ignore the problem at some point in time.  It is a learning
process they almost all seem to go through.  Please explain why you think
they won't all revert if they have the chance.

> I realized that a partial
> disclosure policy isn't as sexy as a full disclosure policy, but
> I believe that a less revealing eEye advisory would have saved a lot of
> companies a lot of money and grief.

There is no such thing as partial disclosure.  If you try to release
nearly no details, then someone else will smell blood, and figure out the
original hole, or find a new one in the same area that they will assume is
the original hole.  Go read about the RDS hole.  If you try no public
disclosure, and only release to the Right People, it will leak.  Check out
the history of MS99-022.  This only took a couple of days:
http://www.securityfocus.com/archive/1/17519
Finally, I know a guy whose favorite trick was to break into the machine
of a security expert at a given company, and make off with their private
exploits.  Then he would take the new holes, and break into a new expert's
machine.  Rinse, lather, repeat.

> Unlike the eEye advisory, the Microsoft advisory on the IIS
> security hole shows the right balance.  It gives IIS customers
> enough information about the buffer overflow without giving a recipe
> to virus writers of how to exploit it.

Take a careful look at the Code Red disassembly.  The guy(s) who wrote
that didn't need any help from eEye.  If the eEye advisory had been
helpful to the people who needed it, then we would have seen a slew of
exploits published to Bugtraq the next day.

All that eEye did was show us a bug a month before the worm did.

The whole debate is really simple:  The research will take place.  You get
to see, or you don't.  And by "you", I mean people who appear to be
against full disclosure.  Don't kid yourself and think that you won't be
the first to be cut out of the loop, if full disclosure goes away.

                                        Ryan

