Firewall Wizards mailing list archives

Re: recent disclosure debates


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 16 Dec 2002 21:41:33 -0500 (EST)

On Mon, 16 Dec 2002, Adam Shostack wrote:

> Ok, well this is my opinion, and I'll happily sell it to the highest
> bidder. ;)

*grin*

This'll be the end of it from my end- but I wanted to hit a couple of 
points...

> I didn't say that that happened this time, I said that there's a
> flurry of activity as you release, and people make mistakes.

But you're automatically accepting the premise that a public release by 
the discoverer at the moment a patch is available is a good thing.  If 
you're going to start with that premise, then you have to accept that an 
incredible number of victims are automatically created- not only when 
things go wrong, as they did in this case, but when folks do everything 
coordinated well, any major infrastructure issue like this is going to 
create victims.

I'm not going to rehash the disclosure debate here- but just understand 
that choices like this impact people and more negatively than positively 
when it comes to infrastructure like BIND.

Ponder what the negative impact would have been to anyone attacked had ISS 
not done a release, but had they let ISC handle the release since they 
were cooperating fully according to all sources.  In that case, we'd all 
be 100% focused on ISC's actions.  That'd be a much more fun point to rail 
upon.

> Regarding your second point, errors are inevitable.  We must start

Yes, and when you insist on a coordinated anything, you magnify the chance 
of error significantly.  

The way they chose to proceed isn't as much of an issue as the fact that 
they seemed to violate the disclosure policies they'd agreed to.  So, 
let's dodge the full/limited disclosure bullet by directing back on that.

> designing systems to be resilient when errors happen, because in the
> real world, errors happen.  I don't think it's right to overly blame

Shouldn't that include designing disclosure systems? ;)

[snip]

> Again, I respectfully disagree.  The marketing decision was not what
> put anyone at risk, an error in execution was what put people at
> risk.  And yes, ISS ought to do better.  They ought to have checklists
> of how to do this stuff, and "check that the patches are available and
> fix the problem" ought to be on that checklist.

You're in a squad that's part of a two squad action- you have to travel 
120 km to your objective and engage the enemy.  The enemy forces are 
balanced such that if your squad alone opens fire, they'll likely be 
decimated, but the other squad is more heavily armed- you have two 
choices- Plan A is let the heavily armed squad open up first, then for 
your squad to provide supporting crossfire, and Plan B is to coordinate 
opening fire at 03:00 for your squad and 03:01 for the other squad once 
the enemy is engaged.  In Plan A, you get a supporting role, and in Plan 
B, you get to claim to have initiated the attack.

Which plan do you vote for[1]?

> I'll buy that it's an AND, but I really don't agree that ISS deserves
> to be dragged through the mud.  (When I was competing with them, I
> might have said differently ;) The reason I don't think so is ISS is

We do compete with them.  Our business model often imposes a less 
dangerous disclosure model on our company.  You want their vulnerability 
code- there's enough partisanship to go around here.  I'm not dragging 
them through the mud though- I'm pointing out that Russ' article was about 
the discord between the disclosure policy they agreed to when joining an 
organization and their actions, as well as the inherent instability in 
their chosen method of handling such issues.  But it's definitely a 
marketing issue- our "moral high ground" is that we err on the 
side of not causing attacks, even at the risk of losing some of our 
market.  That's not just a good marketing message, but something that 
matches my philosophy about handling vulnerabilities.  

I'm going to avoid the twisty maze of disclosure issues entirely and stop 
here.

Paul
[1] Bzzzt!  There's no voting!  Fall in! ;)
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

