Bugtraq mailing list archives

Re: Pro Disclosure (was Re: UnixWare)


From: mgream () acacia itd uts edu au (Matthew Gream)
Date: Sat, 30 Apr 94 23:48:32 EST


Earlier, Paul A Vixie wrote:

I think this anti-CERT sentiment is misplaced.  If someone tells CERT about
a bug and CERT manages to tell the vendors about the bug, before _everybody_
knows about the bug, then it seems to me that a good service has been done.

[..]
      a bad guy finds a hole
      lots of bad guys use the hole
      some good guy notices the hole being used, and tells CERT
      CERT tells the vendors
      some vendors get a binary patch together; others ignore it
      CERT tells the world of the existence (but not details!) of the hole,
              and gives references to the vendor's patches, and suggested
              workarounds
[..]

One problem is the time difference between the first and last
data points you have outlined. CERT quite often sits on
"problems" for a considerable length of time (be it to wait for
the vendor patch or otherwise). During that time, the
underground is happily running around exploiting the
"vulnerability" in question, until it reaches a threshold that
prompts CERT to go out and give a warning about it.

One particular instance of this is the "tcp sniffer" saga. CERT
knew about this specific item of software somewhere in the
order of 18 months before they made an announcement (brought on
because its use had reached plague proportions). 

How many systems and network wide attacks would have been saved
if CERT had made noise about the software 18 months earlier?
If you think about it, it's gross negligence on their behalf
(don't blame the author of the software either ... ).

Maybe if they decided to announce problems faster, rather than
play god in terms of deciding when is the best time to tell the
community about a particular vulnerability.

Matthew.

-- 
Matthew Gream
Consent Technologies
Sydney, (02) 821-2043
M.Gream () uts edu au
