Re: Can we afford full disclosure of security holes?

[antirez <antirez () invece org>]

On Fri, Aug 10, 2001 at 02:39:06PM -0400, Richard M. Smith wrote:
> This $20 million figure begs the question was it really 
> necessary for eEye Digital Security to release full details 
> of the IIS buffer overflow that made the Code Red I and II worms 
> possible?  I think the answer is clearly no.

The 'no' answer is clear only for you (and few additional people).

1) The next time the code red authors may be the same guys
   that discovered the vulnerability, so your no-disclosure policy
   fails anyway, while it creates the condition to make the next worm
   more aggressive, see the next points.
2) Full disclosure provide to the comunity a lot of information
   and expirience to make better protecion, more secure code
   and security culture around the world. Also create the 'case'
   and the customers will think that maybe that vendor does not
   provide very secure code. This should stimulate the vendor
   to write better code.
3) The lacks of full disclosure and proof of concepts exploit
   helps to create an unsane security feeling about the actual
   software, sysadmin will probably be less responsive upgrading
   they systems so when we reach the point 1) the result is very
   catastrophic.
4) A motivated attacker can anyway obtain information
   about the vulnerability examining the patch in the case of
   opensource software (or the differences between the last and the current
   version), so this (dont) works only for proprietary software,
   without to consider that it is anyway possible to guess
   informations about the vulnerability with two different
   binaries (one patched the second vulnerable).

regards,
antirez

-- 
Salvatore Sanfilippo <antirez () invece org>
http://www.kyuzz.org/antirez
finger antirez () tella alicom com for PGP key
28 52 F5 4A 49 65 34 29 - 1D 1B F6 DA 24 C7 12 BF