Firewall Wizards mailing list archives
Re: recent disclosure debates
From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 16 Dec 2002 21:41:33 -0500 (EST)
On Mon, 16 Dec 2002, Adam Shostack wrote:
> Ok, well this is my opinion, and I'll happily sell it to the highest bidder. ;)
*grin* This'll be the end of it from my end- but I wanted to hit a couple of points...
> I didn't say that that happened this time, I said that there's a flurry of activity as you release, and people make mistakes.
But you're automatically accepting the premise that a public release by the discoverer at the moment a patch is available is a good thing. If you're going to start with that premise, then you have to accept that an incredible number of victims are automatically created- not only when things go wrong, as they did in this case, but even when folks coordinate everything well; any major infrastructure issue like this is going to create victims. I'm not going to rehash the disclosure debate here- but just understand that choices like this impact people, and more negatively than positively when it comes to infrastructure like BIND. Ponder what the negative impact would have been to anyone attacked had ISS not done a release, but had they let ISC handle the release, since they were cooperating fully according to all sources. In that case, we'd all be 100% focused on ISC's actions. That'd be a much more fun point to rail upon.
> Regarding your second point, errors are inevitable. We must start
Yes, and when you insist on a coordinated anything, you magnify the chance of error significantly. The way they chose to proceed isn't as much of an issue as the fact that they seemed to violate the disclosure policies they'd agreed to. So, let's dodge the full/limited disclosure bullet by directing back on that.
> designing systems to be resilient when errors happen, because in the real world, errors happen. I don't think it's right to overly blame
Shouldn't that include designing disclosure systems? ;) [snip]
> Again, I respectfully disagree. The marketing decision was not what put anyone at risk, an error in execution was what put people at risk. And yes, ISS ought to do better. They ought to have checklists of how to do this stuff, and "check that the patches are available and fix the problem" ought to be on that checklist.
You're in a squad that's part of a two-squad action- you have to travel 120 km to your objective and engage the enemy. The enemy forces are balanced such that if your squad alone opens fire, they'll likely be decimated, but the other squad is more heavily armed- you have two choices- Plan A is to let the heavily armed squad open up first, then for your squad to provide supporting crossfire, and Plan B is to coordinate opening fire at 03:00 for your squad and 03:01 for the other squad once the enemy is engaged. In Plan A, you get a supporting role, and in Plan B, you get to claim to have initiated the attack. Which plan do you vote for[1]?
> I'll buy that it's an AND, but I really don't agree that ISS deserves to be dragged through the mud. (When I was competing with them, I might have said differently ;) The reason I don't think so is ISS is
We do compete with them. Our business model often imposes a less dangerous disclosure model on our company. You want their vulnerability code- there's enough partisanship to go around here. I'm not dragging them through the mud though- I'm pointing out that Russ' article was about the discord between the disclosure policy they agreed to when joining an organization and their actions, as well as the inherent instability in their chosen method of handling such issues. But it's definitely a marketing issue- our "moral high ground" is that we err on the side of not causing attacks, even at the risk of losing some of our market. That's not just a good marketing message, but something that matches my philosophy about handling vulnerabilities. I'm going to avoid the twisty maze of disclosure issues entirely and stop here.

Paul

[1] Bzzzt! There's no voting! Fall in! ;)

-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment
                           TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- recent disclosure debates R. DuFresne (Dec 15)
- Re: recent disclosure debates Barney Wolff (Dec 15)
- Re: recent disclosure debates R. DuFresne (Dec 15)
- Re: recent disclosure debates Barney Wolff (Dec 15)
- Re: recent disclosure debates R. DuFresne (Dec 15)
- Re: recent disclosure debates Adam Shostack (Dec 16)
- Re: recent disclosure debates Paul Robertson (Dec 16)
- Re: recent disclosure debates Adam Shostack (Dec 16)
- Re: recent disclosure debates Paul D. Robertson (Dec 16)
- Re: recent disclosure debates R. DuFresne (Dec 15)
- Re: recent disclosure debates Barney Wolff (Dec 15)
- Re: recent disclosure debates Paul D. Robertson (Dec 15)
- <Possible follow-ups>
- Re: recent disclosure debates ISC Tattler (Dec 17)
- Re: recent disclosure debates Marcus J. Ranum (Dec 17)
- RE: recent disclosure debates Reckhard, Tobias (Dec 17)