Full Disclosure mailing list archives

Re: "responsible disclosure" explanation (an example of the fallacy of idealistic thought)


From: robert () dyadsecurity com
Date: Tue, 9 Aug 2005 00:22:29 -0700

Matthew Murphy(mattmurphy () kc rr com)@Tue, Aug 09, 2005 at 01:42:36AM -0500:
> In this scenario, much as a software vulnerability, two factors are
> consistent.  The threat (the malicious individual seeking to move
> things illegally or harm life or property) is fixed, as is the
> vulnerability (the weakness that allows that individual access).  The
> only component of the puzzle that is not static is the actual risk of
> the threat becoming reality (exploitation of the vulnerability).

This argument is old and neither side can be substantiated to the point
of swaying opinion.  That said, it is really arrogant to assume that the
1st security researcher to share the information publicly was the 1st
person (or only person) to find the problem.  We (at dyad) find multiple
"0day" problems in software every week.  We don't share any of them with
the community at large, partly because of ungrateful people like you,
and partly because it doesn't provide any real value anyway.  I know
we're not the only researchers to feel this way.  Just know that for
every advisory that comes out, there are likely 100-1000x more problems
being discovered, harvested, and used for noble and malicious purposes.

On the internet, information flow isn't contained.  The people who
create the software are not the only people who find the problems,
therefore they can not be the only source for information exchange, and
indeed may not be the most appropriate source for vulnerability
information.

> The point you miss is that by withholding vulnerability details, I
> guarantee nothing, other than that those details are less widely
> known.  I agree that patch processes should be more expeditious, but
> the solution to that dilemma is not to force companies to sacrifice
> quality by creating an imminent risk that did not otherwise exist.

The imminent risk is caused by the vulnerability existing in the
software being discovered, not by having the advisory with good details
publicly shared.  Having the details shared helps the end users know
their risks.

With tools like unicornscan (http://www.unicornscan.org) becoming more
widely deployed, as soon as an 0day is discovered, it's a simple matter
to hit every publicly available IP on the internet in under 24 hours. 
There is imminent risk as soon as the 1st malicious person finds the
bug.

Robert

-- 
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

