Note: The Bugtraq Moderator has informed me that this topic has been closed, but they have graciously allowed me an opportunity to respond to statements made directly at me by mark_sala (at) yahoo (dot) com.
Mark said:
"In the end, I'd rather have a security company find the vulnerabilities and work with the vendor to fix, then to stay in the dark and let the holes stay open for intruders to exploit."
Where is it stated that there are only two options here? The OIS was formed with the stated goal of defining best practices when it comes to disclosure. This not only suggests there are many (e.g. more than two options), but also that there's disagreement in the community (both the industry and userbase) as to what should be done. Even Mike Warfield's note states there is a fine line and you can never do the "right thing".
Let's clear up a few totally inaccurate statements claimed to be facts by Mark:
1. I made no claims that ISS did not work with ISC to come up with patches. I said that at the time of ISS' Advisory release there were no publicly available patches on the ISC site.
2. As for ISS giving ISC proper notice, there's no doubt they did. What they didn't do was ensure that the patches were available to the general public prior to the release of their Advisory. As a result of not ensuring, they put everyone into a tizzy as we all went scrambling to get patches that were unavailable. That's "irresponsible" in my book, and against the charter of the OIS...which is what I said.
3. Slashdot's discussions on the issue hardly "clear up" anything. Florian told me ISS had contacted CERT also, so what. According to other posts on Bugtraq some (many?) BIND OEMs weren't notified until the day before ISS' Advisory release. Was that ISC's fault? Of course! Could ISS have acted more responsibly by ensuring with ISC and BIND OEMs themselves that they had been notified prior to release? Definitely. According to unnamed sources "coordination is a problem."
4. Any credit or thanks from ISC to ISS on ISC's website occurred after the furor over the lack of patches and almost a day after the ISS Advisory. The "speak to ISC about patches" link was replaced with a link to the actual patches and credit added to the web pages.
5. "They did not release any exploit code or demonstration code" statement makes one wonder. Checks for these issues had been added to ISS' Scanner and RealSecure. Many programmers at ISS needed to know how to exploit these vulnerabilities in order to add such checks to their products. One can only wonder if any of that leaked into the underground. Of course there's also the question of where the discovery came from in the first place. Some security companies are quite content to purchase vulnerability discoveries from the underground and then release them as their own.
6. TruSecure does not make "products", so we have nothing to update that's similar to ISS' product updates.
7. As to whether TruSecure has or hasn't ever made vulnerability discoveries, of course we have. In most cases we work directly with the Vendors and leave it to them to make any announcements. We seek no credit for the work done by ICSA Labs (owned by TruSecure Corporation), as such work is part of an agreement between ourselves and the Vendors whom we certify (which includes ISS, and every other reasonable Vendor of security software/hardware products). I've been cited on several MS Security Bulletins and no, we don't inform our customers prior to the public release of CERT's and/or the Vendor's Advisory.
FYI, ICSA Labs contains the most comprehensive R&D lab for specific security testing of Firewalls (Corporate and Personal), IDS, AntiVirus, Vulnerability Scanners, Wireless, etc. We constantly test every product we certify against the latest threats.
8. On the day of the Advisory release, our cursory check of the Internet showed that ~80% of all BIND servers we looked at were vulnerable. Even with patches from ISC, the majority of those we checked could not be patched as they would break their support agreements with their OEMs. The workaround was the only solution, and while few should have been configured such that they needed the workaround, most (80%) were. That hasn't changed in the short time since the Advisory was published.
Now to the issue of updating your own products with information about as yet publicly undisclosed security vulnerabilities. What happens first? Do you code up your products to check for these vulnerabilities, then contact the Vendor, then disclose to the public? Or do you notify the Vendor, code up your products, then disclose? What if you can't get good checks in a short period of time? Do you hold off notifying the Vendor until after you've gotten good signatures for your own product? What if you're a company the size of Microsoft, or Computer Associates? How many product groups do you inform about the vulnerability? How likely are you to be able to control the publication of vulnerabilities if you're sharing this information with many of your employees before you inform the Vendor, or even while you wait for the Vendor to fix their product?
I was told that ISC informed some of its customers early. I was also told that some of those people informed happened to be both ISC and ISS customers. I was subsequently told that there was pressure on ISS from some of those customers to ensure their products could detect these vulnerabilities...and this all happened prior to the public release of either fixes or an Advisory. Who's ISS responsible to? Its customers? The Vendor of the vulnerable product? That Vendor's customers? The Internet as a whole? Or their shareholders?
If there aren't clear guidelines as to how this stuff is going to be handled by Discoverers who claim to be responsible, then there will be no such thing as Responsible Disclosure.
OIS basically says you're not supposed to market discovery information. IMO, ISS is essentially making its customers a "Pre-release community", something which the OIS clearly states is unethical. ISS' products can be sold on the basis they contain checks for as yet unreleased vulnerabilities. Their customers expect this, so you can hardly blame them for doing it, but it's irresponsible IMO.
As to this capitalism issue, let's consider...Research for Profit is one of the biggest issues facing the U.S. today. The cost of drugs is often linked to the profitability of research. Is there a cure for cancer that just can't be patented, so it's unavailable? Is someone looking to craft a patented delivery mechanism for a new drug to eliminate diabetes, so we don't have the drug until the delivery mechanism is patented? Is that ethical? Responsible?
I'm the biggest capitalist that I know, but unless you want to see security degrade into an industry where the only people protected are the ones who've purchased a scanner from the Vendor who did the research into the vulnerability, there has to be ethics and responsibility which go beyond normal capitalism.
I told ISS that, IMO, the responsible thing to do would have been to hold off on the Advisory until the patches were clearly available on the ISC website. They should've checked that themselves, as opposed to being willing to just accept ISC's word that on the agreed date everything would've been up. I also said they should've contacted BIND OEMs themselves and brought them up to speed on the issues ISC was working on. "Coordination is a problem", don't we know it, and some Vendors are better than others in how they deal with vulnerabilities. That's just life as we know it. Clearly the OIS isn't doing anything to make that better, and neither is Bugtraq or my NTBugtraq. I put forward a proposal that I felt would make it better, called the Responsible Disclosure Forum.
ISC is not free from blame here either, but then they haven't claimed to be responsible as ISS has. If you want to do whatever you think you should, there's no reason to join something like the Organization for Internet Safety. Be a capitalist, serve your customers and your shareholders, and let the world sort out those other problems. And be prepared for criticism. But, if you instead want to claim you're leading the world to a new era in responsibility and ethics with respect to computer security, then LEAD!!
BTW, Mark, if the best researchers at ISS happened to move over to Symantec, what would you do, change all of the software you use to protect yourself? Security products shouldn't compete on the basis of when they knew about a vulnerability.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor