D. J. Bernstein wrote:

>Crispin starts from these three examples of intrusions occurring _after_
>full disclosure, and---applying the principle ``post hoc, ergo propter
>hoc''---leaps to the astounding conclusion that the intrusions were
>_caused_ by full disclosure, i.e., that avoiding disclosure would have
>prevented the intrusions.
>
>
You are right, it is circumstantial evidence. But it is mighty strong
circumstantial evidence. Brown et al only study three vulnerabilities,
but it is not an uncommon result. Reportedly a primary reason that
Microsoft switched to monthly disclosures is that they were seeing a
bloom of malware attacks following every single disclosure, and they
wanted to batch them up to get control of those blooms.

>Crispin's conclusion is obviously incorrect. We've all seen reports of
>extensive damage caused by attackers exploiting security holes that
>_weren't_ publicly known before the attacks. Clearly the attackers are
>capable of reading software and finding security holes for themselves.
>This isn't rocket science.
>
>
That you can find instances of something other than full disclosure
causing a bloom of attacks does not invalidate the inference that full
and *abrupt* disclosure can cause a bloom of attacks. It just means that
full disclosure is not the *only* cause of a bloom. The above logic is
obviously faulty, even if it does include Latin words :)

However, if I may offer a different criticism of my own claim, there is
a question of the evidence of positive benefits of responsible
disclosure. Rescola presents data
http://www.usenix.org/events/sec03/tech/rescorla.html that even with a
well-timed responsible disclosure of a major vulnerability (OpenSSL
chunking bug) many many people just never bothered to patch. However,
this study concerns only a single vulnerability, and it is possible that
OpenSSL was not widely patched because it is reputed to be a difficult
upgrade to perform correctly.

>There is, by the way, a more subtle problem with the argument against
>full disclosure: the argument focuses entirely on short-term effects and
>ignores long-term effects.
>
Forcible disclosure with a time like as specified in the RFPolicy
http://www.wiretrip.net/rfp/policy.html would seem to have nearly
identical long-term effects with much less damaging short-term effects.
Is it your contention that a "patch up or else" disclosure policy like
the RFPolicy does *not* cause programmers to clean up their act? Can you
justify how abrupt disclosure encourages any better behavior than timed
disclosure at the discretion of the bug-finder?

> But the basic problem with the argument is
>that it's out of whack with reality. If you think that hiding security
>information keeps us safe, you're deluding yourself.
>
>
But I *do not* think that hiding security information keeps us safe.
Rather, I think that disclosing vulnerability information has impact on
attackers and defenders, and the *timing* of that disclosure, especially
with respect to the availability of a patch, has critical impact on who
it impacts and how much.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com

[ reply ]