Full Disclosure Or Not?
Results 1 to 7 of 7

Thread: Full Disclosure Or Not?

  1. #1

    Full Disclosure Or Not?

    Found this article on MSNBC. A college is going to start holding classes for writing virii. They say it is justified because the more you know about how a virus works, the better you will be able to fight them in the wild. There was also mention of the Wired article where they listed a play by play of a virus with source code. Of course the AntiVirus companies are up in arms about all of this. All of the talks break down to the simple question: Full disclosure...Yes or No? Do we keep exploits and virii a secret from the population / customers in the hopes of minimizing the impact or do we release all we know about everything and hope people will use the knowledge to help protect themselves?
    I use to be on the side of full disclosure. I felt that information wants to be free and it should be available to everyone. Now I am not so sure. I began to really use computers in 1983 and back then, most of the users seemed to have a clue. Now...well for those of you who have worked at a help desk know the score. Businesses make choices by looking at the bottom line. If I invest x, what will be my return on the investment? Engineers see things differently and know that protecting the systems are critical. Managment does not see things this way and more often that not, becuase of IT cut backs, vendor choices etc... the systems tend to be left more vulnerable than they should. If all exploits were made public, who would read them. Some system admins, researchers, security companies and people who want to use the exploits for non-legal reasons. Business managment would not read the information and even if they did, they would not understand it. Their focus is on the business, not on the systems. That is why they have IT on the payroll but of course there are cutbacks, etc... It becomes a cycle.
    I do see good changes in the business world. More and more, the managment end is starting to see their IT solutions as a crital part of the venture and not as a drain on their resources. I hope this trend will continue.
    So, we come to the main issue: Full disclosure or Silence. Hold back the information and hope few people use it or release it and hope that no many people use it? I know that if the information is not released to the public, it will still be available on the 'net' but it is one thing for a script kiddie to try and figure out how to configure and compile an exploit he got from a web site, with minimal comments in the source, and having a step by step howto in a major publication like Wired.
    I am still on the fence.

    Read the article here: http://www.msnbc.com/news/925527.asp?0dm=C15LT

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Full Disclosure of exploits ...

    The purpose (IMHO) of full disclosure is to persuade software companies to provide timely patches and admit errors rather than "covering up" problems.

    Therefore, it is sensible to have full disclosure, but ONLY AFTER, the vendor has had a reasonable chance to verify the problem and produce a patch. Ideally the vendor should produce the patch before the exploit is made public, thereby reducing risk to everyone.

    However if you argue that all exploits should be kept secret, software makers could just sweep any error under the carpet, and pretend it didn't exist. Black-hats will still discover exploits, and they can still be used, but people won't know what risk they're at.

    Unfortunately the system breaks down in open source software, a blackhat can take the patched source, diff it, and reverse engineer an exploit relatively easily. Therefore it is almost equivalent to release the patch and the exploit (of course elite blackhats can diff binaries produced by a vendor and reverse engineer an exploit for the unpatched version anyway).

    Viruses are a different matter. They are annoying, but not nearly as bad as exploits for stuff - because they can't (in principle at least) infect systems where good practice is used.

    Viruses are also fairly easy to write. Certainly many of the worms of late (ILOVEYOU) have been written by script kiddies who have no understanding of assembler, executable file formats etc. On the other hand, some like Slammer and codered clearly required a great deal of understanding to construct.

    I don't think there is much point hiding the information required to write viruses - but that's no reason to produce a "cookbook"

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    This isn't new. You can read these posts here about the same subject.

    http://www.antionline.com/showthread...=virus+writing
    http://www.antionline.com/showthread...=virus+writing

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Originally posted here by thehorse13
    This isn't new. You can read these posts here about the same subject.

    http://www.antionline.com/showthread...=virus+writing
    http://www.antionline.com/showthread...=virus+writing

    I know it is not new. There seems to be some more recent talk of it in the media. It was something I read and afterwards I felt that I had something to say. That's all. I did not mean to break a rule here at AO. If I did, I apologize. I had a ding from a user who felt I should not bring up / reactivate old threads. I'll take a look a the threads you have listed.

    Sorry.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Don't apologize. I wasn't giving you a hard time. I was just giving you additional info on the subject.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Ok...Thanks...Sorry for being a little jumpy

    (I need some caffine)

  7. #7
    Member
    Join Date
    Feb 2003
    Posts
    41
    "Therefore, it is sensible to have full disclosure, but ONLY AFTER, the vendor
    has had a reasonable chance to verify the problem and produce a patch.
    Ideally the vendor should produce the patch before the exploit is made public,
    thereby reducing risk to everyone."

    I agree with a reasonable time frame but you know the answer lies in
    stepped up proactive auditing and bug squashing in programming code by
    trained eyes if the vendors cleaned up there code and I mean seriously
    squashed the bugs they wouldn't have to play ping pong back&fourth with
    Script Kiddies and Blackhats but because they play react and patch they lose
    and users lose big time. Some new thinking or approach is needed.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides