tssci security

Full disclosure: How about no security vulnerabilities in the first place?

Michael (LV) over at terminal23 hits the nail right on the head with the latest articles and blog posts regarding full disclosure and responsible disclosure. I'd rather hear from the community about a new security vulnerability than wait for a vendor to respond and come up with a fix. All the while, that same vulnerability could already be under exploitation by somebody else. When I know about a new security vulnerability, be it a 0day or one that's still unpatched, I can at least plan on using other layers of security (you are practicing defense in depth, aren't you?) to mitigate it.

Even better would be for everyone to stop researching security vulnerabilities altogether... black hats, white hats, you name it! But then we'd all have to find a new career... and it's a totally unrealistic goal right from the start. There will always be someone finding security holes, and if one "responsible" researcher can find one, you can bet there is someone else who knows as well, with an entirely different intent.

These latest discussions remind me of the controversy with Michael Lynn, Cisco and Black Hat back in 2005. My favorite is this quote from Schneier's blog:

Full disclosure is good for society. But because it helps the bad guys as well as the good guys (see my essay on secrecy and security for more discussion of the balance), many of us have championed "responsible disclosure" guidelines that give vendors a head start in fixing vulnerabilities before they're announced. The problem is that not all researchers follow these guidelines. And laws limiting free speech do more harm to society than good. (In any case, laws won't completely fix the problem; we can't get laws passed in every possible country security researchers live.) So the only reasonable course of action for a company is to work with researchers who alert them to vulnerabilities, but also assume that vulnerability information will sometimes be released without prior warning.

A colleague of mine once compared Michael Lynn and responsible disclosure to the medical/pharmaceutical industry. It's not always the case, but I find the comparison insightful; I would like to hear any research a doctor has about an Rx with potentially dangerous, undisclosed side effects... wouldn't anybody?

Posted by Marcin on Friday, January 5, 2007 in Security.
