The Vulnerability Disclosure Game: Are We More Secure?
Marcus Ranum asks: Can we speak frankly about "vulnerability disclosure" now? More than a decade into the process, can anyone say security has improved?
I do think that despite how thought provoking your essay is, you've got this one wrong.
Your essay's main point is that since full disclosure hasn't fixed the problem of insecure computers it must not have been the right thing to do. This argument falls to the fallacy that there is a single cause of the problem, a single solution, and that the problem has not evolved over time.
I would think it more likely there are multiple causes, and the playing field, the problem and the kind of disclosures have changed.
To test this, imagine not what the insecure state of computers is these days, but what the state would have been if far fewer people did vulnerability testing and few people released them publicly.
Computers would still have the massively increased complexity they have now, but there would have been much less focus on stamping out insecure apps and protocols, and that money would have been spent instead on increased features/cost reduction (a security negative). As a result there would be a significantly less secure playing field of apps and servers.
There would have been much less publicity of "theoretical" vulnerabilities (a security positive) and this would likely have led to less entry into hacking/spyware/malware/spam by criminal organizations (a positive).
However, the no-disclosure change would have created a new breed of criminal "super" hackers who could find these exploits on their own (networking with other hackers) and with the lesser security defenses have wrought havoc wherever they chose to apply their personal attention. Mind you these so called "Super Hackers" are actually less skilled than modern ones because the bar is so much lower and they require less knowledge to find vulnerabilities.
Armed with their secret stash of exploits that go perpetually un-patched, they can move about at will hacking into corporate networks gathering valuable secrets at will.
These Super Hackers can then choose to blackmail the companies, sell the secrets to competitors or publicize the data. The fallout from this happening a lot is big splashy news stories about how companies got hacked or used bribery to hide it. Criminals would undoubtedly hire these hackers and money would be made. It's debatable if that more or less total loss would occur.
Desktop PCs would fail even more often (and in huge blocks), but now the causes would be more mysterious than they are now.
I think it likely that many organizations would have isolated their networks except for a few specific tasks to attempt to mitigate these risks and instability.
Reading tea leaves like this is hard. The players are many and the threat complex.
Would the government and corporate App Developers or Users have reacted effectively somehow? Would the Internet boom have still occurred with much greater instability and insecurity? Would we just make do with less? No one really knows.
It's been my experience that better security enables better features to be created. I want the features we have today, so I'm all for full disclosure.
You mean as opposed to letting vulnerabilities sit "undisclosed" while the vendor sits on it for 1 year, 2 years, etc... all the while hackers are utilizing the vulnerability?
If one vulnerability researcher has found it, then it is easy to assume that others (with less than honorable intent) have found it as well. The vulnerability researcher that disclosed it may even be behind the curve, as the attackers are already utilizing the unknown/undisclosed hole.
It's a moot point: the vendor sits on it and we're vulnerable; the vulnerability is disclosed and we are vulnerable. But at least in the disclosure scenario we are not in the dark, we may have a way to detect and protect ourselves, and the vendor's hand is forced to fix it.
I agree that disclosure hasn't made the vendor software any more secure. It has given people the ability to assess their risk, mitigate if possible, or have their eyes wide open for signs of the vulnerability.
I guess I am looking at it from a pure vuln disclosure point. Like you I am not impressed with the commercial vuln peddlers or fame seekers.