D. J. Bernstein wrote:
Crispin starts from these three examples of intrusions occurring _after_
full disclosure, and---applying the principle ``post hoc, ergo propter
hoc''---leaps to the astounding conclusion that the intrusions were
_caused_ by full disclosure, i.e., that avoiding disclosure would have
prevented the intrusions.
You are right, it is circumstantial evidence. But it is mighty strong
circumstantial evidence. Brown et al only study three vulnerabilities,
but it is not an uncommon result. Reportedly a primary reason that
Microsoft switched to monthly disclosures is that they were seeing a
bloom of malware attacks following every single disclosure, and they
wanted to batch them up to get control of those blooms.
Crispin's conclusion is obviously incorrect. We've all seen reports of
extensive damage caused by attackers exploiting security holes that
_weren't_ publicly known before the attacks. Clearly the attackers are
capable of reading software and finding security holes for themselves.
This isn't rocket science.
That you can find instances of something other than full disclosure
causing a bloom of attacks does not invalidate the inference that full
and *abrupt* disclosure can cause a bloom of attacks. It just means that
full disclosure is not the *only* cause of a bloom. The above logic is
obviously faulty, even if it does include Latin words :)
However, if I may offer a different criticism of my own claim, there is
a question of the evidence of positive benefits of responsible
disclosure. Rescola presents data
http://www.usenix.org/events/sec03/tech/rescorla.html that even with a
well-timed responsible disclosure of a major vulnerability (OpenSSL
chunking bug) many many people just never bothered to patch. However,
this study concerns only a single vulnerability, and it is possible that
OpenSSL was not widely patched because it is reputed to be a difficult
upgrade to perform correctly.
There is, by the way, a more subtle problem with the argument against
full disclosure: the argument focuses entirely on short-term effects and
ignores long-term effects.
Forcible disclosure with a time like as specified in the RFPolicy
http://www.wiretrip.net/rfp/policy.html would seem to have nearly
identical long-term effects with much less damaging short-term effects.
Is it your contention that a "patch up or else" disclosure policy like
the RFPolicy does *not* cause programmers to clean up their act? Can you
justify how abrupt disclosure encourages any better behavior than timed
disclosure at the discretion of the bug-finder?
But the basic problem with the argument is
that it's out of whack with reality. If you think that hiding security
information keeps us safe, you're deluding yourself.
But I *do not* think that hiding security information keeps us safe.
Rather, I think that disclosing vulnerability information has impact on
attackers and defenders, and the *timing* of that disclosure, especially
with respect to the availability of a patch, has critical impact on who
it impacts and how much.
Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
