Debian attacker may have used new exploit

Wed Dec 3 19:42:32 UTC 2003

On Wed, Dec 03, 2003 at 08:59:17AM -0500, JoeHill wrote:
> On Wed, 3 Dec 2003 09:16:11 -0500
> John Macdonald <jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at public.gmane.org> wrote:
> 
> > Immediate public disclosure does not provide more eyes
> > for a bug in MS code, just more eyes in the cracker
> > community.
> 
> That is a myth, propagated by MS and other proprietary vendors, to avoid
> embarassment and having to do actual work to improve security.

Immediate public disclosure of an MS bug provides
zero additional eyes for fixing it.  Guaranteed.
Possibly, it might provide zero additional cracker
eyes, but perhaps it might not.  The best possibility
there is for immediate disclosure to break even,
more likely it loses.

Let's toss coins for a while - heads you pay me $50,
tails we call it a draw.  Hey, you might not lose.

> Witness the recent case of Diebold and their voting machines. If it were not for
> the work of students and activists at Swarthmore College, no one would ever have
> known of the security flaws. Diebold certainly showed no interest in fixing the
> problem, even though internal memos showed they were aware of those flaws. It
> was only after said students published the internal memos online that enough
> pressure is being brought to bear on Diebold to fix the vulnerabilities. Now
> what software were those machines running agian...? Oh, that's right, MS.

That's not affected by this argument.  Delayed public
disclosure, to give them a chance to fix the problem,
followed by automatic public disclosure a suitable
time afterward will show up the cases that are showing
no interest.  In fact, it makes it far more obvious -
they had a chance to fix the problem and just ignored
it hoping no-one would ever notice.  Immediate public
disclosure denies them any opportunity to show the
proper level of concern.

> > Telling MS of a bug, and then telling the world later
> > of the bug (and that MS was told a month earlier
> > so that people can judge whether their response was
> > adequate) provide more than ample pressure, and may
> > reduce the number of exploits carried out against
> > victims who have never had any warning or chance to
> > apply a fix because there wasn't one.  If MS responds
> > prompty (which they are doing better at these days -
> > they've learned that they have to), then when the
> > public announcement goes out any attacks prompted by
> > the announcement can only be applied against people
> > who have not yet applied the fix.
> 
> Again, facts and reality fly in the face of this argument. Hackers are usually,
> if not always, aware of these vulnerabilities before the security
> "establishment", and certainly before software designers can come up with a 
> patch. Full public disclosure is one way to give the vast majority of users a
> head start, before a patch can even be issued, so that they can at least be
> aware of the risk. In fact, following this logic, it could be proposed that
> disclosure be even *more* widespread, as soon and as widely as possible.
> Security issues are not solved by a patch, they are mitigated by awareness.

Some crackers might already know of the problem,
but that is not affected by either choice (delay
or immediate publication).  The issue is whether
disclosure will cause any more crackers to learn
of (it's not likely to make any of the ones that
already know of it to forget, so we're back to at
best breaking even and anything other than the best
possibility is losing).

> Finally, there is no way to develop an enforceable "policy" in this regard, so
> it is not realistic to expect that, even if you assume this "myth" is true,
> people will not go on publicly releasing info on exploits. It's more realistic
> to find a way to deal with the *expectation* that the exploits are already
> widely known, and to work from there.

You're choosing between throwing out the baby with
the bathwater or never bathing the baby.

Automatic public disclosure is a good thing.
Immediate public disclosure before a fix is available
is sometimes no worse than delayed but could easily
be worse.  It is never better.

> If you read the full account of the Debian incident, you will see that that is
> exactly what happened, and exactly the attitude that was taken. Nothing radical
> here! In fact, if you do a quick google on this topic, you will find that
> nothing I'm saying is particularly original, this is the opinion of much bigger
> fish than you or I.

I read it.

It appeared after they had a fix for the kernel and
even so, it does not provide specific details of the
mechanism used, not the binary of the program used.

That is in no way "public disclosure in advance of
informing the affected parties".  It fits my model
of appropriate behaviour perfectly well and provides
no reason to choose your model instead.
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml