1
The Pros and Cons of Full Disclosure in Computer Security
  • Richard M. Smith
  • Internet Security and Privacy Consultant
  • rms@ComputerBytesMan.Com
2
Great political conflicts of our time
  • Israeli/Palestinian conflict
  • Northern Ireland conflict
  • Abortion
  • Gun ownership
  • Full Disclosure
3
My Bugtraq “experiment”
  • Subject line: “Can we afford full disclosure of security holes?” [1]
  • Received 170 replies, which is probably a Bugtraq record [2]
  • 95%+ of the responses were pro-full disclosure
  • URL: http://www.computerbytesman.com/security/fd.htm
4
Full disclosure defined
  • Full disclosure is one approach, in which full details of the vulnerability are disclosed to the public, often through Bugtraq or similar means. This must include disclosure of the details of the vulnerability (including how to detect and exploit it). More controversially, it may also involve release of sample code or an executable tool to exploit the problem. (Wikipedia) [3]
5
Security holes or vulnerabilities
  • Bugs in software that allow malicious code to run on a computer
  • They come in many flavors
    • Buffer overflows
    • Unsafe functions that can be called by untrusted code
    • SQL injection
    • Cross-site scripting
6
Poor security policies
  • Not bugs but risky design decisions in software
  • Example:  JavaScript code in HTML email messages
7
The basic premise of full disclosure
  • Full disclosure of a security hole will force a software company to create and release a software patch for the security hole in a timely manner [4]
  • Without this club, it is only natural that companies will attempt to ignore security problems in their software
8
Security through obscurity
  • A system relying on security through obscurity has theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them. (Wikipedia) [5]
9
The Bumper Sticker
  • Security through obscurity – It never works!
  • One piece of advice:  Never quote bumper stickers in a debate!
10
The cost of full disclosure
  • The “bad guys” will also learn about security holes that they can exploit in computer viruses, worms, Trojan horses, and other malware.
  • Publishing “Proof of Concept” code makes exploitation more likely
  • Full disclosure advocates believe that the benefits outweigh the costs [4]
11
The gun security debate
  • The benefit of private ownership of guns is that people and property are protected by deterring crime.  Just showing a gun can be enough to stop a crime. According to gun advocates, millions of crimes are prevented each year in the U.S. by guns.
  • The cost, however, is that tens of thousands of people are killed each year in the U.S. by guns in murders, accidents, and crimes of passion.
12
Full disclosure in action
  • Georgi Guninski releases his IE scriptlet advisory [8/21/1999] [6]
  • The advisory includes complete script code for running programs from a Web page or HTML email message
  • Microsoft releases a patch MS99-032 on 8/31/1999 [7]
13
Full disclosure in action (part 2)
  • “Zulu” releases source code for the “Bubbleboy” virus [11/27/1999] [8]
  • Bubbleboy is the first virus that lives inside of an HTML email message
  • Based on the Guninski demo code
  • Zulu credits Guninski for the demo code
  • Lots of press attention but the virus never makes it into the wild
14
Full Disclosure in action (part 3)
  • KaK worm is released on 12/31/1999; based on Guninski demo code [9]
  • Quickly becomes the most prevalent computer virus [10]
  • Tops the virus charts for more than 6 months
  • Many anti-virus packages could not handle viruses in HTML email messages at the time
15
Full disclosure in action (part 4)
  • “The Beginners' Guide to VBS Viruses” by “Neon_Killer” is published in Jan. 2001
  • “There are many alternative Outlook exploits that can be easily found and manipulated for use in VBS viruses on the Net, most of them are at http://www.guninski.com.” [11]
16
Internet Explorer security holes
  • More than 100 security holes have been found in IE by outside researchers [12]
  • Guninski has found about 50% of them [13]
  • Most, but not all have been patched
  • Only two have ever been used in malware that I am aware of.  These security holes were found by the “good guys”.
17
The real lesson of the KaK worm
  • Outlook had a bad security policy: by default it allowed script code to automatically execute in HTML email messages [14]
  • This poor security policy was first formally pointed out to Microsoft in August 1998
  • The problem wasn’t fixed until after ILOVEYOU hit
18
Are computer viruses an even better stick than full disclosure?
  • Melissa virus resulted in Outlook security update #1
  • ILOVEYOU resulted in Outlook security update #2
  • The macro virus plague got Microsoft to require signed macros in Microsoft Word
  • Code Red and Nimda IIS worms helped push along “Trustworthy Computing” initiative
19
Bottom line
  • In general, adopting proper software security policies is more important than fixing security holes.
  • Example: Most computer viruses don’t rely on computer security holes
  • Unfortunately, the Microsoft security team does not deal with security policies, only security holes.
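The distinction the talk draws between a security hole (one bug that gets one patch) and a security policy (whether script in an HTML message is allowed to run at all, slides 6, 17 and 19) is easiest to see in code. What follows is an added example written for this page, not code from the talk, from Microsoft, or from any mail client: a small sanitizer that enforces the policy "HTML mail is rendered with no active content", so that a KaK-style message is neutralised whether or not the particular scriptlet hole has been patched. It uses only Python's standard html.parser. The sample message is constructed for the example, the classid in it is a placeholder GUID, and the tag and attribute lists are generic active-content vectors, not a description of any specific Outlook bug.

```python
# Added example, not from the slides: an HTML e-mail sanitizer that enforces a
# policy ("mail never gets active content") instead of patching individual
# holes. The message at the bottom is constructed for this example, and the
# classid in it is a placeholder, not a real control.
import html
from html.parser import HTMLParser

# Elements that can run code, or pull in code, when an HTML message is rendered.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame",
               "link", "meta", "base", "form"}
# Attributes that carry URLs; only these schemes survive in them.
URL_ATTRS = {"href", "src", "action", "background"}
SAFE_SCHEMES = ("http:", "https:", "mailto:", "cid:")


def _safe_url(value):
    """True for relative URLs and for URLs with a whitelisted scheme.

    Whitespace and control characters are stripped first, because
    "jAva<TAB>script:" is still javascript: to a lenient renderer.
    """
    if value is None:
        return True
    v = "".join(ch for ch in value if ch > " ").lower()
    colon = v.find(":")
    if colon == -1:
        return True                      # no scheme at all: relative URL
    if any(0 <= v.find(c) < colon for c in "/?#"):
        return True                      # ':' only in path/query: relative URL
    return v[:colon + 1] in SAFE_SCHEMES


def _render_tag(tag, attrs):
    parts = [tag] + [name if value is None
                     else f'{name}="{html.escape(value, quote=True)}"'
                     for name, value in attrs]
    return "<" + " ".join(parts) + ">"


class MailSanitizer(HTMLParser):
    """Rebuilds the message, dropping active elements (with their contents),
    on* event handlers, unsafe URL schemes, CSS expression() and all comments."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.removed = []    # audit trail of what was stripped
        self._skip_tag = None
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if self._skip_tag is not None:       # inside a dropped element
            if tag == self._skip_tag:
                self._skip_depth += 1
            return
        if tag in ACTIVE_TAGS:
            self.removed.append(f"<{tag}>")
            self._skip_tag, self._skip_depth = tag, 1
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):        # onload=, onerror=, onclick=, ...
                self.removed.append(f"{tag}@{name}")
            elif name in URL_ATTRS and not _safe_url(value):
                self.removed.append(f"{tag}@{name}")
            elif name == "style" and "expression(" in (value or "").lower().replace(" ", ""):
                self.removed.append(f"{tag}@{name}")   # IE ran script from CSS expression()
            else:
                kept.append((name, value))
        self.out.append(_render_tag(tag, kept))

    def handle_endtag(self, tag):
        if self._skip_tag is not None:
            if tag == self._skip_tag:
                self._skip_depth -= 1
                if self._skip_depth == 0:
                    self._skip_tag = None
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_tag is None:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass    # IE conditional comments can smuggle markup past naive filters


def sanitize_html_mail(body):
    """Return (sanitized_html, list_of_removed_items)."""
    p = MailSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.removed


# Constructed sample message; the classid is a placeholder GUID.
SAMPLE_MESSAGE = """<html><body onload="alert('hi')">
<p>Hello</p>
<script language="JavaScript">document.write('pwned');</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"><param name="x" value="y"></object>
<a href="jAva\tscript:evil()">click</a>
<a href="http://example.com/page#top">ok</a>
<img src="cid:logo@example.com" onerror="evil()">
<!--[if IE]><script>evil()</script><![endif]-->
<p style="width: expression(evil())">styled</p>
</body></html>"""

if __name__ == "__main__":
    cleaned, removed = sanitize_html_mail(SAMPLE_MESSAGE)
    print(cleaned)
    print("removed:", removed)
```

Running it prints the cleaned message followed by the audit list of what was dropped. Note what the filter does not need: it never looks at which ActiveX control, scriptlet or typelib a message invokes, because the policy removes the whole class of active content. That is also what slide 20 means by "removing functionality": a message that legitimately relied on script or embedded objects no longer works, which is the trade the policy makes.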
20
Security policies are messy
  • Means removing functionality
  • Policies are not black and white, and they are open to debate
  • Policies often only cut back on problems; they are not 100% solutions
  • Our customers might get mad at us
21
What are some of the other benefits of full disclosure?
  • Users can provide their own fixes to security holes
  • Software developers can learn from other people’s mistakes
  • Other security researchers can look for similar problems in the same or other software packages
22
Open Source Software and full disclosure
  • More disclosure is required for Open Source Software because many vendors, organizations, and individuals have to be part of the patch process
  • “Proof of concept” code needs to be distributed more widely for testing patches
23
Disclosure policies that work for me
  • Get the vendor involved right in the beginning even if all the details of a problem aren’t known
  • For dangerous problems, don’t publish exploit or “proof-of-concept” code
  • Don’t be in a rush to go public with an advisory
  • Offer users work-arounds
24
Partial disclosure
  • Upside: Provides less help to the bad guys, making it less likely that a security hole will be exploited.
  • Full-disclosure information can be provided on a “need-to-know” basis.
  • May not work for Open Source Software
  • What’s hard for people:  Knowing when you are saying too much about a problem
25
What are some of the hidden agendas behind full disclosure?
  • Marketing
  • Money
  • Puzzle solving
26
Marketing
  • Full disclosure gets press coverage for smaller security companies and a little bit of fame for security researchers [15] [16]
  • Press coverage is “free” advertising
27
Money
  • Security FUD sells more security software [17]
  • Highly visible virus outbreaks sell more anti-virus software and other computer security solutions.
  • Many security vendors need to understand security holes completely.  Full disclosure means they get this information for free.
28
The one billion dollar computer security question…
  • Do I really want to be paying money to a company for security software and services that is also helping the “bad guys” to attack my systems?
  • Historically, the anti-virus business has had “codes of conduct” which forbid helping computer virus writers. [18]
  • What about Symantec and Bugtraq? [19]
29
Puzzle solving
  • Security researchers like to solve puzzles because they are curious
  • Much of the research that goes into looking into security holes cannot be justified on business grounds
30
Who do we “blame” for malware?
  • The software vendor? [20]
  • The security researcher? [21]
  • Bugtraq? [19]
  • The Media? [22]
  • The malware author? [23]
  • The IT department? [24]
  • The user? [25]