02 October 2008

About Disclosure

Let me start off by saying that I wish I had time to sit down and write this in a very concise, coherent manner. Unfortunately, I don't, so instead of a well written post, here's a rapid brain dump.

A couple of researchers (Robert E. Lee and Jack C. Louis) have recently been making a very large amount of press for discovering a new vulnerability in TCP. (see this blog post for a starting point).

The researchers are fairly well respected (among other things, they authored unicornscan, which is a tool that I am quite fond of).

Like Dan Kaminsky and the DNS fiasco not too long ago, they have decided to go with what a colleague of mine accurately referred to as "dribble disclosure", that is, they've said there's a problem, and they've given a large number of interviews giving out bits and pieces of what it may be, how they found it, etc. but they have not come out all the way and said precisely what the issue is.

However, unlike Dan Kaminsky, they've done this *before* any patching of any kind has been released. It was bad enough trying to deal with this type of disclosure *after* vendors had already had a chance to patch, trying to do it without that benefit is insane.

The problem with this type of disclosure is that it leads to a gigantic circus of FUD, both in the media and otherwise. For example, there's some debate in various technical circles as to whether or not they have actually discovered anything new, or whether they've rediscovered older known issues.

I'm giving them the benefit of the doubt and presuming that they have in fact found something new, but without information, who knows? It's all guesswork.


As for the media, I wish it was only the uninformed "mass" media that were spreading unrest and FUD, unfortunately even security researchers are contributing to the festivities.

For example, Robert Hansen (or RSnake as he is known) makes the following statement in his take:

I feel winter slowly coming, and it would be a shame if entire power grids could be taken offline with a few keystrokes, or if supply chains could be interrupted. I hear it gets awfully cold in Scandinavia.


Are you kidding me? We've gone from no details at all to suddenly power grids being knocked offline. Never mind the fact that it's extremely unlikely (read: not gonna happen) that a device which controls the power grid of an area is directly connected to the internet. Devices that display power consumption/usage maybe, but not devices that control where that power is going and whether or not a given path is online.

Fyodor (of nmap fame) has posted his guess on the details of this new vulnerability (and an echo of my frustration at this type of disclosure as well), however Robert E. Lee replies that while Fyodor has very valid points and explains a bit of how their tool works, he doesn't quite explain the attack they've found.

That's one of the points of this rant: Smart people *are* going to figure out what the problem is. They may be "good guys", or they may be "bad guys" (in my opinion it is likely that both sides will figure it out). Either way, there are certainly enough clues given in the various reports/podcasts to enable an individual that is clueful about the protocol to figure out a likely scenario.

To make matters worse, this time there are at least five unique vulnerabilities which have been documented by Robert and Jack. This of course increases the odds that the exploit will be found (that is, someone will figure at least one of the five out, if not all of them.)

So what really is the point of disclosing this way?
It isn't helping anyone except the media and the researchers (because they get to revel in the media circus while it lasts).

More specifically:

  • It doesn't protect end users

  • It doesn't help administrators

  • It doesn't even help security researchers other than those doing the dribbling, because rather than allowing one to try to find ways to fix the problem, or even new ways to apply the problem to other areas, it forces them to try to recreate what's already been done using a disjointed trail of clues.



So, why do it this way?
Disclosure is simple really, either do it, or don't.

Personally, I think "full disclosure" (eg. 'do it') is best.
Whether you do so before or after "responsible" vendor notification, I don't care really. But get all the information out there when you do it, or keep your mouth shut until you're ready to do so.

I'm disgusted with this "new way" of doing things, and I've decided to coin a term for this method: discloscharades

Just like the game charades, this "half informed" nonsense ends up making the person dribbling clues out look silly or worse, and it leaves the people doing the guesswork frustrated and annoyed.

No comments:

Post a Comment