Disclosure versus Non-disclosure.

Our very own fight club!
Big-E
Administrator
Posts: 1332
Joined: 16 May 2007, 16:00
Location: IN UR ____ , ____ING UR _____ .

Disclosure versus Non-disclosure.

Post by Big-E »

With the release of the latest DNS exploit at Black Hat by Dan Kaminsky, a noted white-hat hacker, it has got me thinking.

When does one disclose vulnerabilities versus only alerting the company/organization associated with that particular vulnerability? Do you think it is not only a good idea, but necessary, to release such vulnerabilities to force programmers/companies to take the security of an application as seriously as usability/functionality? They have not in the past; I am almost certain that such disclosures have forced the likes of Microsoft to take security seriously, and I am sure they even lost a good deal of market share due to their constant vulnerabilities and constant attacks.

Cisco is another company sitting at the top, under constant attack and often forced to release quick fixes due to disclosure. I propose the following question: how long would it take the company to fix a vulnerability if it was not disclosed to the public, versus how long it would take to fix it once it was released to the public?

I am interested in your responses.

uid0
Fame ! Where are the chicks?!
Posts: 106
Joined: 08 Jun 2008, 16:00

Post by uid0 »

Uh...a hot topic ^^

Personally, I believe in full disclosure more than contacting the company before disclosure; however, that shouldn't be interpreted as it not being good to contact the company. They deserve to know, but on the other hand, "clients" deserve to know too, and I think that is the point at which I believe full disclosure is better.

Big companies have big egos. Sadly enough, this has been proven more than once to be a very bad thing for security. There's always this false sense of security companies have when a vulnerability has been found; things like "that's unlikely to happen" or "it's unlikely that this flaw is going to compromise clients' data" are scarily common.

I think a good example of this could be the Pwnie Awards: in the best server-side bug category you have the IGMP vulnerability. There were people saying it was unlikely this vulnerability would be a problem in "real world conditions"; however, a reliable exploit was made to prove otherwise.

Recently, a 0day was published at milw0rm for Oracle software. In this case there was full disclosure without previously contacting the company about the vulnerability. The result? Besides Oracle being pissed off, the next day Oracle was releasing a workaround in a hurry to avoid this vulnerability. Could this have been different if Oracle had been contacted first? I think it could have been very different; my guess is that Oracle would have taken a few days to verify the problem and waited until the next update cycle to distribute a patch. This is just my guess, but I think a very accurate one, because that's what most companies do.

If my guess is correct, then there's a big difference in result by doing full disclosure, because clients have a solution (even if it's a workaround) the next day instead of waiting for the next update cycle, and when such a cycle is 15 days ahead, it is a big deal for clients because exploiting a vulnerability can be just a matter of minutes.

What would have happened with the bug in Debian's OpenSSL package if disclosure hadn't been addressed? Clients would have received a patch for sure during an update; however, it's possible that this would have been seen as just another security update, without clients considering the impact the PRNG bug could have on their systems, and thus paying less attention to it.

Sadly, something that I think has been proven more than once is that companies take vulnerabilities seriously when they see there's a serious problem going on, and serious problems only occur when attackers start to exploit these vulnerabilities. I'm not a security expert, but I think that this is just wrong.

When it seems that companies quickly address security problems when they are forced to, you just can't avoid asking yourself: why is this? Why this big ego and security through obscurity?

With the DNS flaw, I think that Dan did the right thing; however, he kinda played for both sides. He alerted the companies and tried to avoid leaking information and disclosure as much as he could, but on the other hand he forced companies by saying "you have one month to patch": after a month, no matter if servers are patched or not, the information will be disclosed.

In this case this was good because you're still forcing companies to address the problem, but given the impact that this problem can have on the entire Internet infrastructure, it was good to avoid disclosure as much as you could.

My belief is that full disclosure should be addressed as much as you can, because to many companies it seems more like a bureaucracy thing to address security, like "oh...I see, we'll be verifying your information about the problem in the next few days...". I'm not saying that companies shouldn't verify that vulnerabilities are indeed vulnerabilities; however, it is more like a support ticket system where you say that this problem exists and they just put you on hold.

Finally, as I said, clients deserve to know what's happening with the software they use. They should be able to measure the impact a problem can have for their companies, and in a world where most companies avoid giving such information to clients, full disclosure is a good way to address this.
