[Dshield] Security Firm May Stay Mum on Vulnerabilities in the Future

Ed Truitt ed.truitt at etee2k.net
Tue Aug 9 13:01:19 GMT 2005

Roger A. Grimes wrote:

>-No, you're right. That is the trade off. I'm fully aware of it. That's
>a valid argument and concern. I just weigh it against which really makes
>more risk. One guy hacking with his private exploit, which happens daily
>regardless of what little drips and drabs are released to the public,
>isn't nearly the threat that a world known POC is.  Those hurt everyone.
>-I'm not completely against public disclosure.  People that do it are
>not my enemies, but if I look at what causes me the most work and the
>most risk, it's public disclosure hands down. Just based on my own
>experiences.  The hundred or so professional blackhats aren't being
>affected all that much by what little is released in the public arena.
>I've known exploits for years before they were closed...and I'm probably
>only a mid-level hacker.  When an exploit is publicly disclosed even the
>low-level hackers start breaking in easy. So for every public exploit,
>I've got to worry about the black hats and a million other people who
>want their time in the spotlight.  If it was disclosed to the public,
>I've only got to worry about the talented guys (who are there
>regardless).  Just my opinion.

Public disclosure vs. keeping bad things secret has always been a point 
of tension within the "security" community.  Unfortunately, the result 
of keeping things under wraps is that it tends to lead, over time, to 
people abusing the process by "classifying" information that might prove 
embarrassing, or show that they were less than competent/diligent in 
performing their duties, at which point the pendulum tends to swing back 
toward "public disclosure".  Certainly, knowledge being out in the open 
is almost always more "hassle" than keeping it within a small community 
of elites (those with "need to know").  In some areas (for example, 
troop movements, or military operational plans) secrecy is necessary -- 
but, if we expand the scope too far, then when we are asked to be "on 
the lookout for suspicious behavior" we tend to cast a very wide net 
since all we have to go on is our own bias and prejudice (because the 
real information we need to make a valid evaluation is "classified"), 
and so we end up with a lot of false positives - with potentially tragic 
consequences.  In the IT arena, I can remember when I had a snort rule 
that basically fired for any inbound traffic with a dest port == 1433 
(this back in the early SQL Snake days) -- and how fast my disk filled 
up, some of which was distinctly false positive.

One interesting thought, though -- full disclosure vs. so-called 
"responsible disclosure" may become a moot point in the future.  As 
disclosure of security vulnerabilities is being shown to have an impact 
on a company's stock value, the Sarbanes-Oxley law may end up 
*mandating* full disclosure *by the company itself*, in the name of 
"transparency" on the part of the C-levels.  Of course, IANAL either, 
but it will be interesting to see how this plays out in the future.


Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."  
