Mogull and Lindstrom Are Smart, But Have Nothing New To Say About Disclosure

Thomas Ptacek | September 1st, 2006 | Filed Under: Disclosure, Uncategorized

What more can I say about the full disclosure debate that I haven’t already said?

  • That concealing vulnerabilities to make time for extra-safe patching hurts responsible enterprises, who have other responses besides patching? Nope. Said that already.

  • That if you’re going to patch vulnerabilities (and, be serious, you’re going to patch them!), it’s unreasonably difficult to hide the details anyway? Nope. Said that too.

  • That if researchers didn’t find vulnerabilities, the Russian Mafia would instead? Nope. But do you listen?

  • That without full disclosure, we’d have software as secure as Sendmail instead of qmail, Windows 98 instead of Vista, and NCSA HTTPD instead of Apache? I totally said that!

  • That an entire unimpeachably respectable branch of information security, cryptography, utterly depends on vulnerability research? I think Peter Lindstrom even agreed with me.

  • That vendors employ an arsenal of tricks to derail security research and make security researchers look bad? I wrote that in 1997. Please read it again, because it’s better than anything else I’ve written on the topic.

We even posted our own disclosure code of ethics. (Why doesn’t everyone do this?)

So there’s yet another full-disclosure-vulnerability-research argument brewing. Rich Mogull says research is ugly, but necessary to drive secure programming. He’s right except for the “ugly” part. Peter Lindstrom responds that the ends don’t justify the means; he’s wrong, because the means don’t need justifying. I also don’t know what he means by “conflict of interest”.

But I want to home in on something Rich Mogull said:

[Full disclosure is] about ego, control, and competition

Exactly what aspects of working in technology aren’t about ego, control, and competition? What do you think turns people into Linux kernel developers, or, for that matter, Linus? We’re people, not robots or Jesuit missionaries. The best of us are driven by pride in our craft and accomplishments. This isn’t a dirty secret. Competition and ego, held in check by ethics, are good things.

2 Comments

    I'm certainly not going to enter the fray of arguments for and against full disclosure (I don't wield rhetoric nearly surgically enough to stand up amidst the sparring parties), but I will say that in my short time in the security field, I have become a firm believer in full disclosure. Much like the RIAA futilely fighting against merging music with "electronic distribution," I feel that opponents of full disclosure are dangerously bound to find themselves in the past. Full disclosure is the future, for better or worse. And they may as well get on the side of better. Rather than whine and argue it for years, make a decision, and move forward with it, for the betterment of everyone.
    Aha! The RIAA analogy is a good one (let's add the MPAA to the lot as well). They will eventually listen to your "embrace change" pledge, but only when there is no other option left and after they've exacted the last possible penny from the consumer using non-electronic-distribution means.
    Full disclosure (whatever that means) is not the thing of the future; it is the thing of the past, and if it is still an accepted practice it is because before it there was no web, no Bugtraq, no Google, no security advisories and no publicly available information about security flaws. That is the only known and tested alternative, and it is demonstrably a failure.

    Some people, surprisingly some smart security industry analysts and not surprisingly some greedy businessmen, choose to ignore reality and would like us all to go back to the age of security obscurantism. I've been there, it wasn't any fun, and I don't want to go back. You can play ostrich if you like, but don't expect me to do it.
