The REAL zero-day
Thomas Ptacek | August 10th, 2005 | Filed Under: Uncategorized
From Lindstrom’s latest, and here only because it’s not directly a full-disclosure argument. Lindstrom is dubious about researchers who claim to be “in the know” about secret vulnerabilities:
If you really do know and can’t say, why would you hang the entire Internet out to dry by keeping in-the-wild exploits against undercover vulnerabilities a secret while you encourage the wheel spinning of research and disclosure?
Here are a couple reasons “why”:
You found the hole and are waiting for vendor response
You know the people who found the hole are waiting for vendor response
You know people who were victimized by the hole and that the hole is part of an active investigation
You know the hole exists but not how to make the exploit work
You know the exploit exists but not the details of the hole it exploits
Your knowledge of the hole is connected with a work-for-hire situation that attributes ownership of the information to someone else
Your information about the hole comes from a confidential informant who will be compromised by your disclosure
Like Lindstrom, you believe that disclosing the hole will do more harm than good
Having knowledge of vulnerabilities that are not public is, and always has been, a commonplace among people working in this field. Some of my reasons (like the “confidential information” thing) sound “cloak and dagger” but are really pedestrian: “a friend told me”, and “the only purpose served by me publishing is that I’ll never get a heads-up from her again”.
Certainly this is one of the ethical conundrums you’d like to see a real security code of ethics addressing.
Also, as an aside to Lindstrom, you betray a certain mindset when you refer to exploits as “in the wild”. We don’t work in antivirus, and I think you’d agree that there’s no such thing as a “dormant” vulnerability.
Updated 2:45P CST
Lindstrom clarifies what he means by “in the wild”. Granting that the distinction he’s making is meaningful, here’s the issue:
In antivirus, the difference between an “in the wild” virus and a “laboratory” virus is that you care about “in the wild” viruses.
By Lindstrom’s definition, you’d be negligent in any setting, triage or not, if you left a vulnerability open on a public-facing resource just because you didn’t know about its “in the wild” implications.
It’s not just that we’re shifting mindsets to antivirus, where the bar for security is much lower than here, where we’re defending Tibco trading transactions for Fortune 10 financial institutions. It’s that antivirus uses the term in a very loaded manner that provokes a certain (somewhat casual) risk response, and I think it’s dangerous to bring that way of thinking into real security.