Tuesday, April 18, 2006

full disclosure

considering the tone of some of my past articles, some people could get the impression that i'm against full disclosure... nothing could be further from the truth...

i am in fact a proponent of full disclosure, but i don't approach the issue on simple blind faith as most people do... i've examined the arguments for and against full disclosure, i've looked at the underlying assumptions of those arguments, and i've made up my own mind about when full disclosure is appropriate and when it is not...

which is to say i support selective full disclosure... the fact is that those arguments against full disclosure have one thing right - making information on how to exploit vulnerabilities available to the public puts tools into the hands of bad guys... the reason full disclosure works is not because that doesn't happen, but because (theoretically at least) putting that information out there also hastens the correction of whatever mistake(s) led to the vulnerability and therefore closes the window of exposure for the vulnerability... it's a security trade-off, and being able to close the hole once and for all tips the balance in favour of this practice because it winds up doing more good than harm...

if the vulnerability is not correctable, however, and some genuinely aren't, then the good that full disclosure is supposed to do can't be done...

take for example the following vulnerability... if an attacker knows your name, address, and credit card number, your credit card is vulnerable to unauthorized purchasing by the attacker... this is obvious, and i hope it's also obvious that the credit card purchasing system can't really be corrected to prevent this - this is one of those cases where full disclosure of the information needed to perform the attack (your credit card info) cannot result in the attacked system being fixed to prevent that type of attack... the harm part of the equation is still present, of course...

many people don't consider the possibility that some vulnerabilities can't be fixed, however... they follow full disclosure blindly, with unwavering faith that it's going to improve the situation... they don't do that in my credit card example above, of course, because in reality everyone follows selective full disclosure without even realizing it... it seems to just be computer related vulnerabilities that people assume can always be corrected, which shows a regrettable but understandable ignorance of the finer points of computer science... serious computer security researchers should know better though...

full disclosure is a good thing, when applied appropriately - but just as free speech has limits on when and where it's appropriate (ex. don't yell fire in a crowded theatre), full disclosure has limits too... that's why i'm selective in my practice and support of full disclosure...