Full disclosure: Wikis

  

Note: Many of our articles have direct quotes from sources you can cite, within the Wikipedia article! This article doesn't yet, but we're working on it! See more info or our list of citable articles.

Encyclopedia

From Wikipedia, the free encyclopedia

In computer security, full disclosure means to disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity. The concept of full disclosure is controversial, but not new; it has been an issue for locksmiths since the 19th century.

Contents

Definition

Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. Fixes are produced faster because vendors and authors are forced to respond in order to protect their system from potential attacks as well as to protect their own image. Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.

In the realm of computer vulnerabilities, disclosure is often achieved via mailing lists such as Full-Disclosure mailing list and by other means.

Various interpretations

Even among those who believe in disclosure there are differing policies about when, to whom, and how much to disclose.

Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. This philosophy is sometimes called responsible disclosure.

In the case that a vendor is notified and a fix is not produced within a reasonable time, disclosure is generally made to the public. Opinions differ on what constitutes a reasonable time. Fourteen to thirty days is typical, although the period could be a matter of hours. Internet Security Systems were widely criticised for allowing less than eight hours before disclosing details of a vulnerability in the Apache HTTP Server.

Limited disclosure, with full details going to a restricted community of developers and vendors, and only the existence of the problem being released to the public, is another possible approach. Advocates of this approach also claim the term "responsible disclosure".

To address the controversy of disclosing harmful information to the general Internet community, including blackhats, Rain Forest Puppy developed the RFPolicy, which is an attempt to create a proper way to alert vendors to security problems in their products, and establish guidelines on what to do if the vendor fails to respond.

One challenge with "responsible disclosure" is that some vendors do not respond, or inordinately delay their response, to vulnerability reports that are not public. As long as a vulnerability is not widely known to the public (with enough detail to reproduce the attack), vendors may refuse to fix the vulnerability or refuse to give it enough priority to actually repair it. Unfortunately, vulnerabilities reported to a vendor may already be exploited, or may soon be detected by someone with intent to exploit them. Thus, most security researchers set maximum times (such as 14 days or 30 days) before fully revealing a vulnerability to the public, since otherwise many vendors would never fix even critical vulnerabilities in their products. Many security researchers cite vendors' past failure to respond to vulnerability reports as the reason that they fully disclose vulnerabilities.

History

The issue of full disclosure was first raised in the context of locksmithing, in a 19th century controversy regarding whether weaknesses in lock systems should be kept secret in the locksmithing community, or revealed to the public.

According to A. C. Hobbs:

A commercial, and in some respects a social doubt has been started within the last year or two, whether it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.

Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.

It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear, milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.

— A. C. Hobbs (Charles Tomlinson, ed.), Locks and Safes: The Construction of Locks. Published by Virtue & Co., London, 1853 (revised 1868).

The full disclosure debate came back to life through dissatisfaction at the methods employed by the Internet security infrastructure in the early 1990s. Software security vulnerabilities were reported to CERT, which would then inform the vendor of that software. Public disclosure of the hole would not take place until the vendor had readied a patch to fix it.

Description made by Mr. Pooley describing one of its own letter-padlock design, excerpt from a Liverpool paper relating a lecture made before the Architectural and Archaeological Society of Liverpool in 1852 :

If this lock is of any value, it should be known; if it has weak points, let them be pointed out, and they may admit of a remedy; for we ought not to be led to believe a lock is safe which is not so.

A treatise on fire and thief-proof depositories, and locks and keys.[1] By George Price.

However, since the disclosures were private, some vendors took years to produce a fix, or never produced a fix at all. In the meantime, the vulnerabilities were actively exploited by crackers. The tendency by software companies to ignore warnings and rely on crackers' ignorance of the problem became known as security through obscurity.

Since CERT and the vendors were aware of the holes, but attempted to keep them secret even to the administrators of machines being cracked in the field, it was felt that CERT's policies were a manifestation of an impractical, "ivory tower" attitude.

In response to this, mailing lists and other avenues for full disclosure were established, notably the Full-Disclosure mailing list.

Mailing list

Full-Disclosure is being seen as radical by many not knowing how the security community works, it is in fact a crucial part of the infrastructure in the security community as it is the only significant security list not being moderated by a commercial entity with its own hidden agenda.

Though Secunia often disagrees with the conclusions being drawn on Full-Disclosure or some of the irresponsible disclosures being made, Secunia never attempts to intervene - in fact Full-Disclosure is out of Secunia's control and is solely run by John Cartwright who has been active in maintaining Full-Disclosure since it was launched by Len Rose and John Cartwright in 2002 as an alternative to the moderated and biased lists predominant at the time.

A security consultant who went by the pseudonym "n3td3v" was controversially banned from the Full-Disclosure mailing list on January 21 2009

Controversy

Full disclosure can be controversial, as often these disclosures include code or executable tools to exploit the vulnerability. The argument against disclosure is that providing complete details or tools to malicious attackers, such as blackhats and script kiddies, allows them to take advantage of vulnerabilities more quickly and makes attacks more widespread. However, this argument assumes that without disclosure such tools and attacks would not have occurred. The advantage of disclosure is that whitehats will obtain the information, and that the vulnerability will be detected and patched more quickly.

References

See also

External links


In computer security, full disclosure means to disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity. The concept of full disclosure is controversial, but not new; it has been an issue for locksmiths since the 19th century.

Contents

Definition

Full disclosure requires[citation needed] that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. Fixes are produced faster because vendors and authors are forced to respond in order to protect their system from potential attacks as well as to protect their own image. Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.

In the realm of computer vulnerabilities, disclosure is often achieved via mailing lists such as a Full-Disclosure mailing list and by other means.

Various interpretations

Even among those who believe in disclosure there are differing policies about when, to whom, and how much to disclose.

Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. This philosophy is sometimes called responsible disclosure.

In the case that a vendor is notified and a fix is not produced within a reasonable time, disclosure is generally made to the public. Opinions differ on what constitutes a reasonable time[citation needed]. Fourteen to thirty days is typical, although the period could be a matter of hours.[citation needed] Internet Security Systems was widely criticized for allowing less than eight hours before disclosing details of a vulnerability in the Apache HTTP Server.[citation needed]

Limited disclosure, is an alternative approach where full details of the vulnerability are provided to a restricted community of developers and vendors while the public is only informed of a potential security issue. Advocates of this approach also claim the term "responsible disclosure".[citation needed]

To address the controversy of disclosing harmful information to the general Internet community, including blackhats, Rain Forest Puppy developed the RFPolicy, which is an attempt to formalize the process of alerting vendors to security problems in their products, and establish guidelines on what to do if the vendor fails to respond.

One challenge with "responsible disclosure" is that some vendors do not respond, or inordinately delay their response, to vulnerability reports that are not public. As long as a vulnerability is not widely known to the public (with enough detail to reproduce the attack), vendors may refuse to fix the vulnerability or refuse to give it enough priority to actually repair it. Unfortunately, vulnerabilities reported to a vendor may already be exploited, or may soon be detected by someone with intent to exploit them. Thus, most security researchers set maximum times (such as 14 days or 30 days)[citation needed] before fully revealing a vulnerability to the public, since otherwise many vendors would never fix even critical vulnerabilities in their products. Many security researchers cite vendors' past failure to respond to vulnerability reports as the reason that they fully disclose vulnerabilities.

History

The issue of full disclosure was first raised in the context of locksmithing, in a 19th century controversy regarding whether weaknesses in lock systems should be kept secret in the locksmithing community, or revealed to the public.

According to A. C. Hobbs:

A commercial, and in some respects a social doubt has been started within the last year or two, whether it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.

Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.

It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear, milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.

— A. C. Hobbs (Charles Tomlinson, ed.), Locks and Safes: The Construction of Locks. Published by Virtue & Co., London, 1853 (revised 1868).

The full disclosure debate came back to life through dissatisfaction at the methods employed by the Internet security infrastructure in the early 1990s. Software security vulnerabilities were reported to CERT, which would then inform the vendor of that software. Public disclosure of the hole would not take place until the vendor had readied a patch to fix it.

However, since the disclosures were private, some vendors took years to produce a fix[citation needed], or never produced a fix at all[citation needed]. In the meantime, the vulnerabilities were actively exploited by crackers.[citation needed] The tendency by software companies to ignore warnings and rely on crackers' ignorance[citation needed] of the problem became known as security through obscurity.

Since CERT and the vendors were aware of the holes, but attempted to keep them secret even to the administrators of machines being cracked in the field, it was felt that CERT's policies were a manifestation of an impractical, "ivory tower" attitude.

In response to this, mailing lists and other avenues for full disclosure were established, notably the Full-Disclosure mailing list.

Mailing list

Full-Disclosure is viewed as radical by many not knowing how the security community works[citation needed], it is in fact a crucial part of the infrastructure in the security community[citation needed] as it is the only significant security list[citation needed] not moderated by a commercial entity with its own hidden agenda[citation needed].

Though Secunia often disagrees with the conclusions being drawn on Full-Disclosure[citation needed] or some of the irresponsible disclosures being made[citation needed], Secunia never attempts to intervene[citation needed] - in fact Full-Disclosure is out of Secunia's control and is solely run by John Cartwright who has been active in maintaining Full-Disclosure since it was launched by Len Rose and John Cartwright in 2002 as an alternative to the moderated and biased lists predominant at the time[citation needed].

Controversy

Full disclosure can be controversial, as often these disclosures include code or executable tools to exploit the vulnerability. The argument against disclosure is that providing complete details or tools to malicious attackers, such as black hats and script kiddies, allows them to take advantage of vulnerabilities more quickly and makes attacks more widespread. However, this argument assumes that without disclosure such tools and attacks would not have occurred. The advantage of disclosure is that White hats will obtain the information, and that the vulnerability will be detected and patched more quickly.

n3td3v was banned from the Full-Disclosure mailing list on January 21 2009. n3td3v is thought to be banned in response to his widespread criticism of irresponsible disclosure pratices carried out by some security researchers, such as HD Moore, and more recently Laurent Gaffié and Tavis Ormandy.[1] Some saw the banning of n3td3v as an attack on freedom of speech[citation needed], while others accused him of being an internet troll.[2]

In August 2010, HD Moore found about 40 vulnerabilities related to DLL load hijacking in Windows applications that Rapid7 was going to publish under its vulnerability disclosure policy.[3][citation needed] Arcos, a Slovenian security firm, found one related vulnerability for iTunes and decided to publish without alerting the vendor, saying "it hasn’t paid out well" in the past and "we’ve found better markets for this kind of information".[4]

See also

References

External links








Got something to say? Make a comment.
Your name
Your email address
Message