Tuesday, July 20, 2010

full disclosure as disarmament

i suppose it was only a matter of time before i linked to some article that touched on the sad story of tavis ormandy (backstory for those living under a rock: he disclosed a serious windows flaw to the public after a rather pitiful amount of negotiation with microsoft over the patch timeline). i'm a little too late to the party to bother with vilifying him, but the arguments used to support him could stand and be reused in the future and those need to be addressed.

the most interesting of those arguments that i've witnessed so far comes from lurene grenier who wrote a guest article for zdnet about how tavis supposedly acted responsibly by fully disclosing the details of the vulnerability. what interests me so much about her argument is the idea that tavis was actually disarming the bad guys:
So we must ask, were the actions that  Tavis took responsible? Would it have been more responsible to allow a company to sit on a serious bug for an extended period of time? The bugs we are discussing are APT quality bugs. Disclosing them removes ammunition from APT attackers.
now i shouldn't have to remind people that full disclosure actually puts ammunition INTO the hands of bad guys - and this case was no exception. it was only a matter of days before people started seeing attacks leveraging tavis' discovery in the wild. that doesn't contradict lurene's argument, though, because her argument is carefully constructed around the concept of APT (advanced persistent threat) attackers. she contends that when vulnerabilities of this calibre are disclosed they are no longer of use to "serious attackers".

i propose a different way of looking at things:
  1. when an attack's days become numbered, an attacker who had been sitting on it with plans on using it might just let it fade away OR such an attacker could decide to pull the trigger right then and there to get as much use out of it as possible in the time s/he has left. patches and mitigations take time to develop and deploy so any disarmament sort of effect would not be immediate.
  2. it seems entirely probable to me that a so-called serious attacker, specifically one who qualifies as an advanced persistent threat, would not just sit on the attack and wait. such an attacker would have used the attack to gain access to whatever high-value target they had in mind long ago. it is easier to retain access (which can be done through more mundane methods) than to gain it in the first place. so while it may well be possible to liken the disclosure of a high value vulnerability to the removal of ammunition, it seems likely that that ammunition has already been spent, and removing spent ammunition doesn't have quite as big a benefit for us as lurene probably had in mind.
  3. the implication that only APT style attackers are serious, that they're the only ones we really need to worry about is quite frankly farcical. while it's true that they are one of the few credible threats to power generation facilities and other infrastructure level targets, to imply that they are the only ones we need to worry about displays the same narrow-mindedness that we've previously seen applied to financially motivated cybercrime. there are more things in heaven and earth than are dreampt of in your philosophy if all you care about is APT.
  4. finally, even if we were to accept the argument that full disclosure takes ammunition away from APT-style attackers, it demonstrably puts it in the hands of other attackers. taking ammunition out of the hands of a highly selective minority and putting it into the hands of a far larger, less discriminating and less controlled adversary doesn't seem like all that clear-cut a case of making things better. it may lessen the potential impact of the attack in theory (arguably), but it demonstrably increases the probability and scope of the attack in practice. 
if i were to take arms away from terrorists and give them to criminals, would that really be better? that's a really tough argument to make - i don't think it's supportable. the concept of disarming APT-style attackers is an interesting one, but responsible disclosure does the same thing and it minimizes the unwanted fall-out. so when faced with a choice between 2 evils did tavis ormandy choose the lesser evil? not so much, and that makes his actions irresponsible.

4 comments:

Anonymous said...

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

What would have happened if you started looking for examples of it being exploited before you knew what to look for?

kurt wismer said...

what would have happened if you went looking for examples of it being exploited before it became public knowledge is that you'd find far, far fewer examples (perhaps even no examples).

i'm sure you think you're clever by trotting out the old "correlation does not imply causation" argument, but the malware world has numerous examples of researchers POC code being copied and used in malware instead of the bad guys developing the same technology independently (copied code is not too difficult to verify). in fact there are even examples of researchers binaries being used as-is (see for example jamie butler's POC stealthkit that became one of the most widely deployed stealthkits on earth at one point here). occam's razor dictates that the same must happen in the vulnerability world. the alternative explanation - that everyone who exploits the vulnerability magically new about it before the researchers disclosed it publicly, and simply decided to use it in ever increasing frequency only after the disclosure - is patently ridiculous.

ergo full disclosure does in fact aid the attackers.

Anonymous said...

http://threatpost.com/en_us/blogs/microsoft-knew-ie-zero-day-flaw-september-012110

No.

kurt wismer said...

wow, 1 whole word with completely ambiguous context and an example of what exactly? a vulnerability that was exploited minimally before disclosure (because few people knew about it) and maximally afterwards.

way to support my argument that disclosure arms the bad guys.