From: Luke Kenneth Casson Leighton (lkcl SAMBA-TNG.ORG)
Date: Sat Nov 03 2001 - 05:43:09 CST
On Fri, Nov 02, 2001 at 08:45:37PM -0500, Carter Mobley wrote:
> If Microsoft would simply offer cash rewards to vulnerability discoverers,
> conditioned on the discoverer promising to never disclose to a third party,
> I think the problem is solved quite nicely. For Microsoft, it's a cost of
> doing business, they can add it to the price of the software. All we need is
> a price list. What about this one?
>
> A. $25,000.00 for bringing down a fully patched web server
> B. $50,000.00 for accessing database records without setting off any
> alarms on a fully patched SQL server.
> C. $10,000.00 for accessing private information from a fully patched Windows
> XP Home Edition.
> etc...
>
> If we assume that over the course of the next 5 years that 100 A type
> vulnerabilities and 100 B type vulnerabilities are found, reported
> responsibly, and fixed by Microsoft, it cost Microsoft a total of 7.5
> million dollars in reward money to protect their customers, all
> vulnerabilities remaining 100 percent undisclosed.
>
> Any rational objections to this simple, inexpensive, yet effective plan?
yes, i have one and only one objection to this otherwise
very good plan: the undisclosure bit.
there's no guarantee that the information received will be
acted upon effectively or even at all.
sorry to put it quite so bluntly, but it's true.
the information so obtained could, instead, be used to...
say... simply delay releases of software.
let's imagine that several quite serious security problems were
found - twenty, all told.
one of them, the first one, was incredibly incredibly serious.
they're just about to release a hotfix, or a major new version,
with the problem fixed.
then in come the other nineteen problems.
the hotfix and new version are delayed whilst these other
nineteen problems are analysed, for impacts upon the hotfix
and the rest of the OS, and the entire testing procedure has
to go round AGAIN.
in the meantime, out on the internet, someone discovers
how to exploit Serious Problem No. 1.
too late!
so, no, i don't think that non-disclosure is a good idea.
oh, and for the record, i don't think that immediate disclosure
is a good idea _either_: that's just irresponsible.
[i worked for ISS, i know the procedure / algorithm for reporting
problems to vendors and working with vendors to get the
problem fixed quite well]
luke