Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: MSIE (mshtml.dll) OBJECT tag vulnerability
From: bkfsec <bkfsec () sdf lonestar org>
Date: Mon, 01 May 2006 14:29:35 -0400

Tim Bilbo wrote:

Setting aside analogies, the questions remain: Does full disclosure make
the IT community as whole less secure than it would otherwise would be?
Is it more dangerous to have a handfull of sophisticated blackhats
lurking about with an unknown exploit vs. publishing it for every
wannabe hacker to use?  I am confident that the answer is that fully
disclosing discovered vulnerabilites without first giving the vendor a
reasonable chance to address them is more harmful.
I'm confident in saying that full disclosure does not make the IT community as a whole less secure.

My experience, both seeing the white hat and the black hat side of the community fence at different points in my life, is that the black hats will always have access to a certain substrata of information that those of us living in the world of light (i.e. not in a basement) will not have access to for some time.

The problem with your question is that you're ultimately setting up an example that doesn't fit reality. The world you describe above is one where there are two tiers: Those with access to underground data and those without. The script kiddies on the outside, in the world described above, don't have access unless it's disclosed in public. The trouble is that the simplistic model doesn't represent reality. There are many strata in the black hat world and information is used until useless and then dumped into the lower strata as cannon fodder.

What you do usually see with full disclosure (likewise with patching), which is ironically dragged out as an argument against full disclosure, is that when a flaw is disclosed, you do see script kiddies coming out of the woodwork making loud noises with automated bots mass-owning systems. Is this the fault of full disclosure? Nope. It's inevitable. There are no power structures in place to keep script kiddies from using what they find and making it their own. Of course, there's the world of law enforcement, which is effective at apprehending them after they do the deed, but as a deterrent you have to consider the type of person being dealt with: A person who feels marginalized by society and power structures in real life, often lashing out with power they have gained in the online world through the sheer lack of security on the Internet in general. The average script kiddie already has an inflated ego to counter the lack of self esteem they feel. Law enforcement as a deterrent to this type of person is not as effective as other people because the script kiddie already believes that he can't be caught.

It's largely because of this multi-layer strata that we're talking about that makes your question somewhat moot. Are we more or less secure with or without full disclosure? Well, the question's pretty irrelevant now isn't it? Disclosure will always happen.. .the question is who will be doing the disclosure. Is it worse to have a skilled, quiet hacker who knows what he's doing on your network using 0-days, or an army of clumsy script kiddies writing worms that don't work half the time clogging up networks for one or two days a year -- not even really affecting most of the Internet or people who are security-wise in the first place?

Personally, I think the more quiet, careful hacker is more dangerous. And in the end, it will always get out anyway... so you might as well bring it full circle sooner. Vendor disclosure before public disclosure is nice, but does not notifying the vendor inherently make us less secure? Well, I'd say not really. We were already insecure to begin with... and a state of secrecy doesn't make us more secure. It just means we don't know there's a problem that needs to be fixed.

            -bkfsec


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]