Is the world about to end?
October 12, 2008
In the film War Games, Joshua/WOPR asks "would you like to play a game?" David (Matthew Broderick) of course wants to play "Global Thermonuclear War" (and I’m sure you would too – chess or tic-tac-toe is just so boring – we want those cool graphics!). Because of this choice the world (in the film at least) is pushed to the brink of annihilation. Today the game seems to be 20 questions wrapped up in the guise of "Responsible Disclosure", and a lot of people (the press mostly) are making it seem that each "bug" discovered by the top-named security researchers is going to mean the end of the internet.
Just before BlackHat we had the whole "DNS is broken" fiasco. I’m not knocking Dan for his research and discovery of the problem – sure, as many people say, the underlying flaw was identified a long time ago – but what he did was turn the underlying vulnerability into a workable exploit, and kudos for that.
Next up we have the TCP flaw which, if we are to believe what we’re told, can bring the internet to its knees with just a simple tool. Once again there’s speculation that this isn’t a new issue, but something quite old made new again.
Recently we have "clickjacking" which, once again, the industry press are pushing as the next major threat. I’m a little closer to this field than the others (networking not really being my "thing"), so when Jeremiah and Robert’s talk at OWASP was pulled (thus raising the interest level) I had a look and immediately understood what they were going on about. Again, it’s not brand new – there’s been talk about iframe injection and click stealing in the past – but these guys have improved the exploitability of the flaw and are raising awareness.
I’m not out to knock any of the guys doing this work. I think it’s great that they are researching security issues (and yes, I am a little jealous that they get the time to look into these things) and even happier that they are getting the message out. At the very least in the case of clickjacking RSnake has been very clear about the previous work and the impact (they didn’t pull their talk BTW – they were asked to), and Dan had to walk a very fine (and high) tightrope in order to get more people to patch, but there’s very little "sexiness" for journalists (or blog authors for that matter) in writing anything level-headed. When these news articles go out, CISOs come round, article in hand, asking what they can do and getting back blank looks – no-one knows what the issues are, the drawbacks/side-effects/risks of patching vs not patching, or where to go for more information/advice. This just leaves both sides frustrated.
There are lots of people smarter than me adding their $0.02 worth (including the researchers themselves), but "responsible disclosure", especially when it’s associated with someone revealing details about the issue at a conference, is turning out to be more like "partial disclosure" as other smart people play their own 20 questions game and in turn figure out at the very least a rough approximation of the issue. It is right to do the whole responsible disclosure thing and work with vendors to get things fixed before it’s common knowledge, but saying "I know something you don’t know" just makes other people want to know that information too, and our industry is full of bright people who, given the motivation (which may very well be showing the rest of the world how bright they are, or stealing the limelight, not to mention the black-hats out there), are plenty capable of working it all out.
I guess what I’m asking for is this: if you do find a vulnerability, by all means work with a vendor to get it fixed, but (and I know this can be very difficult with fame and fortune just around the corner) using it as a "PR" event for you/your company, or scheduling the big reveal for a major conference while holding the details back, is, I feel, a recipe for disaster: partial disclosure. If too many people go down this route, and it appears that it’s becoming more and more common, it’s going to end up like the boy who cried wolf – when there is a major vulnerability everyone is going to be so de-sensitized they just aren’t going to care.