part 34 in the ongoing ramble on disclosure practices

Grossman and RSnake have gone public with wind of a new, critical enough vulnerability in, well, the web I guess, for lack of further details. Rather than disclose their findings either online or in an upcoming talk, they have opted on their own to pull their information until the major browser vendors can get their stuff patched. Kudos to that!

In the meantime, we get to know something evil is afoot, but we have to just worry and find religion until the vendors roll out patches and we get them rolled out in turn. RSnake mentioned both browser vendors and web site operators…ugh…sounds big and complicated, and I certainly wish I knew what to look for, how to even work around it, or how to spot any symptoms in the meantime.

I 100% understand the reasons for performing responsible disclosure, and I don’t necessarily directly disagree with them. I don’t find it useful to disagree with someone’s opinions, as a general rule in life. Ten years ago disclosure was about throwing the information out there. In recent years, it is very fashionable (and even defendable) to follow “responsible disclosure” practices.

But I predict “responsible” is going to change in the next few years. Right now, “responsible” is defined by the vendors in an effort to protect their business and products (and scare researchers with lawsuits). Several years from now, I see the pendulum swinging back over to “responsible” being defined by how the public is affected, especially the security people representing and protecting the public. Of course, that opens the debate of whether it is more secure to disclose bugs (thus giving bad guys the information) or withhold them (not allowing anyone to know how to protect themselves).

In the end, this keeps the general user at the mercy not just of the bad guys, but also a handful of security researchers and the vendors. But maybe we overestimate the bad guys? Maybe we have no idea what the real impact of disclosure is? If they disclosed, would the Internet buckle as thousands of people are collectively owned in 12 hours, 2 days, 1 month? Would it kill Browser X in the browser wars? What if Kaminsky had disclosed earlier this year and gave the vendors little to no lead time?

I certainly have no answers, but I do tend to fall on the side of full disclosure more often than not, usually because it is the side that tends to have less dependency on assumptions and unknowns that may never be quantified. I stress “tend” because there are exceptions, and I don’t actually fault someone who has chosen the other side.

As a final parting shot, we can take both practices to an extreme. On one side, we have lots of hidden knowledge that few people know and understand. On the other, we have collectively more knowledge and ability to protect ourselves or improve the bottom line in the long term, perhaps at the expense of the 0day period. One promotes the sharing of the general concept of Truth, and the other stifles it. It is my opinion that truth, like information, tends towards freedom. It is people (especially those with something to lose, like power) that fight against that tendency.