Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Evan Schuman: Resurrection of Full Disclosure mailing list is great news, if you're not a cyberthief

Evan Schuman | April 2, 2014
The alternatives to an independent list like Full Disclosure can't match it for stopping new cyberattack tactics.

Lyon is right that FD is worth saving. Its most remarkable attribute is that it cleverly wins at the game of keeping the bad guys out by not ever trying. A senior security manager for a very large retailer made the point that the list embraces wide disclosure as the best weapon against thieves and vandals.

"Full Disclosure," he said during that dark week when it looked as if FD was gone for good, "was intended for security researchers, but they knew any attempt to exclude thieves was guaranteed futile, so they never tried. It's not really a rivals-versus-rivals issue. It's about white and gray hats versus black hats. This list was kind of an uneasy truce between the white and gray hats. It was also competition between researchers, as announcing a discovery bestows prestige. Among the list's accomplishments is that they worked out a disclosure policy. Responsible researchers agreed to notify software companies 30 (or more) days before publishing on FD, giving the vendors time to patch in exchange for the publicity associated with the discovery."

If FD had truly disappeared, there are other lists available, but the retail security manager said many security researchers would probably choose private communication options. "Taking its place will be private contests, such as pwn2own, and firms offering cash for vulnerabilities like Google's bug bounty, etc. Google pays far better than Apple, by the way. There -- allegedly -- are also private vulnerability exchanges, where (supposedly) you can sell a zero-day for cash or Bitcoins, no questions asked. It's long been assumed the NSA has made the bulk of the purchases."

But everyone in the security field should be rooting for Lyon to keep FD going. Its real demise would be a win for the bad guys. "By not having this place to expose them, the vulnerabilities will remain hidden longer, they will remain unpatched longer, yet the attacks will keep coming," the security manager said. "I expect to see a resultant increase in zero-day attacks and damage as a result."

There are just some things that an independent list like FD can do better than the other options. The "share immediately" school of thought has always had a fundamental flaw: The initial information available to breach victims is almost universally wrong, and dramatically so. It takes time to sort out forensics, to figure out which digital fingerprints are real and which were deliberately left by the attackers to send investigators in the wrong direction. That gets sifted out on an independent list that's policed by an aggressive community that lives to find weak logic or invalid assumptions uttered by their colleagues. As a result, information can get out cleanly and consistently.

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.