On Thursday, 25 October 2012 00:18:32, d3fault wrote:
> Qt has corporate roots. Responsible Disclosure has been in place since
> the Trolltech days. Corporations tend to prefer Responsible Disclosure
> because it pleases their commercial customers. Commercial entities
> like to keep their end users in the dark because vulnerabilities
> reflect poorly on the company and affect their bottom line.

Against my judgement, I'm replying to you. I'm doing that *again* only because this is about security. So let's get on with it.

Your characterisation above is incorrect. Corporations may have profit motives, and I'm not saying they don't. But your characterisation is somewhere between blissfully ignorant and flat-out lying and FUD: commercial entities have good people who make intelligent and logical decisions.

But this is not about them. This is about the Qt Project. So let's get on with *that*.

Note: Intel practices Responsible Disclosure, but this is not about my employer either.

> So for the sake of argument, let's say it has none. We should then
> compare the pros and cons of Responsible vs. Full Disclosure [0].
>
> As of yet, no logically sound arguments (that haven't been rebutted
> by yours truly) have been presented in favor of Responsible
> Disclosure. Lots of opinions have been presented, but opinions have
> very little weight against logic. The only exception to the "no
> arguments" is script kiddies, but script kiddies are nothing compared
> to crackers. Responsible Disclosure both extends the window of
> opportunity for crackers and also increases the vulnerability's
> overall exposure... leading to more crackers finding and exploiting it
> before public disclosure.

Here are the arguments in favour of Responsible Disclosure:

While there are many zero-day exploits, assuming that all security issues are known to exploiters is disingenuous. What's more important in this is that the level of competence and resources in the exploit community varies a lot. I can agree that exploiters with vast resources may learn the security issues before the full disclosure happens, but I definitely do not agree that all exploiters will. Therefore, disclosing the details to everyone is irresponsible. This enables attackers with little resources to gain access to details that they may otherwise not have found out. This increases the attack surface and compounds the problem.

Another argument is that disclosing too early serves little benefit. More to the point, disclosing the details of a security issue before a workaround or fix is available serves very few. There's a waterfall where we lose people upon the disclosure:

- most people will not be paying attention
- of those that are paying attention, we lose a great part because the details are too technical and they are not able to comprehend them, not even to determine whether they are affected by the issue
- of those that did understand the details, we also lose a great part because they are unable to come up with a fix or solution for their affected systems, short of shutting them down completely

Let's be generous and say that 3% of the community is able to act on the fully-disclosed security information before a fix or workaround is published. That means 97% is still vulnerable, and we've just enabled low-resource attackers to attack.

Instead, Responsible Disclosure requests that the sensitive information be treated in a closed circle until a workaround or, preferably, a fix is available. This closed circle should publish the inoculation mechanisms as soon as possible, as well as the proper fix if that's the case. By releasing the information on how to close the vulnerability before the details of the attack vector, we accomplish:

- a high signal/noise ratio on the disclosures, which should cause people to pay more attention
- relevant information for the affected parties on what steps they should take to protect themselves
- little information for the attackers on how to exploit the issue

This isn't coming from just me. I've taken the time to talk to a security expert, who explained the details to me. That has reinforced what I already believed.

> I really hope we choose Full Disclosure as our security model, as it
> gives the _users_ the best opportunity to protect both themselves and
> their end-users.

I do not and my reasons are above.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development