It was on July 20 2005 12:18PM when Fernando Gont sent an email to bugtraq (at) securityfocus.com, a security mailing list full of people submitting information about software bugs or vulnerabilities from any software or hardware product. On his email, Fernando Gont disclosed the information about “ICMP attacks against TCP” [Security Focus 2005a].
Theo de Raadt, leader of OpenBSD operating system which claimed to be the most secure operating system in the world (OpenBSD 2005), was the person that Fernando talked to and seemed that both person has the same understanding on how to fix the problem. Theo invited Fernando to join OpenBSD Hackathon which is the place for all of computer expert gathered to fix software problems. [KernelTrap 2005]
And the problem begun. As Fernando sent several notifications to CERT/CC and NISCC, and privately notified several open source projects including OpenBSD, NetBSD, FreeBSD and Linux, as well as larger vendors such as Microsoft, Cisco, and Sun Microsystems, his intention is to fix this problem together with software vendors before the problem will be publicly disclosed.[KernelTrap 2005]
Cisco then replied the email claiming that Cisco has the patent of his work but refuse to give further details. Later on the thread, Cisco then admit that Cisco had withdrawn their patent. Cisco even accused Fernando working with terrorist.[KernelTrap 2005]
Microsoft also replied the findings saying that Fernando should inform Microsoft confidentially yet Fernando found out that Microsoft refused to give him credits for the discovery.[KernelTrap 2005]
The discovery was supposedly to be made public by January 2005 but it was repeatedly delayed until April 2005 as many vendors were not ready with fixes.[KernelTrap 2005]
Fernando regretted the hesitate responds from vendors to fix the problem.[KernelTrap 2005] The main point of the case is the hesitation from vendors to fix the problems and the idea of patenting the technology finding that supposed to be owned by public.
Meanwhile on July 28, 2005, Wallstreet Journal reported that Cisco threatened legal action to a 24-year-old security researcher for another software vulnerability findings. Cisco even instructed workers to rip off pages containing the presentation from Michael Lynn. As the problem got more heat, Michael Lynn had to resign from his work at ISS. [WallStreet Journal 2005].
Another additional issue found on these two case is the existence of vendors to sell/distribute closed-source software will lead to limited quality control which can only be done by the vendors or using public controlled quality testing.[WallStreet Journal 2005]
Another new article from Security Focus [Security Focus 2005b], dated 7 September 2005, noted Gont’s saying ” Some people say ‘this is old stuff.’ But they miss a very important point: While these attacks have been know to many people for many years, there have never been proposals on how to deal with them. ”
Schneier [Schneier 2005a], has pointed out several ideas based on those case as below:
- As the software distributed in binary code while no one will know what inside it, Vendors will easily pretending that the software is reasonably secure.
- If anyone tried to find something from inside the software, vendors will easily come up with copyright violation as no one will has the right to see what kind of software they are buying.
- Companies treat vulnerabilities as public-relations problems first and technical problems second.
- If companies have the power to censor information about their products they don’t like, then we as consumers have less information with which to make intelligent buying decisions.
- If companies have the power to squelch vulnerability information about their products, then there’s no incentive for them to improve security.
The (NO) Good Will.
Microsoft, as cited in Schneier 2001, said that proprietary vendors have the right to hold the information to public. Microsoft claimed that the we would be much safer if if the security expert keep the information securely rather disclosed it to public while this action can be considered arming the vigilant hackers.
A software bug is a programming error made by software developer yet not identified during the testing period. After the product released, somebody noticed it. This is where the root of problem begins. If the guy inform this bug to the developer, they will fix it, for certain period of time. But the danger is there while the bug is discovered. What if there is another somebody who found the same bug while the other guy keep it for himself, the danger increases. [Schneier 2001]
Vulnerabilities news spread. It can use the security community mailing list or even spread among underground cracker. Wherever its announced the danger increases as more people aware of the problem. (Schneier 2001)
The danger doubles when somebody willingly create an exploit to automate the attack based on the software bug. Script Kiddies, which don’t have any appropriate level of knowledge will easily use these tools for fun. [Schneier 2001]
Even when the developer fix the problem and release the patch, there will be some place in the world not even aware that the problem exists. [Schneier 2001]
Back to where the computer were only owned by university and rich research centre. Software bug disclosure was easy to control as only several people know about computers and willingly to inform software vendor while there was no necessity to fix the problem as soon as possible.
The the world changed. More and more people using computer but still reluctant from software vendors were something inevitable. More and more people get frustrated about the software problems and start to disclose this information to public to give pressure to software vendors to fix the problem as soon as possible or they will lose their face. It is actually a good PR to show to the customer how fast they will be able to fix the problems.
However, not everybody will act purely based on good motivation to release the information. Some underground cracker will keep this information for themselves and use it for vigilant purpose. It’s a catch 22 matter.
Basically, there are more advantage to release the vulnerabilities information to public rather than to keep. As soon as the problem going public, people will more aware and vendors are pushed to work out of it.
There are three things that Schneier [Schneier 2001] emphasizes on doing vulnerabilities disclosure:
- Publishing vulnerabilities should always based on reducing the problem rather than creating exploit to magnitude the problems. [Schneier 2001]
- Vendor should be given early notice about the vulnerabilities information thus giving them times to fix it. It also good to give some weeks deadline to the vendor before the information goes to public. In this case, vendor will be pushed to fix the problem in time. [Schneier 2001]
- Creating exploit will cause more problems than fix the problems. To some extend, it is criminal to distribute virus. Of course, there are also several program that can act dangerously in wrong hand. For example the existence of vulnerabilities scanner. This scanner was built based on the vulnerabilities information and use those information to secure the system rather than to break it. Another catch 22 thing. [Schneier 2001]
This is also the reason why software vendors will also take the liability for software problems that will cost E-Commerce market severely in pain. [Schneier 2001]. It is obviously easy for proprietary software vendors to release the buggy software then fix it later on than to create a better software from the beginning.
Until now, the full disclosure method is still considered the best way to get the homework done while they keeping the software closed to anyone. Nobody unless the vendor can see it, the they are the one who liable to fix it or they going to loose the market.