Aug 30 2006
Not so secret disclosure secrets
Over at the securosis.com site there’s a pretty good article titled “The 3 dirty little secrets of disclosure no one wants to talk about”. Except some of us really do want to talk about it! The post lists three problems with the whole idea of disclosure:
- Full disclosure helps the bad guys: I agree, but I think it also helps the good guys. I’m willing to cede that it probably helps the bad guys more, which is why I’m also willing to cede that full disclosure is not the way to go by default.
- It’s about ego, control and competition: I’m not sure I can agree with this point. There are elements of all three of these in many of the disclosure incidents, but I’m not sure it’s true in the majority of cases. Ego is probably true of many of the security researchers, while the control issue is more of a concern with the vendors, and competition is true of both groups. I consider this a neutral issue, because there are very few people on either side of the argument who can say they really aren’t guilty of these sins somewhere along the line.
- We need the threat of full disclosure or vendors will ignore security: This I agree with wholeheartedly. This is also why I can’t back any system where the vendor is the one who gets to define ‘responsible disclosure’. As long as the vendor gets to be the one defining the terms, any disclosure that doesn’t meet the vendor’s timelines is by definition going to be ‘irresponsible’, a setup that is almost as bad as no disclosure.
One more minor issue I have with the article is its use of security through obscurity: while this works for a while, security through obscurity is the most brittle of all types of security. All it takes is one hacker releasing his notes on your security vulnerability, and what little security you had because of the lack of knowledge is gone. I sure don’t want my bank relying on security through obscurity to protect my bank account. Not that they’d get much right now, a couple of days before the end of the month.