I had a bit of a discussion with someone this morning on the nuances of partial disclosure and its effectiveness/risk on the greater security stage. The discussion was sparked by a recent post by Dan Kaminsky at www.doxpara.com. In this post Dan is essentially saying that partial disclosure in general is a bad idea; however, it is occasionally required if the scope of the issue is so large and potentially dangerous that full disclosure at any point would put a significant portion of the computing populace at risk. What Dan is afraid of (and I believe rightfully so) is that the research community and their affiliated companies and marketing machines will realize that partial disclosure generates revenue. When distilled down, partial disclosure can be used as a way of putting FUD out there in an effort to generate buying impulses. Not everyone will directly attempt to utilize partial disclosure as a money-making machine; however, I believe the majority of business minds will. They'll either do it with the approval of their researcher or occasionally without. Sometimes the researchers themselves will recognize the positive brand impact and money that can come from partial disclosure and exercise this model directly. So what do we do about this? We create a group to help police the partial disclosure process. We create a way for the populace to know whether the released partial details are real or FUD.
The second part of our discussion centered around who should be responsible for vetting security-related partial disclosure. Dan suggested that a group of security researchers be responsible for determining whether a particular vulnerability should be partially disclosed. This is where I disagree with Dan a bit. There are no parties that can truly act impartially within the security research community when it comes to vetting disclosure. We all have a stake, either directly or indirectly, in the release and disclosure of such information. I suggest that a higher-level group that contains people outside of the general security research community be put in charge of vetting the legitimacy of a particular partial disclosure. They could bring in subject-matter security experts as required, but the group itself must be sufficiently removed from the process to be properly impartial, bringing in the technical expertise only on a consultative basis. The technical details are factual; the risk impact is always subjective.
Maybe I'm being too pessimistic in thinking that the abuse of partial disclosure is imminent. Maybe I'm being too altruistic in thinking that a group of people, even at a higher level, could ever be impartial enough to properly vet partial disclosure requests. But I do know one thing: this topic is very touchy and will certainly require a large-scale effort and significant hand-holding if it is ever going to come to fruition.
As always, comments are welcome...
Blogging is out, "Tweeting" is in. Twitter is the new black, it's the latest and greatest, it's... well, weird. I've posted my thoughts regarding microblogging in the past (here). "At first I was afraid, I was petrified," but then I realized just how useful this type of medium can be. I've since found myself adopting this technology as a way to keep up with the latest and greatest information security minutiae directly from the people that are creating it. With groups of people such as the Security Twits, along with the researchers I know personally, it's a very useful 1:Many discussion medium. The downside of the microblogging thing is that it's been taking away from my time/energy to create real blog entries for my reader(1). I promise this will change soon.
In the meantime, follow me on Twitter (txs_) if you wish to join in the interesting conversation. I'm always keen to hear what my reader(1) has to say.


