Back to Top

Friday, February 23, 2007

Full disclosure - repaired

That was quick. Thanks to my emails the blog posting which posted detailed information about how to root a given ISPs routers via an erroneous default configuration got sanitized.

Just to be clear: I'm not against full disclosure. I'm pretty much in favor of it - if used for doing good. Because this sounds to abstract, I'll try to give some concrete examples: let's say that you contacted the vendor / service provider / etc and they are unwilling to provide a fix or even acknowledge the existence of the flaw (yes, sadly it happens)! Then you can use full disclosure first as a negotiation tool and if everything else fails, as a public tool to shame the vendor into providing a solution. Just be sure to know your legal liabilities and act accordingly (posting from an anonymous email account, etc). The second case when full disclosure would be useful is when you publish the information together with the solution or at least a mitigation technique in a place where it is reasonable to expect that a large number of the affected people are seeing it. This is useful when there exists an effective mitigation technique (like in the case of the WMF or VML flaws where you only had to unregister a DLL with minimal functionality loss), because you can greatly reduce the exploitation window, protecting the people even before the vendor had time to react.

Now lets analyze this blog posting: from what I know the ISP wasn't contacted before publishing it. From all I know it wasn't contacted even after it got published. Most probably their awareness got raised by the e-mail I sent them. So the first argument - using full disclosure as a negotiation tool - fails. As for the second argument, while the posting contained information about how to secure yourself, it wasn't published at a site where it would have been likely to be read by the ISPs customers. What remains is a possible quest for personal glory and some misunderstood concept about full disclosure.

To end on a light note: heise Security put out what seems a good primer into web application security. If you are interested in the topic, this looks like a very nice introduction, which explains in a relatively detailed manner the major methods of attacks. So go out there and lets get those vulnerable sites below 70%!


Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.