Five of the brighter minds in the security industry spent two hours Thursday afternoon arguing, needling each other and generally disagreeing about everything under the sun and at the end of it all settled absolutely nothing on the topic of partial disclosure.
The panel was meant to generate some spirited debate about the practice, adopted by some researchers, of dribbling out small amounts of information on new vulnerabilities in advance of the full release, and it certainly accomplished that. Dan Kaminsky, who found the infamous DNS bug last year, and Alex Sotirov, who was part of a team that found a major weakness in SSL, traded jabs all afternoon, particularly on the topic of whether vulnerability disclosure should be used as a hammer to force vendors and users to do better on security.
“I do believe that causing some short-term damage is worth it if you’re safer in the long term,” said Sotirov.
That sentiment didn’t sit particularly well with Kaminsky or Katie Moussouris of Microsoft. Moussouris, a former researcher at @stake, said that strategy may have some limited applicability when dealing with vendors, but had no place at the table when it comes to infrastructure problems such as the DNS flaw or the SSL attack.
“It may have taken some serious wake-up calls for the vendor population to start implementing projects like the [Security Development Lifecycle],” she said. “But if you’re looking at infrastructure that’s in deployment right now, it’s a completely different problem. There needs to be some sort of common language between infrastructure deployers and security researchers. There will be no perfect infrastructure in the future that doesn’t need this kind of rapport.”
Kaminsky, who has said he regrets not bringing other researchers into the process earlier when he was working to get the DNS patch deployed last year, said that regardless of the means, the end needs to be protecting as many users as possible, as quickly as possible. This is especially true in the case of Internet-level problems.
“There are problems out there and we know that if we don’t look for them and put our heads in the sand, they’re not going to get better,” Kaminsky said. “We should look at, how do we make it smooth and easy for users. It’s too difficult and too expensive to take our advice. I think it’s a great thing to as much as possible reward people who can apply patches.”
Dino Dai Zovi, a security researcher who until recently was a security officer at a hedge fund, agreed, saying that there’s a huge amount of pain involved in trying to get infrastructure owners to deploy an emergency fix on the advice of someone they don’t know and have no reason to trust.
“It’s a huge leap of faith for these infrastructure people to do this. You have to look at the risk calculation from their side,” he said. “If that patch changes anything or breaks anything, it’s a disaster. Most of the infrastructure is way more fragile than we’d like to think.”