Responsible Disclosure: A History Repeating
Tal Klein
There seems to be an ongoing, almost incessant debate about the concept of responsible
disclosure and whether it’s helpful or not for white hat hackers and other security researchers to
publicly reveal details about the information security vulnerabilities they find.
The debate has been getting a lot of mainstream media exposure because of phenomena
such as Heartbleed and Shellshock, and the question I increasingly field from said mainstream
media is: “What do we do in the face of this growing mountain of disclosures?” My answer is
always “smile.” These disclosures are good things.
Responsible disclosure is an incredibly valuable tool that ensures infrastructure remains
reliable. Opposition to the idea is usually grounded in the argument that telling the black hats
which doors are unlocked is unnecessarily risky.
As if they don’t already know.
Fact is, whether motivated by avarice, ideology or nationalistic pride, the bad guys are already
doing a pretty good job of probing the defenses of every network on the planet and sharing what
they find among their own. In order for the rest of us to keep up (or, rather, not fall so far
behind), we have little choice but to share information. Industry's response in the wake of
reports of vulnerabilities such as Heartbleed and Shellshock was instructive.
Once brought to light, the speed with which most organizations moved to patch their holes—
holes that were no secret to the Internet’s boogeymen—was (or should have been) reassuring.
During a recent Christian Science Monitor panel discussion on cybersecurity entitled Developing
America’s Edge, Jeff Moss, founder of Black Hat and DEF CON and a co-chair of the
Department of Homeland Security Cybersecurity Task Force, commented that (my paraphrase)
“if we haven’t solved information security after twenty years, what makes us think we can as the
problems grow more complex?”
Actually, we’ve been grappling with the problem of information security for a lot longer than two
decades. Here’s a telling excerpt from the book Locks and Safes: The Construction of Locks by
A. C. Hobbs, published in 1853.
“A commercial, and in some respects a social doubt has been started within the
last year or two, whether or not it is right to discuss so openly the security or
insecurity of locks. Many well-meaning persons suppose that the discussion
respecting the means for baffling the supposed safety of locks offers a premium
for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues
are very keen in their profession, and know already much more than we can
teach them respecting their several kinds of roguery.
“Rogues knew a good deal about lock-picking long before locksmiths discussed it
among themselves, as they have lately done. If a lock, let it have been made in
whatever country, or by whatever maker, is not so inviolable as it has hitherto
been deemed to be, surely it is to the interest of honest persons to know this fact,
Cyber Warnings E-Magazine – October 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide