Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    To Tell or Not to Tell

    By
    Dennis Fisher
    -
    February 17, 2003
    Share
    Facebook
    Twitter
    Linkedin

      As secrets go, it wasnt very technical.

      Matt Blaze, a respected security expert and research scientist at AT&T Labs Research, in Florham Park, N.J., published a paper last fall describing how to make a master key for an office building or a school. The method required one key for any lock in the building, access to that lock and a small number of blanks.

      The attacker would need no special skills or tools, aside from a metal file, to create the master key, according to Blaze. Once his research hit the media in January, Blaze was inundated with angry e-mail from locksmiths accusing him of being irresponsible for publishing his findings. It turns out that the method Blaze described has been known among locksmiths—and criminals—for decades. The professionals were angry that the secret was now out.

      Its an argument many in IT security know all too well.

      As the issue of full disclosure versus secrecy—debated with religious fervor for years in the security industry—rages on, the parallels to the case of the angry locksmiths are clear: On one side are those who believe that the full disclosure of vulnerability information helps administrators secure their networks; on the other side are folks who say that publishing this data only helps attackers and that the benefits to the rest of the community are minimal.

      “Full disclosure is the worst we can do, except for everything else,” said Bruce Schneier, chief technology officer and co-founder of Counterpane Internet Security Inc., in Cupertino, Calif. “I really believe that the reason people adopt the secrecy argument is that its much easier to understand. If I tell you this guy knows how to break into your house, your first reaction is to make him shut up. People confuse vulnerability information with the vulnerability itself. Everything is kept quiet, and nothing improves.”

      Close on the heels of Blazes revelation came a brief crisis of conscience that led researchers at Next Generation Security Software Ltd., of Surrey, England, to reconsider whether to release exploit code with their vulnerability reports. Code that David Litchfield, the companys co-founder, included with his bulletin warning of the SQL Server 2000 flaw that the Slammer worm exploits was used by the worms creator as a template. This led Litchfield to write a message on the BugTraq mailing list wondering whether the practice of releasing exploit code did more harm than good.

      Historically, this has been the crux of the disclosure debate. Few people question that there are legitimate uses for exploit code, such as testing potentially vulnerable systems or deconstructing the code for educational purposes. But opponents of full disclosure often say that the potential benefits of publishing such code pale in comparison with the harm that can be done by attackers with this kind of detailed knowledge.

      Litchfield said he and his brother, Mark, will continue to publish sample exploits in an effort to give administrators and security specialists a level playing field in their battle against crackers. The decision was not one they made lightly, Litchfield said, but it was made easier by the hundreds of e-mail messages they received encouraging them to keep publishing exploits.

      “There are people out there with a high level of intelligence developing, sharing and actively using exploits against [insecure] systems,” Litchfield said in a lengthy e-mail explaining his thoughts on the subject. “Regardless of motive, there is much to be learnt from these people and their exploits. But if this was the only source of information for those working in the security industry, then the bad guys would always be one step ahead of the good guys; and if theyre one step ahead, we lose and so do the organizations were trying to protect.”

      AT&Ts Blaze agrees. “The existence of this method, and the reaction of the locksmithing profession to it, strikes me as a classic instance of the failure of the keep vulnerabilities secret security model,” Blaze wrote in an essay on his Web site. “Im told that the industry has known about this vulnerability and chosen to do nothing—not even warn its customers—for over a century. Instead it was kept secret and passed along as folklore, sometimes used as a shortcut for recovering lost master keys for paying customers. If at some point in the last hundred years this method had been documented properly, surely the threat could have been addressed and lock customers allowed to make informed decisions about their own security.

      “Although a few people have confused my reporting of the vulnerability with causing the vulnerability itself, I can take comfort in a story that [scientist] Richard Feynman famously told about his days on the Manhattan Project. Some simple vulnerabilities and user interface problems made it easy to open most of the safes in use at Los Alamos. Feynman eventually demonstrated the problem to the Army officials in charge. Horrified, they promised to do something about it. The response? A memo ordering the staff to keep Feynman away from their safes.”

      Dennis Fisher

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×