Re: Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)

[George Dunlap <George.Dunlap@eu.citrix.com>]

On Sun, Jul 8, 2012 at 8:30 AM, Joanna Rutkowska
<joanna@invisiblethingslab.com> wrote:
> On 07/06/12 18:46, George Dunlap wrote:
>> Another question has to do with robustness of enforcement.  If there
>> is a strong incentive for people on the list to break the rules
>> ("moral hazard"), then we need to import a whole legal framework: how
>> do we detect breaking the rules?
>
> 1) Realizing that somebody released patched binaries during embargo is
> simple.
>
> 2) Detecting that somebody patched their systems might be harder (after
> all we're not going to perform pen-tests on EC2 systems and the likes,
> right? ;)
>
> 3) Detecting that somebody sold info about the bug/exploit to the black
> market might be prohibitively hard -- the only thing that might
> *somehow* help is the use of some smart water marking (e.g. of the proof
> of concept code). Of course, if a person fully understands the
> bug/exploit, she would be able to recreate it from scratch herself, and
> then sell to the bad guys.
>
> On the other hand, the #2 above, seems like the least problematic for
> the safety of others. After all if the proverbial AWS folks patch their
> systems quietly, it doesn't immediately give others (the bad guys)
> access to the info about the bug, because nobody external (normally
> should) have access to the (running) binaries on the providers machines.
> So, perhaps #3 is of biggest concern to the community.

The reason I brought up the issue above didn't so much have to do with
the risk of people leaking it, but to help evaluate the proposals that
had "No roll-out is allowed until the patch date".  There's probably
little incentive or ability for the average programmer / IT person to
sell the bug on the black market.  (I have no idea how I would begin
to go about it, for instance.)  However, if we had a "no roll-out
during embargo period" rule, there would be a huge incentive for
people or organizations to "cheat" by rolling it out early, giving
them an advantage over those either not on the list, and those on the
list but not cheating.  So from a security perspective, of course #3
is the most important; but as a community project with a wide range of
users (many of whom are both small and active), #2 is what I am most
concerned about.

BTW, Joanna, do you have any opinions / input on the argument that
disclosure does not significantly increase risk, because patched
systems means that the vulnerability has reduced value to black hats?

 -George