Full disclosure (computer security) – Wikipedia


Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the information and data accessible to everyone without restriction. The main purpose of this wide dissemination of vulnerability information is that the potential victims of attacks are as well informed as the attackers. [1] In computer security, researchers often discover flaws in software that can be exploited to cause unintended behaviour; these flaws are called vulnerabilities.
The process by which the analysis of these vulnerabilities is shared with third parties is the subject of heated debate, and is referred to as the researcher's disclosure policy.


Bruce Schneier, in an article he wrote on this topic, said: "Full disclosure, that is, the practice of making the details of security vulnerabilities public, is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure." [2]

The vulnerability disclosure debate

The controversy around the public disclosure of sensitive information is not new. The issue of full disclosure was already raised in the nineteenth century in the context of locksmithing, in a debate over whether a weakness discovered in a lock should be kept secret within the trade or revealed to the public. [3] Today there are three major vulnerability disclosure policies under which most others can be categorized: [4] non-disclosure, coordinated disclosure and full disclosure.

Most people involved in vulnerability research have their policies shaped by various motivations, and it is not unusual to see campaigning, marketing or lobbying for the adoption of a preferred policy, and the chastising of those who diverge from it.
Some security experts favour full disclosure, while many vendors prefer coordinated disclosure. Non-disclosure is generally favoured by black hats.

Coordinated disclosure

Proponents of coordinated disclosure believe that software vendors have the right to control vulnerability information concerning their products. [5] The cardinal principle of this policy is that nobody should be informed about a vulnerability until the vendor itself gives permission. Although there are variants of and exceptions to this approach, the distribution of information must initially be limited, and vendors are given privileged access to research that is not yet public.
Advocates of coordinated disclosure often prefer the weighted, but less descriptive, term "responsible disclosure", coined by Scott Culp, security manager at Microsoft, in his essay "It's Time to End Information Anarchy" [6] (referring to full disclosure).
Microsoft later called for the term to be retired in favour of "coordinated disclosure". [7]

Although the reasoning varies, many practitioners in the field argue that end users cannot benefit from access to vulnerability information without guidance or a patch from the software vendor, so that the risk of sharing research with attackers is too high for too little benefit.
Microsoft put it this way: "Coordinated disclosure serves everyone's interests by ensuring that customers receive high-quality security updates, but are not exposed to malicious attacks while the patch is being developed." [8]

Full disclosure

Full disclosure is the policy of publishing vulnerability information as early as possible and without omitting details, making it accessible to the whole world without any restriction. Proponents of this practice believe that the benefits of freely available research outweigh the risks, whereas opponents prefer limited distribution.


The free availability of vulnerability information allows users and administrators to understand and respond to vulnerabilities in their systems, and allows customers to put pressure on vendors to fix flaws that the vendors might otherwise feel no need to address.
There are some fundamental problems with coordinated disclosure that full disclosure can solve.

  • If customers do not know about vulnerabilities, they cannot demand patches, and vendors have no economic incentive to fix them.
  • System administrators cannot make informed decisions about the risk to their systems, because access to the information is restricted.
  • Attackers who already know about the flaw have a long period of time in which to keep exploiting it.

The discovery of a vulnerability is not a mutually exclusive event: several researchers with different motivations can, and do, discover the same flaw independently of one another.

There is no standard way to make vulnerability information available to the public; researchers often use mailing lists dedicated to the topic, academic papers or industry conferences.

Non-disclosure

Non-disclosure is the principle that no vulnerability information should be shared, or that it should be shared only under a non-disclosure agreement (informal or contractual).

The main proponents of non-disclosure include commercial exploit vendors, researchers who intend to exploit the flaws they have found, [4] and vendors who believe that any vulnerability information whatsoever can somehow assist attackers.

Debate

Arguments against coordinated disclosure

Researchers in favour of coordinated disclosure believe that users cannot make use of knowledge of a vulnerability without guidance from the software vendor, and that most of them are best served by limiting the distribution of vulnerability information. Proponents of this view argue that a low-skilled attacker can use this information to carry out sophisticated attacks that would otherwise be beyond their ability, and that the potential benefits do not outweigh the likely damage caused by malicious users.
Only once the vendor has prepared instructions that even the least experienced user can follow should the information be made public.

This argument assumes that the discovery of a vulnerability is a mutually exclusive event, that is, that only one person can discover a given vulnerability.
There are many examples of vulnerabilities that have been discovered simultaneously, and that were often exploited in secret before being rediscovered by other researchers. [9]

Arguments against non-disclosure

Non-disclosure is typically practised when a researcher intends to use knowledge of a vulnerability to attack computer systems operated by their adversaries, or to sell the information to a third party, who typically uses it to attack their own adversaries.

Researchers who follow this policy are generally not concerned with improving the security or protection of a network. However, some proponents of this position simply argue that they do not want to assist software vendors, and also say that they have no intention of harming others.

While advocates of full and coordinated disclosure declare similar goals and motivations, and simply disagree on the best way to achieve them, non-disclosure is entirely incompatible with both.

  1. ^ Jay Heiser, "Exposing Infosecurity Hype", Information Security Magazine, TechTarget, January 2001. Retrieved 20 December 2017 (archived from the original on 28 March 2006).
  2. ^ Bruce Schneier, "Damned Good Idea", Schneier.com / CSO Online. Retrieved 20 December 2017.
  3. ^ Alfred Hobbs, Locks and Safes: The Construction of Locks, London, Virtue & Co., 1853.
  4. ^ a b Stephen Shepherd, "Vulnerability Disclosure: How do we define Responsible Disclosure?", SANS GIAC SEC Practical Ver. 1.4B (Option 1), SANS Institute. Retrieved 29 April 2013.
  5. ^ Steve Christey, "Responsible Vulnerability Disclosure Process", tools.ietf.org, IETF, section 3.3.2. Retrieved 29 April 2013.
  6. ^ Scott Culp, "It's Time to End Information Anarchy", TechNet Security, Microsoft TechNet. Retrieved 29 April 2013 (archived from the original on 9 November 2001).
  7. ^ Dan Goodin, "Microsoft imposes security disclosure policy on all workers", The Register. Retrieved 29 April 2013.
  8. ^ Security TechCenter, "Coordinated Vulnerability Disclosure", technet.microsoft.com. Retrieved 29 April 2013.
  9. ^ Ac1d B1tch3z, "Ac1db1tch3z vs x86_64 Linux Kernel", seclists.org. Retrieved 29 April 2013.
