This Was Not What I Had In Mind
So, after I completely whiffed on the initial disclosure of the DNS flaw, I wrote the following:
So there’s been some skepticism about the DNS flaw. I want to be clear: It was richly deserved. A “put up or shut up” mentality is critical to the survival of our industry. It’s just too easy to make stuff up, if you can just wave away detractors with “I can’t prove it…it’d be UNSAFE.”
The danger from that statement is very tempting and very real. Our credibility as an industry — ultimately, our ability to get bugs fixed — depends on that statement being called out as the bullsh*t that it is.
We, as an industry, have gone back and forth on full disclosure (i.e. tell everyone) vs. responsible disclosure (i.e. tell everyone after the vendor has had a chance to fix things). Partial disclosure has always been looked down upon, rightfully so, because it’s so amazingly easy to abuse. But if our goal is to protect customers, and one particular bug will affect almost all of them, and a phased disclosure of information will protect the greatest number of customers possible — then perhaps there’s a place for this mode.
It’s certainly not a path you can safely decide to take by yourself, however. That’s what I did, when I refused to tell anyone else in the security industry what the bug was. It’s not something I’d ever do again. It’s not just that you can’t vouch for your own bugs. It’s that, without peer review, you don’t know what bugs people are going to think you’re recapitulating, and you don’t even really understand the severity of your issue.
It’s your blood, sweat, and tears in there. Hard to be impartial.
Tie that in with — it’s not just your credibility you’re betting with, when you go out with partial disclosure, but the credibility of every security researcher working to fix problems — and it’s really not something you can do alone.
That’s what I thought was clear. But what’s happened since my Black Hat talk is something really problematic. Partial Disclosures are occurring, and rather than the press saying “Well, we’ll wait until there’s more information to report on this”, they’re saying, “Wow! This must be like the Kaminsky bug! The Internet’s going to die!”
Awww hell no.
Look. Not every bug is Internet killing. I mean, it’s 2008, if you can’t profit on it nobody’s doing it. And killing the Internet is the first thing you’re told not to do in “Being An Internet Parasite 101”. There’s no profit, so it’s not going to happen — well, barring nation-state level extortion, anyway.
So, what’s been going on with partial disclosures?
First, there’s RSnake and Jeremiah Grossman with Clickjacking. Oh, it’s definitely a bug, unless you think any web site should be able to snap photos from that camera in your laptop. It’s not Internet ending, as RSnake has visibly and repeatedly had to explain to people. But it’s something that needs to get fixed. Why is it a partial disclosure? Because the vendor asked — nicely — for a little more time to complete the responsible disclosure process.
I think everyone can agree that it would have been better to have stayed fully dark until a vendor patch was ready, if waiting for a vendor patch was the path to take. Partial disclosure is not good here, but positive working relationships with vendors are. At least we have pre-emptive excision from “Internet Killing” class.
Not so with the newest case. Now, there’s Robert E. Lee and Jack Louis with their TCP Denial of Service attacks. It’s a bit silly to assume Jack Louis doesn’t know the history of TCP attacks, just as it’s silly to assume I don’t know the history of DNS attacks. (You’d be amazed how many people thought I’d just reinvented the birthday attack.) Jack’s written more crazy TCP code than you have, for all values of you including me and possibly Fyodor. Do their attacks work, mostly as they’re saying? Almost certainly. There are dozens of weird corner cases in TCP where resources and timers are allocated. It’s entirely feasible that at least some of them have nasty effects on the system above and beyond a three-way handshake flood.
We’ll have to see. But while Robert and Jack appear to have just wanted to talk about them at T2, something has gone wrong. People are reporting this as an Internet Killing class bug, because the last time someone wanted a couple more weeks, it appeared to actually be one.
Look. It’s a DoS, from non-spoofable address space. We’ve operationally been surviving DoS’s for years and years; if we have a more efficient DoS, that correlates to a smaller botnet. Well, we’ve got freakin’ huge botnets out there, and we’re doing OK. Things go down for a little while, and then lots of IP space gets blocked.
Again, this is Jack Louis we’re talking about, so I’d bet any detractor in the world he has some ridiculously cool resource exhaustion attacks to talk about. He probably knows more about TCP than you do. (If you don’t know what Time-Wait Assassination is, he definitely does.) But the “meta-message” that “I’m not telling you everything, because the Internet will come to an end if I do” almost certainly comes from his desire to finish up some of the cooler attacks, colliding with my reticence to talk this summer because I was trying to get people to patch.
That’s not Jack or Robert or RSnake’s fault. I do think it’s my responsibility to clean up, if not for all the researchers of the world, then for the press.
To all the people in the press: Guys, you’re all awesome, but someone’s going to lie to you. They are going to lie to you, because it will make them money. (See above, it’s 2008.) Consider: A partial disclosure only makes sense, operationally, as a call to arms. It is a disclosure that there is a fault, for which action must be taken. If the action to be taken is to spend a ton of money on a new and fabulous gizmo, then some portion of your readership will go ahead and do just that. And indeed, the longer the period of time between partial disclosure and “full” disclosure, the more gizmos will be sold, and the more money will be made.
To the nth degree, this strategy incentivizes fly-by-night shops to make bugs up, and not even disclose them to the vendor, because that would stop the gravy train as the vendor called foul.
So, press, I must apologize to you. I have put you in the situation where either you acquire complete validation of a flaw from a second source — and thus risk getting scooped! — or you get played. Since I’ve done this to you, I’m going to do something about this. I am going to create something of a community council, that will pre-vet (under legal and strict NDA) any bug that someone claims is so very important that it cannot be disclosed to the point of independent reproduction. Members of this council will have to have publicly presented work in the subject area that is under consideration. I’ve spoken to a decent number of people, and everyone is somewhere between very pissed and legitimately afraid of a flood of unjustified partial disclosures.
Faced with an unending stream of “is the Internet dead yet?” Slashdot posts, everyone I’ve spoken to appears fully on board with providing an honest judgement regarding the legitimacy of findings.
Now, I expect we will reject, out of hand, almost all claims. But we will do so, with the full technical argument brought by the finder, rather than presumptions based on old flaws. Attacking the strawmen implied by partial disclosure is a losing scenario for literally everyone involved.
It stops here. Reporters: There will be a more formal process coming, but please mail or call me if anything more of this nature shows up. Hackers: Would you volunteer to enter an NDA with someone, to help publicly assert whether this sort of behavior is legitimate? Mail me too, especially if you wouldn’t trust me vouching for a given bug.
I think as a community, we’re going to need to determine the limited number of scenarios where the benefits from partial disclosure outweigh the risks. Again, partial disclosure only makes sense as a call to arms. What are users supposed to do, if not install a patch or implement some reasonable operational procedures? A partial disclosure is an ask — what are you asking for?
Vendor intransigence is not an excuse. Patches cannot be reliably synthesized in the time between partial disclosure and when someone figures the attack out. If things are so broken that there must be a release, then the release must be compelling enough that the intransigent vendor cannot deny the validity of the findings. Such a release is not going to be partial!
(Of course, the existence of a council might actually help with occasional intransigence. Hackers — if you’re sitting on a bug you think is Internet threatening, and you’re not getting any progress with the vendor, mail me too.)
There are of course other factors. Effect on infrastructure, which patches very slowly, is one. The severity of the bug, the difficulty of mitigating attacks using existing operational procedures, and oh yes, the actual novelty of the attack all matter as well (there’s a reason it’s called ‘news’). Put simply, no bug that does not actually threaten the stability of the network, in a way we aren’t already mitigating, should ever follow partial disclosure.
I will say, it’s totally OK to fix old and severe bugs that nobody deigned to repair. But you actually do need to get them fixed 🙂
So, what options do Robert and Jack have with the sockstress bugs? Without full details on the attack, the only detail everybody can judge is that there are no patches for this attack — but the same operational mitigations that we use for botnets will almost certainly cover this issue as well. Both are dings against this bug getting slotted into the Internet-Threatening Partial Disclosure bucket. Things are complicated, however, by the fact that this has already gone off the rails and into the press and vendor realms.
What exactly they should do really does depend, and isn’t really my place to say. After all, it’s their bug; they can do what they want. But now that this has gotten into vendor hands, I think the vendors need to weigh in, to Robert and Jack, on what their perspective on this issue is. It’s entirely possible that this issue has been wildly overblown — it’s a legitimate class of bug, yes, but nothing to panic over and something that can be discussed without “Killing the Internet”. In this case, there’s nothing wrong with Robert and Jack releasing one of their many bugs, just so they can stop talking in theory.
If it’s, in fact, a more severe issue — severe enough to pull the talk, at least as per the vendor — I do think the community needs to have its say on the nature of the fault class. It’d just be too tempting for a fly-by-night operation to threaten vendors into ‘playing along’. A talk can be pulled to be nice to a vendor, or a talk can be pulled because it’s a massive scale threat, but only the community can judge which is which.
Yes, this is all enormously messy. The next time anyone asks why partial disclosure is not more common — this is why.