Comments: What to do about responsible disclosure?

Four quick points before the weekend:

1. You put me on the side of secrecy. This is skewed. I'm for partial disclosure, but not full disclosure. This is not secrecy.

2. You quote me as saying that: "He blogs that we can't release all this information for security reasons; we don't release security-sensitive info because it gives an attacker an advantage."

Your inference is only partially correct. I wrote that as information security professionals we are adverse to disclosing information and that secrecy is a valid security practice. The specific case I sited dealt with giving an attacker an advantage. One of the cornerstones of our professions is Confidentiality (CIA triad). Sometimes the information is gives an attacker an advantage, other times disclosure has other consequences (see number 3).

3. You write that: "I believe that when people say "cannot release that for security sensitive reasons," there are generally other real reasons. Primarily, this is the safety of the people doing the job in that they can do their job much more happily if they can avoid the scrutiny that disclosure forces."

I believe Dan Geer was more along the correct lines with his General Council remark (which you quote) than your statement; it's more corporate liability than incompetence. In addition, see number 4.

4. The question is secrecy/disclosure to whom. Most corporations and InfoSec departments are audited by internal and external auditors on a regular basis, especially in the US since SOX.

Posted by Kenneth F. Belva at April 6, 2007 07:14 PM

> (Quick quiz -- what's your defence against MITB? is it (a) never heard
> about it, in which case you are a victim of the secrecy myth, (b) have
> one but can't say, in which case you are perpetuating unsafety through
> secrecy, or (c) something else?)

Man in the browser? I guess I ought to turn off Javascript and Java before typing in my bank password. I used to run with those turned off by default, but I gradually gave in and started leaving them on by default as the number of sites that I wanted to use that required them increased. No doubt the same thing will happen with Flash, although it will take longer because there is not a Free Software flash implementation yet, so I don't even have it installed on my primary platform. Also because the web is a helluvalot uglier with flash -- blinking ads everywhere. Ugh. Of course, that was part of my objection to Javascript back in the day, too.

But to come back to your query, I'm not currently spending energy to defend myself against Man in the Browser, but if I were, my defense would be to use a smaller, less featureful browser.

Posted by Zooko at April 7, 2007 01:37 PM

Hi Kenneth, thanks for your reply, some responses!

1. OK :)

2. Right, in that there are plenty of ways to discuss why it is better to not disclose. Secrecy is a valid practice, I agree.

The point though is that the secrecy argument is way overdone. It's hard to argue against "need to preserve secrecy as a valid defence" so it is a frequently trotted out excuse. Only professionals can argue against it, and they won't. Try it some time, and see how you cause your own reputation and professionalism to be questioned.

3. OK, you probably thought I was saying that "information security professionals are incompetent." Heaven knows, it looks that way ... but that's only the outside perception.

In practice, the job is difficult for a number of reasons -- contradictions almost -- and the delivery of results is hard to be objective about. In such an environment, all reasoning to not do something becomes a useful defence against the lack of tangible deliverables.

What Dan Geer points to may well be entirely accurate. But how many professionals have gone to battle on this issue? Versus, how many have said, "oh, that's that, then, we can wash our hands of the damage being done to others...?" (See comment on Adam's original post for more on this.)

My point is that secrecy is a great excuse. Dan Geer's point is another great excuse. The great thing about excuses is that the more the better; the bad thing is that the underlying problem -- sharing information about breaches that might help other companies -- goes unaddressed.

4. I believe I addressed that by listing who to disclose to (points 1,2 in post) Disclosure of breach info to auditors -- why is that useful? A serious question!

Here's one view: It is totally worthless, presuming that the information security professionals are already doing their job and fixing the problem. Is the only value from disclosure to auditors, then, found if the security professionals aren't doing their job, or, perhaps, if they need the "fear of the auditor" in order to do their job in the face of management skepticism?

Posted by Iang at April 7, 2007 02:05 PM

A little drift

Data Breach Notification Laws: A State-by-State Perspective
http://www.intelligententerprise.com/channels/infomanagement/showArticle.jhtml?articleID=198800638
Congress and Data Breaches
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=privacy&articleId=9015819&taxonomyId=84&intsrc=kc_feat

this somewhat related to old "security proportional to risk" posting
http://www.garlic.com/~lynn/2001h.html#61

recent posts about having gotten exposed to some of cal. notification legislation (both opt-in/opt-out stuff related to privacy matters as well as breach stuff) when we were called into help wordsmith the electronic signature legislation.

http://www.garlic.com/~lynn/2007f.html#72 Securing financial transactions a high priority for 2007
http://www.garlic.com/~lynn/2007g.html#8 Securing financial transactions a high priority for 2007

Posted by Lynn Wheeler at April 9, 2007 03:05 PM

After our last conversation I decided to try web browsing with Javascript turned off. It turns out to be surprisingly painless so far! I have two on-line banks -- Wells Fargo and Chase -- and Wells Fargo has traditionally had a simpler (better) user interface. Interestingly, Chase fails noisily without Javascript. After logging in it gives you a .jsp redirect error message or some such bogosity. Wells Fargo gets even simpler (even better), although it does add a note to the top of the page recommending that you turn Javascript back on.

P.S. I'd like to try Frank O. Trotter III's bank, next time I save up enough cash to open another bank account...

Posted by Zooko at April 12, 2007 12:43 PM
Post a comment









Remember personal info?






Hit Preview to see your comment.
MT::App::Comments=HASH(0x55bd0a09a0c0) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.