Full disclosure debate…. again?

The full disclosure debate has raged over the years again and again. While I am sure that many people are tired of hearing about it, sometimes things happen that provide a new look at the idea and the conversation. Shadow Brokers and the NSA leak is a great example of one of those things. As such, ISACA asked Pete Lindstrom of IDC and me to write about the two sides of this debate in light of the NSA tools and exploits being leaked.

The two articles can be read at:

Enjoy and we would love to hear your thoughts.


1 thought on “Full disclosure debate…. again?”

  1. These are two really great articles and a great discussion. To be upfront, my view on the topic was in line with Kevin’s before reading, but Pete gave some really great points that gave me pause.

    In the end, I still think that a full disclosure process, that includes a non-public disclosure period (i.e. vendor notification first), seems to be the right balance. Give the vendor X days to fix and push a patch, then, if necessary, cause a PR issue for them to force their hand. I’ve discovered dozens of vulnerabilities in big named vendor products that I cannot disclose (NDAs) that they have been sitting on for years. In my experience, as a general rule, the bigger the company, the slower they are to correct the problem in a reasonable amount of time (if ever). PR is really the only thing I’ve found that will move them to work faster…or at all in some cases.

    I completely agree with Pete’s point about the bad guy moving faster than the defenders (in many cases), and “we make the costs trivial for attackers…[with] proof-of-concept exploits”. But, if a single exploited vulnerability compromises everything, then that says a lot about that organization’s, and the industry’s, security stance. For example, when DDE (re)surfaced, my employer had close to a dozen mitigation and detection capabilities that prevented/alerted on everything that was seen in the wild (before it started). Same with just about every other over-hyped, named vuln/attack vector. There’s never been an, “oh crap, we’re screwed” moment. As Pete mentioned, “hygiene is preventative”.

    Now, a rant about the NSA comments. This hits very close to home for me, so I have to comment…on what I can. Kevin, I have much respect for you, but I have to respectfully disagree about what you said concerning the NSA.

    What Shadow Brokers did does not at all resemble “responsible” disclosure, IMO. They didn’t contact a vendor and give 30 days or publish a (non-weaponized) vuln disclosure. They released/sold ready-to-fire exploits before the vendor was even notified about the vuln.

    I think it’s a bit unfair to blame NSA for this. NSA didn’t release these. Don’t forget, NSA has an IAD/CND mission to protect DoD and Gov systems running the same software, in many cases. But, they also have a CNE mission to locate people that are hell-bent on killing you and me (so they can be neutralized) and to provide intel that can and does stop wars. Trust me when I say, when a vuln is discovered at NSA, there are serious, sometimes heated, conversations that take place on what to do with it. The process, run by humans, is not perfect. And, like this discussion, the decision is not always easy to come to. Also, the outcome is not binary (“use it” vs “disclose it”). There are some really cool options that NSA exercises regularly in regards to this topic that would amaze you.

    Would encourage you to read these:
    > https://www.eff.org/files/2016/01/18/37-3_vep_2016.pdf
    > https://lieu.house.gov/sites/lieu.house.gov/files/CRS%20Memo%20-%20Vulnerabilities%20Equities%20Process.pdf

    This is a great quote from the second link above: “Disclosing vulnerabilities to vendors is not a guarantee the vulnerability will be patched”. If NSA disclosed something to a vendor and the vendor chose not to fix it, but NSA was later discovered to be using it, does that change your opinion of NSA any?

    NSA’s VEP is the same type of process that I (a current red teamer) work under now. Sometimes we hold things back until we use them and sometimes we preemptively disclose to blue. Many times when we preemptively disclose, we are still able to leverage them for days/weeks/months/years. If my employer got hit with something we (the red team) are using, are we the bad guys? Especially if we had already disclosed it? If anything, I feel that a higher percentage of my GNEVA work at NSA went the preemptive disclosure route than my private sector red team work does.

    My last comment is on, “The NSA [is]…collecting and developing exploits against popular software”. Heck yeah, and I am extremely proud that I served my country providing that capability. The bad guys use “popular software” also. And, I personally prefer dead terrorists to saving a big business who should have had better layers of mitigation. IMO, “we all will be safer” is very subjective.

    Please don’t misunderstand my points above. NSA has a lot of flaws. And the fed government is out of control. If I were president for a day, 95% of the fed government would be shut down permanently, and the other 5% returned to a constitutionally based system which does not grant them so much power and secrecy. Any politician/lawmaker that is not fighting for this cares more about their power and control over us than doing what is right. I’m definitely not defending the government. But, I am trying to give you some reassurance about the VEP.

