Disclosure/Non-Disclosure
Case Study Observations
Prepared by
Scott Sakai, Mansi Shah,
Kevin Walsh, and Patrick Wong
Approach
• Context created by course curriculum
• Disclosure and Non-Disclosure Defined
• Case studies
• Observed practices and “norms”
• Summary and conclusions
Disclosure/Non-Disclosure
Sakai, Shah, Walsh, Wong
Case Studies
Introduction
• Intro to computer security vulnerabilities
• To disclose or not?
• Is it illegal or unethical not to disclose a
discovered vulnerability?
• What practices are observed by industry
in the case studies?
• Questions to the audience: What
appear to be the accepted norms?
Introduction (2)
• Context of course
– Ethical Codes: acceptable professional
behavior in the computer industry
– Lessig: Architecture, Market, Norms, Law
– Brin: Transparency, criticism,
accountability, authority, authentication,
trust
Full Disclosure – What is it?
A security flaw that is…
• Released to the public immediately
• Developed and discussed in a public
forum
• In general, brought to light before the
public and vendors simultaneously
(often before a vendor fix is available)
Full Disclosure - Pros
• Levels the playing field
• Motivates vendors to fix flaw
• Lets knowledgeable users know what
their program is doing
Full Disclosure – Cons
• Makes exploiting vulnerability easier
• Increases chance of compromise or
crash
• Potential loss of productivity
• May result in incomplete fix
Non-Disclosure Defined
A security flaw that is…
• Held until the proper fixes are produced
• Not to be shared in the public eye
• Limited disclosure is a middle ground defined by
the company, which releases only some information
about the vulnerability
Non-Disclosure - Pros
• Avoids potential loss of market share
• Protects company/product reputation
• Avoids undesirable exposure of underlying
technology architecture
• Limits liability for company (can cut both
ways)
Non-Disclosure - Cons
• False sense of security
• Potential delay of fixes (both company
and client)
Case Study 1
Ping of Death - overview
• Exploit (late 1996): sending oversized IP
packets to a computer may crash it.
• Stakeholders:
– Malicious individuals executing attack
– Users who rely on vulnerable systems
– Vendors of vulnerable systems
– Public (relies on any of the above)
Case Study 1
Ping of Death - analysis
• Classification: Full disclosure
• Pros
– More stable TCP/IP implementation
– Similar exploits prevented
• Cons
– Lost data
– Vulnerable systems may still exist
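The "more stable TCP/IP implementation" the slide credits to this disclosure came from one concrete change: reassembly code began checking that a fragment's offset plus its length stays inside the 65535-byte maximum an IP datagram can have, instead of copying into a fixed buffer unchecked. The following is an added example of that bounds check, not code from the slides or from any vendor's stack; the constants are from RFC 791, and the fragment lists at the bottom are constructed test data rather than captured traffic.

```python
# Added example (not from the slides): a bounded IP fragment reassembler of the
# kind vendors shipped to fix Ping of Death. Constants are from RFC 791; the
# fragment lists at the bottom are constructed test data, not captured traffic.

MAX_DATAGRAM = 65535                          # IP total-length field is 16 bits
IP_HEADER_LEN = 20                            # minimal IPv4 header, no options
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN    # 65515 bytes may follow the header
FRAG_UNIT = 8                                 # fragment offset counts 8-byte units


class OversizedDatagram(ValueError):
    """Raised when a fragment would land beyond the largest legal IP datagram."""


def fragment_fits(offset_units, payload_len):
    """The check the vulnerable stacks lacked: does this fragment's payload stay
    inside the maximum datagram once placed at its offset?"""
    return offset_units * FRAG_UNIT + payload_len <= MAX_PAYLOAD


def reassemble(fragments):
    """Reassemble a list of (offset_units, more_fragments, payload) tuples.

    Returns the reassembled payload bytes once every byte up to the final
    fragment has arrived, None while fragments are still missing, and raises
    OversizedDatagram instead of writing past the fixed-size buffer.
    """
    buf = bytearray(MAX_PAYLOAD)
    covered = bytearray(MAX_PAYLOAD)   # 1 wherever a fragment has written data
    total = None
    for offset_units, more_fragments, payload in fragments:
        start = offset_units * FRAG_UNIT
        end = start + len(payload)
        if not fragment_fits(offset_units, len(payload)):
            raise OversizedDatagram(
                f"fragment at offset {start} with {len(payload)} bytes "
                f"would exceed the {MAX_DATAGRAM}-byte datagram limit")
        buf[start:end] = payload
        covered[start:end] = b"\x01" * len(payload)
        if not more_fragments:
            total = end                # the last fragment fixes the datagram length
    if total is None or not all(covered[:total]):
        return None                    # incomplete; a real stack keeps waiting
    return bytes(buf[:total])


def is_safe_datagram(fragments):
    """True if the fragments reassemble (or are merely incomplete) without
    violating the size limit, False if they would have overflowed."""
    try:
        reassemble(fragments)
        return True
    except OversizedDatagram:
        return False


# Constructed inputs for a quick self-check.
# A normal 1580-byte echo payload split into two fragments (1480 = 185 * 8).
BENIGN = [(0, True, b"A" * 1480), (185, False, b"B" * 100)]
# Ping-of-Death shape: a final fragment at the maximum offset (8189 * 8 = 65512)
# whose 8 bytes push the datagram to 65540 bytes, past the 65535 limit.
OVERSIZED = [(0, True, b"A" * 1480), (8189, False, b"X" * 8)]

if __name__ == "__main__":
    print(len(reassemble(BENIGN)), "bytes reassembled from BENIGN")
    print("OVERSIZED rejected:", not is_safe_datagram(OVERSIZED))
```

The check is applied before the copy, which is the whole point: the original bug was that the size was discovered (if at all) only after memory past the buffer had already been overwritten. The same rule also rejects any intermediate fragment that would overlap the end of the buffer, not just the last one.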
Case Study 1
Ping of Death - Issues
• Ethical tests:
– Utilitarian: TCP/IP is more stable now – ethical.
– Golden Rule: It sucks when someone crashes
your computer, so you shouldn’t do it to them –
unethical
• Legal issues:
– Denial of service attacks are illegal under CFAA
– Saw the beginning of contemporary issues
• International boundaries
• Data integrity
Case Study 2
Microsoft IIS
June ‘99: eEye/Microsoft IIS Security Vulnerability
• eEye finds a serious security flaw in IIS Server
• eEye emails Microsoft and places warning
bulletins, along with CERT
• Microsoft does not respond to the emails or
warnings
• eEye discloses the vulnerability due to
Microsoft’s apathy.
Case Study 2
Microsoft IIS (2)
November ‘00: Microsoft’s Anti Disclosure Plan
• Microsoft and 5 security companies decide to
create an industry standard for disclosure.
• Will draft a standard for notifying the public
about newly-found software security bugs
• Leading objective of the group will be to
discourage "full disclosure" of security holes
Case Study 2
Microsoft IIS (3)
April ’02: Microsoft’s Practices Today
• Trustworthy Computing Initiative started
by a memo from Bill Gates, under which all
employees are being trained in security
• Microsoft placed a bulletin warning on
ten of their IIS vulnerabilities
• Both events are high profile in the area
of security
Case Study 3
Felten vs. RIAA (1)
• Hack SDMI Contest (Fall 2000)
– Break 4 watermarks
• Render watermarks undetectable without significantly
degrading audio quality
– Edward Felten & Team
• Broke all 4 technologies
• RIAA threatened team with litigation through the DMCA if
team presented research to public
• Felten sued RIAA to allow presentation of research
– Case thrown out since DMCA does not apply to research
Case Study 3
Felten vs. RIAA (2)
• Stakeholders
– Professor Edward Felten & Team
• Crackers of digital watermark technology
– Other researchers
– RIAA
• Record Industry
– Secure Digital Music Initiative (SDMI)
• Holders of the watermark contest
– Verance
• One of the watermark manufacturers
– Public
Case Study 3
Felten vs RIAA - analysis
• Classification: Full Disclosure
• Pros
– Public learns truth; watermark technology fails
– Watermark companies can learn from hacks and
develop better technology
– SDMI & RIAA learn technology doesn’t work
before full-scale release of watermarked CDs
• Cons
– Verance’s watermark compromised
• DVD-Audio already in use in market, now easily hacked
Case Study 3
Felten vs RIAA - Issues
• Ethical tests:
– Rights: RIAA threat to sue Felten for presenting
paper on hacking watermarks – unethical
– Utilitarian: Public learns that watermark
technology doesn’t work – ethical
– Utilitarian: Hackers learn of vulnerability in DVD-
Audio through the paper – unethical
• Legal Issues:
– Right to disclose SDMI watermark hack
– Fear of litigation due to DMCA
Case Study 4
Malformed SNMP
• Simple Network Management Protocol
(SNMP)
• Vulnerability reported by the Oulu University
Secure Programming Group
• Vulnerability concerned trap and request
handling
• Impact included DoS, service interruption,
and unauthorized access and control
Case Study 4
Malformed SNMP (2)
• Stakeholders:
– equipment from over 250 manufacturers involved
– 3Com, Cisco, Compaq, Dell, Hewlett Packard,
Lucent, IBM, Iplanet, Larscom, Lotus, Juniper,
Nokia, Novell, Microsoft, Red Hat, Sun, Xerox
• Potential impact critical to Internet and
majority of government and commercial
networks.
Case Study 4
Malformed SNMP (3)
• Response and solution
• CERT and CVE
• Ethical test: textbook case of vendor
notification and posted fixes
• Majority of vendors post patches within
three weeks of notice
• Immediate workaround non-catastrophic
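The vulnerability in this case study concerned how SNMP implementations handled malformed trap and request messages, and the patched fixes came down to decoders that validate every encoded length before trusting it. The following is an added example of such a strict decoder, not code from the slides, from the Oulu group, or from any vendor: it parses an SNMPv1 message in its BER encoding, refuses any element whose declared length runs past its parent, and rejects indefinite lengths. The SNMPv1 PDU tags are the standard ones; the GetRequest bytes are constructed by hand for the self-check, and only request-style PDUs are decoded in full (a Trap is recognised by its tag only).

```python
# Added example (not from the slides): a strict SNMPv1/BER decoder that checks
# every length against its enclosing element. Packet bytes below are constructed.

class MalformedSNMP(ValueError):
    """Raised for any message whose encoding does not fit its own framing."""


# SNMPv1 PDU tags (context-specific, constructed).
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def read_tlv(data, pos, end):
    """Decode one BER tag/length header inside data[pos:end].

    Returns (tag, value_start, value_end). The declared length is checked
    against the enclosing element before anything is read from it."""
    if end - pos < 2:
        raise MalformedSNMP("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first == 0x80:
        raise MalformedSNMP("indefinite length is not valid in SNMP")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F                      # long form: n following length bytes
        if n > 4 or end - pos < n:
            raise MalformedSNMP("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if length > end - pos:
        raise MalformedSNMP(f"length {length} exceeds enclosing element")
    return tag, pos, pos + length


def expect(data, pos, end, tag):
    """read_tlv that also insists on a particular tag; returns the value span."""
    got, vstart, vend = read_tlv(data, pos, end)
    if got != tag:
        raise MalformedSNMP(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return vstart, vend


def decode_oid(raw):
    """Decode a BER OBJECT IDENTIFIER value into dotted form."""
    if not raw:
        raise MalformedSNMP("empty OID")
    ids = [raw[0] // 40, raw[0] % 40]
    value, pending = 0, False
    for b in raw[1:]:                         # base-128 sub-identifiers
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            ids.append(value)
            value = 0
    if pending:
        raise MalformedSNMP("unterminated OID sub-identifier")
    return ".".join(map(str, ids))


def parse_snmp_message(data):
    """Decode an SNMPv1 message strictly: each element must lie inside its parent
    and the message must end exactly where its outer length says."""
    end = len(data)
    mstart, mend = expect(data, 0, end, 0x30)         # SEQUENCE
    if mend != end:
        raise MalformedSNMP("trailing bytes after message")
    vstart, vend = expect(data, mstart, mend, 0x02)   # INTEGER version
    version = int.from_bytes(data[vstart:vend], "big", signed=True)
    cstart, cend = expect(data, vend, mend, 0x04)     # OCTET STRING community
    community = data[cstart:cend].decode("ascii", "replace")
    ptag, pstart, pend = read_tlv(data, cend, mend)
    if ptag not in PDU_TYPES:
        raise MalformedSNMP(f"unknown PDU tag 0x{ptag:02x}")
    msg = {"version": version, "community": community, "pdu": PDU_TYPES[ptag]}
    if ptag == 0xA4:
        return msg                # Trap PDUs have another layout; tag only here
    pos, ints = pstart, []
    for _ in range(3):            # request-id, error-status, error-index
        s, e = expect(data, pos, pend, 0x02)
        ints.append(int.from_bytes(data[s:e], "big", signed=True))
        pos = e
    lstart, lend = expect(data, pos, pend, 0x30)      # VarBindList
    oids, pos = [], lstart
    while pos < lend:
        bstart, bend = expect(data, pos, lend, 0x30)  # VarBind
        ostart, oend = expect(data, bstart, bend, 0x06)
        oids.append(decode_oid(data[ostart:oend]))
        pos = bend
    msg.update(request_id=ints[0], error_status=ints[1],
               error_index=ints[2], oids=oids)
    return msg


def is_well_formed(data):
    """True if the message decodes under the strict rules, False otherwise."""
    try:
        parse_snmp_message(data)
        return True
    except MalformedSNMP:
        return False


# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
GET_REQUEST = bytes.fromhex(
    "3029" "020100" "04067075626c6963" "a01c" "020400000001"
    "020100" "020100" "300e" "300c" "06082b06010201010100" "0500")
TRUNCATED = GET_REQUEST[:30]                              # cut mid-PDU
BAD_LENGTH = GET_REQUEST[:6] + b"\xff" + GET_REQUEST[7:]  # community length byte 0xff
LYING_LENGTH = bytes.fromhex("3084ffffffff") + GET_REQUEST[2:]  # outer length claims 4 GiB

if __name__ == "__main__":
    print(parse_snmp_message(GET_REQUEST))
    for name, pkt in [("TRUNCATED", TRUNCATED), ("BAD_LENGTH", BAD_LENGTH),
                      ("LYING_LENGTH", LYING_LENGTH)]:
        print(name, "well-formed:", is_well_formed(pkt))
```

The three malformed inputs exercise the three failure modes a length check must cover: a message that ends before its declared contents, an inner element claiming more bytes than its parent holds, and an outer length large enough that a decoder allocating or copying on trust would misbehave before it ever reached the PDU.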
Observed
Industry Practices
• Emergence of clearing house and
response organizations: Computer
Emergency Response Team (CERT),
Common Vulnerabilities and Exposures
(CVE), Responsible Disclosure Forum
• Accepted as legitimate by industry and
the customer
Observed
Industry Practices (2)
• Role of industry and mainstream press
• Role of university and industry research
groups
• Evidence of industry, press, and buying
public arriving at a sense of a “norm”
• Norm legitimized through criticism
Summary and Conclusions
From case studies:
• Both non-disclosure and full disclosure
can be ethical and unethical depending
upon the tests applied
• The rights test is not applicable in most
contexts due to the timeliness of the
legal system
Summary and Conclusions (2)
Movement of the Industry:
• Practices by major software corporations are
moving from non-disclosure (and limited
interest in security) towards full disclosure
(and a much greater interest in software
security).
• Stakeholders following this trend: Microsoft,
the 281 manufacturers and organizations like
CERT.