Full disclosure--two views collide

by Andy Oram

Last Thursday's Ignite Boston, which I wrote up in a previous blog post, provided an unexpected mirror in which two opposing views reflected on each other, each view presented in one of the two keynotes, by John Viega and Jonathan Zdziarski.

Both Viega and Zdziarski are security experts and authors of books published by O'Reilly and other publishers. Viega used the bully pulpit for an entreaty against the "full disclosure" philosophy, a fundamental article in the open source catechism. Zdziarski, who had not consulted with Viega beforehand, endorsed full disclosure wholeheartedly and with a doggedly pragmatic intent. The context for Zdziarski's approach is the Apple iPhone, which has security vulnerabilities that, in his experience, Apple doesn't fix until they're made embarrassingly public.

Today Zdziarski sent me a long and frightening article from the National Journal about the threat of cyberwar. Although the basic premises in the article have been circulating for years, many of the details were new to me. And despite the title's focus on China, the article makes it clear that governments as well as individuals (the "cyber-militia") are engaging in disruptive behavior around the world. In fact, the article cites worries about what may be happening inside the NSA.

It seems to me that the National Journal article provides more fodder for Viega than for Zdziarski. Viega insisted that the black hats planning DDoS attacks and identity theft aren't as smart as they are commonly made out to be. They couldn't create as much havoc if they had to rely only on the vulnerabilities they found themselves. They are helped immeasurably, he said, by the public revelation of vulnerabilities in major software products by people with no malicious intent. The worldwide database of known vulnerabilities is swelled by individuals trying to show off their technical chops, and by companies in the security business trying to demonstrate the indispensability of their products.

So long as software vendors are slow to fix bugs, full disclosure has to remain an option, a kind of last resort, and I think Viega allowed for this. Open source projects have to promote a sense of responsibility among contributors to be discreet in reporting bugs with security implications. Perhaps it doesn't matter much anyway--most people keep using unpatched versions of software long after fixes come out.