The hardest thing to get large companies to do is to share sensitive corporate information with direct rivals. A very close second to that is to get them to talk about a security attack they just suffered. But that double reticence provides a favorable business climate for cyberthieves.
If all companies in a sector shared information about cyberattacks with one another, they would all learn about new things to look out for. Because potential victims would be aware of where a new danger lies, cyberthieves would have to give up new tactics fairly quickly. If that information isn't being shared, the cyberthieves can just keep repeating their new attacks at one company after another. You would hope that companies could see the benefit of sharing information with rivals, which would then be encouraged to share information in return that could save the original company from a cyberattack as well. But cyberthieves needn't be too worried about that. There's far more suspicion and paranoia in large companies than can be overcome by security self-interest.
I've been thinking about all of this in the wake of the March 19 shutdown of the 12-year-old, highly respected global security mailing list called Full Disclosure. FD was a wonderful forum for security professionals to share new cyberthief tactics and report security holes. The folks who ran FD were vague about why the list was being shut down, other than that it involved legal threats.
John Cartwright, the administrator of the list, bemoaned changes in the hacker community, saying in a message, "I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honor amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."
Fortunately, we won't be writing the obituary for Full Disclosure -- yet. A few days after the list was shut down, Gordon Lyon, a fan of the list and himself a respected security researcher, surfaced to take over the administration of the list, with Cartwright's blessing.
Lyon decided to revive the list because he doesn't buy the arguments of some in the security field that lists like FD are no longer needed. To the suggestions that researchers can just host their advisories on websites like Pastebin and post links to them on Twitter, he said, "Mailing lists create a much more permanent record, and their decentralized nature makes them harder to censor or quietly alter in the future."
Lyon is right that FD is worth saving. Its most remarkable attribute is that it cleverly wins at the game of keeping the bad guys out by not ever trying. A senior security manager for a very large retailer made the point that the list embraces wide disclosure as the best weapon against thieves and vandals.
"Full Disclosure," he said during that dark week when it looked as if FD was gone for good, "was intended for security researchers, but they knew any attempt to exclude thieves was guaranteed futile, so they never tried. It's not really a rivals-versus-rivals issue. It's about white and gray hats versus black hats. This list was kind of an uneasy truce between the white and gray hats. It was also competition between researchers, as announcing a discovery bestows prestige. Among the list's accomplishments is that they worked out a disclosure policy. Responsible researchers agreed to notify software companies 30 (or more) days before publishing on FD, giving the vendors time to patch in exchange for the publicity associated with the discovery."
If FD had truly disappeared, there are other lists available, but the retail security manager said many security researchers would probably choose private communication options. "Taking its place will be private contests, such as pwn2own, and firms offering cash for vulnerabilities like Google's bug bounty, etc. Google pays far better than Apple, by the way. There -- allegedly -- are also private vulnerability exchanges, where (supposedly) you can sell a zero-day for cash or Bitcoins, no questions asked. It's long been assumed the NSA has made the bulk of the purchases."
But everyone in the security field should be rooting for Lyon to keep FD going. Its real demise would be a win for the bad guys. "By not having this place to expose them, the vulnerabilities will remain hidden longer, they will remain unpatched longer, yet the attacks will keep coming," the security manager said. "I expect to see a resultant increase in zero-day attacks and damage as a result."
There are just some things that an independent list like FD can do better than the other options. The "share immediately" school of thought has always had a fundamental flaw: The initial information available to breach victims is almost universally wrong, and dramatically so. It takes time to sort out forensics, to figure out which digital fingerprints are real and which were deliberately left by the attackers to send investigators in the wrong direction. That gets sifted out on an independent list that's policed by an aggressive community that lives to find weak logic or invalid assumptions uttered by their colleagues. As a result, information can get out cleanly and consistently.
When Lyon announced the relaunch, he pointed to the list's "light, versus restrictive, moderation and support for researchers' right to decide how to disclose their own discovered bugs."
Most critically, he pledged to handle the pressures that made his predecessor give up. "I'm already quite familiar with handling legal threats and removal demands -- usually by ignoring them," Lyon said. "Vendor legal intimidation and censorship attempts won't be tolerated."
Sounds like the list is in good hands again. That's good news for everyone who struggles to ensure information security, and very bad news for cyberthieves everywhere.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at firstname.lastname@example.org and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.