More Turtles!
I guess every time I read misguided commentary about vulnerabilities, I should be allowed to respond, since I am not in the majority (yet ;-)). In this case, you can tell Jason really supports my viewpoint, and I'll show you where and why.
The value of vulnerabilities
, 2006-03-07
An unfortunate title - Freudian slip? Happens to the best of us sometimes.
There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?
It is pretty clear Jason is "playing to the crowd" here since he makes unsubstantiated claims. You can see here and later in the article that he is headed in the right direction - that vulnerabilities should be addressed even if they are not disclosed. But he fails to make the final leap of logic - we should be addressing all vulnerabilities, known, unknown, disclosed or not. when we finally can, disclosure becomes moot.
[snip lots of stuff on just how cool vulnerability research is. Gotta like a guy with passion.]
Trust in the force, Luke, I mean Jason. It is clear that you are saying things you want to believe yet can't quite resolve in your mind.
Where do vulnerabilities come from?
[...]Most public vulnerabilities are disclosed by a security researcher, and more often than not these are on a major security-related mailing list such as Bugtraq.
Again, Jason gets close. Again, a heading derails him slightly (vulnerabilities come from developers, not vulnerability researchers, which is his point, I believe).
[...]
Now, for whatever reason, the public disclosure of a vulnerability is often considered to coincide with its very existence. Even the often-used term "zero-day" seems to imply that an undisclosed vulnerability doesn't really exist yet. This belief is a mistake that too many people make. It's as if people are under the impression that these vulnerabilities don't actually pose any sort of threat until they're publicly disclosed.
That said, again he makes a great point about the existence of undercover vulnerabilities but fails to call for action. Instead, he implies that threat exists prior to disclosure yet is willing to wait until disclosure to do something about it. (It is obvious here that he believes you MUST wait until disclosure and is caught up in a patch game).
[...]There are no guarantees, and therefore I think it would be pretty naive to believe that the person reporting the issue is the only one aware of its existence. That in itself is pretty frightening if you think about it.
And the converse would be naive as well - to believe that researchers report ALL existing issues.
But should we then expect security researchers to audit commercial software, which is sold for profit, and to do so for free?
Well, if a guy put blacktop on my driveway without me asking, yes, I would expect it for free. Nobody is asking for this - I don't believe forced charity is good charity, thanks.
If there are ethical issues in the sale of vulnerabilities, what's ethical about selling very insecure software in the first place? While its impossible to write software without vulnerabilities, it's pretty obvious that some companies don't even try to create secure products.
A good start, but the implications are many and the evidence few. Who is "very" insecure and who isn't? (Where does Symantec fit in?)
Why we need responsible, public disclosure
Personally, I believe that vulnerabilities pose a real threat long before they are publicly disclosed.
Oh, so close. He just needs a nudge... maybe this post will do.
The notion that publicly disclosing these issues puts people at risk - long after the vendor has been notified, and months or even years have passed without any sort of public notification - seems ignorant and self-serving.
And yet, the evidence is plentiful. He will correct himself later, but suffice it to say that risk increases simply because the threat increases (more bad guys find out about the vulnerabilities).
This view also seems like nothing more than an attempt to divert the blame for insecure software and a poor remediation process away from where it belongs: those who created the software. The bottom line is that after a vulnerability is discovered and reported to a vendor, the systems are still vulnerable to the issue, regardless of whether or not someone decides to make the information public.
Actually, the systems are vulnerable upon any discovery, no reports required.
And, to clarify, I'm not saying that posting an exploit to Bugtraq before even contacting a vendor (or perhaps, just a few hours after contacting them) is responsible. It's not. I'm also not saying that it doesn't put people at risk.
Here is the clarification/correction (I just hope that doesn't make him "ignorant and self-serving" - just kidding, Jason ;-))
Ultimately, I believe that security researchers are doing us all a favor. That's something that they deserve to be rewarded for. While responsible disclosure is important, there are also limitations to reasonable vendor response times - because people are at risk long before the public disclosure. In the end, security researchers aren't the ones creating the vulnerabilities, they're just the ones finding them.
Comments