I haven’t blogged anything of good use lately, so I thought I would start up again by calling out this completely useless and incorrect opinion piece. On the Dark Reading blog an article appeared entitled “Share – Or Keep Getting Pwned”.
Sigh. Clearly zero research was done into this posting, as there really is a lot of information sharing going on in the industry. While I will admit that the industry as a whole needs to be better organized, the assumption that no one shares inside the industry is a wrong one and very misleading to the sheep who actually believe what they read.
Take the second paragraph for example:
“Take the attacks on Google, Adobe, Intel, and others out of China (aka “Operation Aurora”). McAfee and other security firms investigating victims’ systems each had its own fiefdom of intelligence, occasionally publicly sharing bits of information, like the Internet Explorer zero-day bug used in many of the initial attacks. But did anyone have the whole picture of the attacks?”
Actually, yes. Yes, multiple people at multiple different organizations did in fact have the whole picture. I personally was witness to a lot of inter-vendor information sharing that was extremely helpful for those affected by this issue. I obviously am not going to comment on who exactly shared what information or what was shared. But a lot of information that was never made public was in fact shared amongst many parties. Even more “shocking”, this was done without the use of silly non-disclosure agreements (NDAs) and was based on reputation and personal trust relationships. Meaning that there was zero corporate bullshit in the way of moving forward.
Using a second example, one that I can talk more publicly about without getting myself in trouble: we all remember the Marsh Ray TLS MITM bug from earlier this year. Marsh Ray and Steve Dispensa both went above and beyond what was expected in sharing information with anyone. They even attempted to leverage the muscle at ICASI (http://www.icasi.org) to pull all the major vendors together and share. Taking things a step further, Marsh personally offered to sit down and work directly with any vendor having issues with the bug. Sure, the vulnerability release did not go as planned (these things rarely do happen that way), but it was handled in a very open and progressive manner.
These are only two of multiple examples. There are even private mailing lists where COMPETITORS on the product side of the house routinely share information on various threats, ranging from malware to new exploitation techniques. So again, the whole process could use some improvement (maybe I just found a use for VulnWatch), but the insinuation that sharing doesn’t happen because of jealousy or competitive reasons is way off base. Most want to do the right thing, even if it means working directly with a competitor.