Archive for know more free bugs

Apparently Time Has Reversed – Not The Disclosure Debate Again?!?

Posted in security with tags , , , , , , , , , , , , , , on April 23, 2010 by hellnbak

Remember  back in 2001 when researchers were compared to Terrorists and the term “Information Anarchy” was coined?  You can read this blast from the past here –>  http://www.windowsitpro.com/article/windows-client/information-anarchy-the-blame-game-.aspx

As the saying goes, those who do not learn from history are doomed to repeat it, or something like that we have this clueless blog post over on the Verizon Business Blog –>  http://securityblog.verizonbusiness.com/2010/04/22/redefining-security-researcher/

The gem of this post is:

“Narcissistic Vulnerability Pimp: One who – solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure.”

Sigh.  Really?  One would think that a business with the word “Intelligence” in it would actually show some.  Meanwhile we all know that the “intelligence” is nothing more than a bunch of drones monitoring IPS logs and being yelled at when the technology they have pimped out does not actually detect a real world threat.  So instead of actually attempting to improve things it is much easier to point fingers, call names and attempt to blame researchers.

Researchers *DESERVE* credit for their finds because while they are causing short-term pain (short-term pain Verizon Business is able to invoice clients for) they are affecting long-term changes.  History has proven, when a vendor gets tired of being hammered by security issues that vendor starts taking security seriously and begins to improve.  Let us not forget that the majority of researchers do this FOR FREE, so giving them some resume fodder and recognition should not be such a big deal.

Verizon Business’ entire business model falls apart if it was not for these so-called “Narcissistic Vulnerability Pimps” giving your drones something to submit billable hours for.  Or how about the fact that Verizon Business themselves have and may very will still employ the exact people they are attempting to point fingers at.  I know for a fact that at one time (maybe still) a couple very high-profile “Pimps” were receiving paychecks from Verizon.

I am totally stealing this comment from Charlie Miller’s twitter (http://twitter.com/0xcharlie) but based on this blog post — Verizon Business are the whores that the vulnerability Pimps peddle to.  Given the choice of being a pimp or a whore I would pick pimp any day of the week, the wage is better, the benefits are better and who doesn’t like smacking a ho once in a while?

Lets back up a second and try to determine exactly what Verizon is complaining about.  I suppose they are trying to point out the difference between a researcher that follows responsible disclosure vs one that does not.  So why the silly name calling?  Why not just simply put it that way.  There are those that believe in responsible disclosure and there are those that do not.  Kind of simple isn’t it?  Oh wait, that does not make for a good blog post to generate some attention and traffic — much like this one.

While I am ranting about what is probably the most ass backwards blog post this year I might as well share my opinion on the whole disclosure thing and yes I do truly believe that this is beating a dead horse as there will never be an opinion that is completely correct.

There was a time, especially around the 2001 timeframe, when I believed that reporting a bug to a vendor, then giving said vendor a set amount of time (30 days in my case) to fix a vulnerability was the right thing to do.  After 30 days expires, release full details on the vulnerability and move on. 

Over the years, and as I began to work for various software and hardware vendors, my thoughts on this slighty changed putting me more in the responsible disclosure camp.  To me this means, you find a vulnerability, you report it to the vendor and you wait for the vendor to patch before releasing your independent advisory.  The severity, based on ease of exploitation and impact of exploitation, of the issue dictates how much information to release on the issue as the whole point is to actually help increase security.  The only caveat I have to this is that I also believe that if a vendor is refusing to patch an issue, not taking the issue seriously, or someone else finds the issue and uses it publically then all bets are off and it is better to simply drop all details so that those in the protection business have a level playing field. 

In fact, the only reason I am against the whole “No More Free Bugs” movement is because if you privatize and monetize the reporting of vulnerabilities, you remove the ability to hold a vendor truly accountable by having the ability to simply “drop zero day” on them to force a fix.  Once you enter in to contracts and start accepting money for vulnerabilities — you lose your ability to force change.  That said, a pimp needs to get paid.  😉

Anyways, this whole argument is stupid.  Full Disclosure works and in my opinion responsible disclosure is a safe compromise as long as the vendor is playing along.  Verizon Business is truly biting the hand that feeds them.

Advertisements