You said, “what I think is that we need to be secure without having to rely on bugfinding. There are plenty of opportunities for better representation of legitimate functionality (software safety data sheets) and enhanced monitoring. We will always be behind the game trying to deal with finding every flaw in the world”.

If you keep talking this line over the years, I’m going to be more and more likely to agree with you.

What do we do until software safety sheets reach popular culture as critical mass? In a world where Consumer Reports still rates AV software and network equipment vendors put the words, “NERC CIP-compliant” on their latest hardware and software — isn’t bugfinding a bit more appropriate?

IMO, we will always be behind the game if vendors can continue to sell security as marketing terminology or shoddy blackfilter products.

In this Dan Kaminsky situation, I agree with you. There was no reason to go public in the way and to the degree that he did. Dan has done us all a disfavor.

Pete, you also said, “Dan, I like positive press, too, but if you go back and look at what you’ve done, it was probably the biggest self-initiated ego-trip I’ve ever seen in bugfinding history. Not only that, but I think it is arrogant to try to “order” people around with “Just.Patch.Now” kinds of assertions, when you have no clue what they have going on at their jobs and how this announcement fits into it. And when your supporters start getting self-righteous and calling people stupid for not patching, I find it even more offensive”.

Maybe you’ll be interested to know that Dan won the Pwnie award for “Most over-hyped bug”, and then proceeded to storm off-stage and out the room crying and acting like a baby.

what I think is that we need to be secure without having to rely on bugfinding. There are plenty of opportunities for better representation of legitimate functionality (software safety data sheets) and enhanced monitoring. We will always be behind the game trying to deal with finding every flaw in the world

If you keep talking this line over the years, I’m going to be more and more likely to agree with you.

What do we do until software safety sheets reach popular culture as critical mass? In a world where Consumer Reports still rates AV software and network equipment vendors put the words, “NERC CIP-compliant” on their latest hardware and software — isn’t bugfinding a bit more appropriate?

IMO, we will always be behind the game if vendors can continue to sell security as marketing terminology or shoddy blackfilter products.

In this Dan Kaminsky situation, I agree with you. There was no reason to go public in the way and to the degree that he did. Dan has done us all a disfavor.

Dan, I like positive press, too, but if you go back and look at what you’ve done, it was probably the biggest self-initiated ego-trip I’ve ever seen in bugfinding history.

Not only that, but I think it is arrogant to try to “order” people around with “Just.Patch.Now” kinds of assertions, when you have no clue what they have going on at their jobs and how this announcement fits into it. And when your supporters start getting self-righteous and calling people stupid for not patching, I find it even more offensive

Maybe you’ll be interested to know that Dan won the Pwnie award for “Most over-hyped bug”, and then proceeded to storm off-stage and out the room crying and acting like a baby.

I wrote a more in-depth risk assessment for the DNS flaw on the Burton Group SRMS blog.

I think you severely underestimate the ability and motivation of the bad guys, and that accounts for our difference of opinion. If the bugfinders are really that much smarter than the bad guys, then I take your point. On the other hand, when there is so much evidence of financially motivated and able attackers (especially in Russia and China), I tend to believe that the attackers already know most of these vulnerabilities. In that case, the bugfinders are only helping to close the gap, and I appreciate their work.

And, to point of the attention-seeking, I think that’s a lot less beneficial than it once was. I used to believe that Microsoft needed to be publicly embarrassed before it would clean up its act. Now I know that Microsoft improved their security because they saw it was necessary. Oracle is repeatedly exposed as vulnerable and they still get away with an “Unbreakable” ad campaign, so clearly the publicity has no impact on the bottom line.

I could do with less publicity-whoring. Especially from Kaminsky, whose act includes his grandmother, doing shots on stage, some kind of sombrero, and now his niece. It’s difficult to take him seriously.

1) I am “against” any discovery and disclosure events that increase risk. I hold open the possibility that there are situations where this doesn’t happen (QA for pre-GA software might be a good example here). In general, random public discovery and disclosure increases risk and I am all for minimizing it.

2) I am particularly “against” bugfinders who find bugs thinking they are doing the world a favor, and by extension encouraging other people who want to be heroes to go out and find bugs too.

3) The rate of vulnerability creation is far exceeding the rate of vuln discovery, so while every find seems beneficial, they are Pyrrhic victories in a war we are losing. Therefore, I am “for” developing existing techniques and finding new ones that put us in a better position of winning.

4) You make an assumption that bugfinders magically find the vulns the bad guys find. In an unconstrained world of vulnerabilities, this probability is extremely low.

This means that bugfinders are contributing even more to the smart bad guys being able to find flaws and exploit them because they are distracting us and consuming significant resources on the wrong vulnerabilities.

Then, lo and behold, even those vulnerabilities get exploited and we’ve increased risk and created an even bigger problem. Meanwhile, those smart bad guys that you think I am leaving alone are being aided and abetted by folks like you who support disclosure.

5) You seem to imply that this is the only way to protect ourselves. If it is, we are dead. But it isn’t. We need to focus more on trusted systems and monitoring, and a lot less on vuln patching. But we can’t because bugfinders keep creating imminent threats out of thin air that must be addressed. (And meanwhile, I say again, the really smart bad guys are still doing their thing.)

The consumer reports analogy was intended to show another instance of a third party with better/more information helping a group of consumers without the time or expertise to do the evaluation themselves. It was probably a bad analogy.

If I’m reading you correctly, you are against all forms of vulnerability disclosure? Like Mr. Burns, the world is so ridden with software bugs that the only thing keeping us alive is that all the bugs try to get through the door at the same time?

So, no disclosure? Let the smart bad guys find all the flaws and exploit them, in order to keep the lesser bad guys from learning about them (and, by extension, preventing the good guys from having a chance to protect themselves)?

People withhold vulnerability information all the time. Bad guys likely have plenty of vulnerabilities that we don’t know about. But there are too many vulnerabilities to try to find them all.

Clearly, systems are better off without bugs in them. I don’t think you can find any of them… In fact, I don’t even think you can find the majority of them… People are NOT better off when you find a single bug out of the many that exist and disclose it to the world.

No, I don’t get mad at Consumer Reports because there is no intelligent adversary involved who could inject lead paint in millions of toys around the world with the information Consumer Reports provides. (Not sure why you think that analogy is a good one).

And that’s where I don’t get the anger directed at people that find bugs. Do you also get pissed when Consumer Reports discovers lead paint in toys? Would you rather carry on believing all the toys are safe, instead?

http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience-05

(Don’t be too surprised by the timing; Amit Klein’s TXID randomness attacks were gated by TTL opportunities. This is a necessary consequence of that talk.)

I think we can agree that this bug would have been far riskier just going public one day, than this staged disclosure. In absolute terms, there would be more incidents from the inevitable rebuttal to Forgery Resilience than from a simultaneous patch event.

Beyond that, I suspect that the long term damage to the Net of this bug staying in the hands of a few bad guys (it’s too simple not to have) would have been — has been — silent but quite deadly.

I guess it comes down to — suppose you knew of a flaw that could really break things. Would you just leave it there, waiting to hurt people? Or would you try to do something about it?

I’m trying to do something about it. I’m not asking for anyone’s gratitude. Actually, the security community is pretty pissed at me right now — broke their rules, knowingly. What’s increasingly clear to me is we need good ways to deal with these flaws, and that just leaving them there until they collapse is just as dangerous an idea with internet infrastructure as it is with our roads and bridges.

I look forward to seeing what everyone has to say, when all this is said and done — even you. Though I will say, the inflammatory titles do not help your credibility in that matter.

(If I wanted to ignore you, I would.)