Protection Rackets

Update: Clarified my question and point in second to last paragraph.

The Guardian had an article yesterday about how vulnerability auctions are essentially protection rackets and it is all bad for security:

This year computer users will be more exposed to cybercriminals than ever before. It’s not just because online crime is so attractive to identity theft gangs but, ironically, because the computer security industry that is supposed to protect users has deteriorated – from one which shared everything about newly discovered weaknesses to what some within it now call a "protection racket".

"The security industry is fast becoming a protection racket. There’s no other word for it," Henry says. "The tradition has always been for vendors to share information on vulnerabilities so we can all protect our customers. Now you’ve got hackers being given a so-called legitimate route of selling vulnerabilities to a single company who then protect their own.

People love certainty, even when the knowledge may increase the risk, which it does with broader disclosure. You see, the vulnerability already exists in your environment, so you have already accepted that risk. The only thing that changes the equation, then, is the threat side – and more people knowing about it equals greater threat, and therefore increased risk.

Mitigation techniques that are tied to specific knowledge of specific vulnerabilities (e.g. patches) are inherently flawed. The benefit is greatly outweighed by the cost, when you look at a) the proportional allocation of resources across ALL vulnerabilities (including unidentified ones) in an environment, and b) the number of vulnerabilities that are actually exploited.

Ask yourself this question: why do you think bugfinders are finding ALL of the exact same vulnerabilities that the bad guys are finding and using? There are so many vulnerabilities to choose from that the "collision" rate could easily be very low (and is low, according to security professionals who subscribe to the belief that the black hats are winning). In order to be sufficient, an explicit discovery strategy must find every vulnerability.

The industry must either increase vulnerability discovery by (probably) a factor of 10x or more to even attempt to catch up with every single vulnerability ever created and being created in real time… or come up with new methods for protection.
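The "collision rate" argument above can be made quantitative. The following is an added illustration, not part of the original post: it assumes a code base with N exploitable bugs, of which defenders independently find d and attackers independently find a, each as a uniform random subset. Under that (assumed) model the overlap is hypergeometric, so the expected number of shared bugs is d·a/N and the share of attacker bugs that defender-driven patches cover is just d/N.

```python
"""Expected overlap between defender-found and attacker-found bugs.

Assumed model (illustration only): N bugs exist; defenders find d of them and
attackers find a of them, each as an independent uniform random subset. The size
of the intersection is then hypergeometric with mean d*a/N.
"""
import random
from fractions import Fraction


def expected_collisions(n_total: int, defenders: int, attackers: int) -> Fraction:
    """Expected number of bugs found by both sides (exact, as a fraction)."""
    if not (0 <= defenders <= n_total and 0 <= attackers <= n_total):
        raise ValueError("subset sizes must lie in [0, n_total]")
    return Fraction(defenders * attackers, n_total)


def covered_fraction(n_total: int, defenders: int) -> Fraction:
    """Share of the bugs attackers use that defender-found patches also cover.

    Does not depend on how many bugs attackers find; it reaches 1 only when
    defenders have found every bug, which is the post's point about sufficiency.
    """
    return Fraction(defenders, n_total)


def simulate_collisions(n_total: int, defenders: int, attackers: int,
                        trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of expected_collisions with constructed random subsets."""
    rng = random.Random(seed)
    bugs = range(n_total)
    total = 0
    for _ in range(trials):
        found = set(rng.sample(bugs, defenders))   # defenders' discoveries
        used = set(rng.sample(bugs, attackers))    # attackers' discoveries
        total += len(found & used)
    return total / trials


if __name__ == "__main__":
    N, A = 10_000, 50          # constructed sizes: 10k bugs, attackers use 50
    for d in (500, 5_000):     # defenders find 5% vs. 50% of all bugs (10x more)
        print(f"defenders find {d:>5}: expected shared bugs = "
              f"{float(expected_collisions(N, d, A)):.2f}, "
              f"patches cover {float(covered_fraction(N, d)):.0%} of attacker bugs, "
              f"simulated shared = {simulate_collisions(N, d, A):.2f}")
```

With the constructed numbers, a tenfold increase in defender discovery moves patch coverage of attacker-used bugs from 5% to 50%, which is the gap the paragraph above describes.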

For further reading, see my original post on vulnerability auctions.

2 comments for “Protection Rackets”

  1. January 18, 2008 at 12:47 pm

    “Ask yourself this question: why do you think bugfinders are finding ALL of the exact same vulnerabilities that the bad guys are finding and using?”

    They are not finding all the same bugs. Please show proof of this if you really believe it or you are just trolling.

  2. Pete
    January 18, 2008 at 2:08 pm

    @David -

    I don’t believe that, but I am not trolling*.

    My point is this: if the bad guys are finding different bugs (which I expect, given the huge number of available bugs in the code universe), but we are only worried about the ones that the good guys find, then we are misappropriating our resources. We should be making much more of an effort protecting ourselves from “known unknowns” – the bugs that we can all agree are likely to be discovered (by the good guys) a year from now but affect our systems now.

    In the context of the original article – we should be thankful that fewer people know the details and shouldn’t be relying so heavily on the knowledge ourselves, especially given the known unknowns out there.

    Btw, I think I have the best proof there is that bad guys find different bugs, but note that it is fairly sparse compared to the huge number of discovered vulns overall. See for details. In the spirit of your request for evidence, I would love if you provided your own.

    *How can I be trolling my own blog?
