Thomas Ptacek re-hashes what he has said before, as wrong as it was then and is now. Mike Rothman chimes in with a preemptive strike a la Eminem in 8 Mile to try to control the conversation, but it didn’t work. The most interesting thing about Ptacek’s points is that they are all opinions – there is no evidence at all to support his conclusions. He totally DIDN’T say that!
I happen to agree that the whole disclosure (and discovery*) story is old, but I sure hope I will always be there to correct the mistakes being made every time they come up, because they seem to recur (pssst – I know why, too). Regardless of the monotony of the topic to some, just saying what you have said before doesn’t make it any truer than the first time you said it. Of course, anyone who has read chapter 3 of Cialdini’s Influence knows that the repeaters begin to believe what they’ve said more (and still more when it is written) in order to maintain their Commitment and Consistency, in the same way that the cult that thought Y2k would be the end of the world actually believed it more after Y2k happened, regardless of the obvious evidence to the contrary.
The interesting thing, though, is not what they’ve said before, but what they haven’t said, ever. They can’t prove that anything has gotten better. They just want to believe it with all their heart and soul.
To really end the discussion, all they have to do is answer some simple questions:
- When will they be done? Okay, I’ll make this easier – when will all the vulnerabilities be found?
- When will the rate of vulnerability discovery and disclosure surpass the rate of vulnerability creation?
- What evidence is there that the Russian Mafia is going to find the exact same set of vulnerabilities that they find?
- If the Russian Mafia has found the same bugs, and they believe disclosure is necessary for protection, how can they wait so long to disclose?
- What are they doing about the other vulnerabilities that the Russian Mafia has found?
- What software product is now "more secure" with all of its required patches?
- Why does every security agency in the world raise their risk rating when vulnerabilities are published?
- Why do they believe that without disclosure nobody would ever find any vulnerabilities?
Truth be told, the answer to the question of why bugfinders believe that their actions are justified is simply because they like doing what they are doing. It makes them feel good. I would respect that kind of disclosure most of all.
Btw, I have the evidence on my side: 1) risk warnings never go down with the latest disclosure of vulns; 2) any single infection of a disclosed vuln is evidence that risk went up; 3) bugfinding doesn’t make software more secure; 4) there may be about 7% overlap in bugfinding; 5) bugfinding may make software more secure after 7 years (i.e. about 2-4 years after its useful lifetime).
* My biggest beef with this whole charade is really on the discovery side of things. For some reason, Ptacek focuses on something called "full disclosure" which is defined a thousand different ways by a thousand different people.