More, more, more (Vuln Research)

TQBF writes about my opinions (and others) regarding vulnerabilities. I will clarify a few points and address some of his comments:

TQBF: Says Lindstrom: We’d be better off without disclosures, and if we need to regulate to get there, we should.

No, we are better off without discoveries, something I am sure will make you think I am even crazier than I am. The raging disclosure battle doesn’t really matter much, though every new set of eyes that sees new vulnerability information increases the risk. For the record, I think the regulation that is often discussed regarding software liability is A RIDICULOUS IDEA, but I am not opposed to regulation regarding software manufacturers’ disclosure of the "touch points" to their applications. See here and here for more details.

TQBF: To Lindstrom: In 1996 the overwhelming majority of public-facing Internet software could be compromised by obvious stack overflow attacks. It was virtually impossible to run a secure network. I tried. I’m good at this game. I got burnt (I tracked this down after someone broke my fairly popular ISP using the one line-by-line audited privilege-revoking SUID I had left enabled). What hope did an IT guy have?

Umm, okay? I don’t know how to answer this, nor do I understand why it matters in 2005. I don’t know what you did wrong, but I suspect you have a couple of ways to address that problem today – with proxies. In 1996, the risk was higher, though the ultimate impact was likely lower for most people. There were fewer people even on the Internet, and of those, most were technical elites. Tell me again why this matters today? Is it to evoke some sort of emotional commitment on my part? I don’t know – things change. Get over it.

TQBF: Ignoring the progress we’ve made as a result of the "disclosure research movement" is disingenuous.

It is exactly impossible to ignore the "progress" we’ve made, because you’ve forced us not to be able to. So, are you suggesting we are better off today? I have a hard time seeing that. Did you make Microsoft accede (at least in part) to your demands? Sure. Was it necessary? Who knows? Did it help? Doubtful. What is impossible is to ascertain whether we could have made this progress anyway.

TQBF: This is a battle you people are going to lose. You’re going to lose for a variety of reasons.

For some reason, the whole "it’s not going to change anything, anyway" or "you’re going to lose" routines are big this time around. This shows quite a misunderstanding of the nature of risk (I recommend "Against the Gods" as a primer). You see, for me to win, I only have to convince one white hat who would have discovered a vulnerability not to do it. I only have to convince one person at one organization to employ slightly better security than the patch management we are all forced to do when we can. My victory is risk reduction, and risk reduction is a game of very small numbers.

TQBF: The disclosure research movement operates in parallel with the non-disclosure research movement, which is funded by the Russian Mafia and the monetization of security breaches.

Thank you for making this point. I would like to further it by suggesting that disclosure research is also independent from the Russian Mafia, North Korea, China, and anyone else being brought up these days when discussing vulnerability research. That realization should bring you to another point: Remember when I said risk reduction is a game of very small numbers? Well, compromises are, too, but in reverse. In order to somehow claim that vulnerability research is assisting us, WE HAVE TO FIND EVERY SINGLE VULNERABILITY THAT THE BAD GUYS FIND; it only takes one to attack and compromise a system. Even the most generous research suggests that only 7% of vulns are rediscovered.

Thus, we are all better off acting as if the black hats are out there finding their own vulnerabilities and compromising systems. I believe they are, and it amazes me that nobody seems to want to focus on thwarting those efforts. To act as if we know when and where the black hats will attack is making the same mistake that every defeated military commander in the past 2000 years has made. Let’s face it: vuln discovery/disclosure today is the equivalent of DHS’s color-coded threat level – it really just isn’t meaningful, but it makes some people feel more comfortable.

Security through obscurity is a bad idea. Security DESPITE obscurity is the only way to survive.