Bruce Schneier has a post about Sybase suing NGS Software. I wonder if he knows how strange this sounds, especially from someone who expresses such a strong interest in security economics:
I can see why Sybase would prefer it if people didn’t know about vulnerabilities in their software — it’s bad for business — but disclosure is the reason companies are fixing them. If researchers are prohibited from publishing, then software developers are free to ignore security problems.
I wrote about this particular situation briefly here and have an expanded opinion here. I am still trying to come up with the right way to explain why I think vulnerability SEEKING is a bad idea. Let me try again, using Schneier’s post as a starting point.
I infer from Schneier’s comment that without disclosure software vendors would ignore security problems. But wouldn’t a compromise force a vendor to fix their software problems? In fact, isn’t compromise the only reason we would care? Put another way, if there were no compromises, why SHOULD developers care? There are likely many, many vulnerabilities in existence (heck, if history is our guide, there are about sixty in the queue for discovery/disclosure next week, but we don’t seem to care) and there is no way we will find all of them, so I want developers to focus on the ones that will do me the most harm, don’t you? And if some platform has a particularly long history of compromise, wouldn’t that be a better way of forcing them to fix their software than rattling a door and saying it is unlocked? I think so.
Let me try to lay it out:
- There are many vulnerabilities in the wild.
- In the wild (i.e. unconstrained), there is no reason for us to think that white hats will find the exact same vulnerabilities as black hats. There are just too many vulnerabilities out there (likely).
- The white hats are driving the threat by disclosing vulnerabilities on platforms that may or may not be crucial to an organization’s defenses. If they are not crucial, an organization must now consider the risk to be increased and perhaps allocate more resources. Thus, the white hats are driving our defensive strategies even if the platforms they pick may not be the most important to us.
- Meanwhile, the black hats don’t need to follow the white hats’ rules, so they go somewhere else, in the same way that criminals may go somewhere other than the place where a video camera exists. So we are stuck defending against a threat that may not exist (there is a bit of human weakness here: it is easier to do this than attempt to protect against zero days) while the black hats target other vulnerable systems. Script kiddies keep us busy by launching worms and other noise that distract from the real problem.
- The costs of fixing self-created problems are through the roof. The time to exploit is only decreasing if one ignores all the vulnerabilities that have never been exploited.
We say interesting things like "vulnerability seeking protects us" and yet anytime a new vulnerability is disclosed, the appropriate level of risk is raised (not lowered). Any single vulnerability is highly unlikely to have a significant impact on long term risk level.
I believe black hats exist. I believe they are compromising our systems even today. I don’t think there is any reason to believe that white hat bug hunters are doing anything to stop this from happening. Why do you? More importantly, why don’t you want to spend all of your time dealing with this problem instead of dealing with self-made ones?
Collusion? Ah, now there is an interesting question. I am going to assume that all the rumors and snide remarks from vendors about secretly being glad that bug hunters exist simply to generate business are just gossip. Did I mention that I believe black hats exist? If they do, we have nothing to worry about. If they don’t, the only people that have to worry about it are the people making money hand over fist pretending that they do.
Conflict of interest, you say? (Actually, I said it). Absolutely, for product vendors. Did I mention that I believe black hats exist? If they do, I want my vendors PERFECTING THEIR PRODUCT rather than targeting their competitors’ products. There isn’t a vendor out there in the Threat Management space that doesn’t claim to protect against zero days. Let’s do it.
Beautifully put.
There is a lot of noise out there, including that from those with a vested interest. And so much of it seems ridiculous… another RPC vulnerability in my public web server? I guess that is why we block all ports but the essential ones, but we still patch like crazy and hope the patches do less damage than the threats.
We need to spend more time and thinking on issues like application logging and affordable analysis to see what might really be happening in our environments. Sarbanes may be seriously contributing to solutions now that more logs are being stored. I have advocated the use of data mining tools against those logs to find ‘interesting’ associations – the proverbial needle in a haystack.