Ugh – Herding Cats

Another disclosure article from CNET. My comments in context.

This story was printed from ZDNet UK, located at

Do ‘irresponsible’ security researchers help or hinder?
Robert Lemos
January 26, 2005, 16:20 GMT

To many software makers and security consultants, flaw finder David Aitel is irresponsible.

The 20-something founder of vulnerability assessment company Immunity hunts down security problems in widely used software products. But unlike an increasing number of researchers, he does not share his findings with the makers of the programs he examines.

And he has that right.

Last week, Immunity published an advisory highlighting four security holes in Apple Computer’s Mac OS X — vulnerabilities that the company had known about for seven months but had kept to itself and its customers.

"I don’t believe that anyone has an obligation to do quality control for another company," Aitel said. "If you find out some information, we believe you should be able to use that information as you wish."

This is the problem with "responsibility" – people are often "irresponsible."

Despite efforts from Microsoft and other companies to direct how and when security alerts are sent out, independent researchers like Aitel are sticking to their own vision of flaw disclosure.

For them, software companies have become too comfortable in dealing with vulnerabilities — a situation that has resulted in longer times between the discovery of security holes and the release of patches.

Interesting. Before vulnerabilities were disclosed, we said the process would lead to more secure software. Some would say that this is the case (the writer of the CNet article asserts that this is the case). Now, with everyone working in harmony (ahem) the researchers need to find another way to stir up controversy. Here’s a tip: the reason that this takes a long time is, um, because it takes a long time. Nobody is trying to create these vulnerabilities. People are bombarding them with vulnerabilities.

At the heart of the issue is the software industry push for "responsible" disclosure, which calls on researchers to delay the announcement of security holes so that manufacturers have time to patch them. That way, people who use flawed products are protected from attack, the argument goes. But the approach also has benefits for software makers, a security expert pointed out.

"As long as the public doesn’t know the flaws are there, why spend the money to fix them quickly?" said Bruce Schneier, chief technology officer at Counterpane Internet Security, a network monitoring company. "Only full disclosure keeps the vendors honest."

I disagree. I don’t inherently believe vendors are dishonest. I do believe they have to manage their resources and make decisions.

In the past, many hackers and security researchers outed glitches without much thought of the impact on Internet users. Microsoft, among others, changed this. As part of its 3-year-old "Trustworthy Computing" initiative to tame security problems in its software, the company began an outreach program to support the work of the security community. At the same time, it started chastising those researchers who, it believed, released details of flaws too early.

There was never any reason to believe that the "bad guys" would follow the "rules." (Hint: that’s what makes them bad).

The result is a tradeoff between security researchers and software businesses that is supposed to benefit product users.

Survey says: (make a sound of a buzzer)!!!

Apple, for example, keeps the work of its security team wrapped in secrecy and issues patches approximately every month. Microsoft has moved to a strict second-Tuesday-of-each-month patch-release schedule, unless a flaw arises that poses a critical threat to customers’ systems. Database maker Oracle has settled on a quarterly schedule.

"We think it is in the best interest of our customers," said Kevin Kean, director of Microsoft’s security response centre. "A large portion of the research community agrees with us and works with us in a responsible way."

But some security researchers believe the tradeoff is benefiting companies too much, as it allows them to tweak their patching processes at their convenience, and without the need to introduce fixes disturbing the progress of software development. That adds up to a lax attitude to security, some experts believe.

eEye Digital Security abides by Microsoft’s responsible disclosure guidelines, but posts the length of time since it reported a vulnerability to the software giant on a special page on its Web site. The top-rated flaw on the company’s Web site was first reported to Microsoft almost six months ago, for example.

What is strange is that people are okay with that. If we worry about non-disclosure, we should be worried about the eEye list.

…rest of the article deleted because I am beating a dead horse…

Copyright © 2005 CNET Networks, Inc. All Rights Reserved.
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET NETWORKS, Inc.