Redefining “Security Researcher”
admin, April 22nd, 2010
Have you ever heard of a terrorist referred to as a “demolition engineer?” How about a thief as a “locksmith?” No? Well, that’s because most fields don’t share the InfoSec industry’s ridiculous yet long-standing inability to distinguish the good guys from the bad guys. Perhaps we’re just in one of those moods lately, but it seems to be getting worse. It’s far too easy for anyone who has anything to do with information security to be labeled (by themselves or by others) a “security researcher” without regard to their behavior. “Security Researcher Breaks This” and “Security Researcher Exposes That,” say the headlines. Ugh; we really need to clean up our language. That begins with setting a few principles and regularly using more accurate descriptors in our publications and daily conversations.
Why does this matter? Well, it’s a matter of principle: one is either part of the problem or part of the solution. Problem-makers and solution-makers should no more share a label than terrorists and engineers do. Sure, both interact with explosives in their daily business, but they put their skills to vastly different uses. Is there a reason we must continue to label people by the tools of their trade rather than the merit of their deeds? We think not.
We at Verizon Risk Intelligence do hereby adopt and resolve to faithfully use the following definitions:
- Security Researcher: One who studies how to secure things and/or how things are not secure in order to find a solution.
- Security Practitioner: One who applies the findings of the Security Researcher in order to make things more secure.
- Narcissistic Vulnerability Pimp: One who – solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure (or increases risk).
- Criminal: One who actively subverts security without authorization or deliberately creates ways for others to do so.
It’s time to draw a line in the sand. If you too are tired of seeing criminals elevated to a podium of legitimacy and bestowed the same job title you possess, join us. We’d be grateful to have the company.
*****
Update: I put this as a comment but I felt it needed to go as an update to the main article. I enjoy (many of) the comments and healthy debate on this important topic…but please stop using analogies that compare the disclosure of software/hardware vulnerabilities to auto part defects and sharks in the water. Whatever your stance on disclosure, this line of logic simply does not apply. If you make known an auto defect or shout a warning to people about a shark in the water (I avoided a shark attack as a little boy because of this, btw), you DO NOT INCREASE THE LIKELIHOOD OF ATTACKS OR THEIR SUCCESS RATE. Other drivers will not start crashing into you at a higher rate and more sharks will not swarm from across the ocean to attack you because of this knowledge/warning. You can deal with the vulnerability (defect/exposure) without an increase in the likelihood of attacks or incidents.
If you tell the world about a flaw in operational software/hardware, you increase the pool of threat agents that know about it, increase the likelihood they will attack, and increase the chance they will be successful. All of this happens when you make the information known. Therefore, risk is increased unless the problem is addressed beforehand. No way around it. Argue as you wish…just pick a different line of reasoning (notice I’m not even mentioning the fact that auto defects and imminent shark attacks aren’t typically announced under a spotlight). -Wade
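The update’s risk argument (more threat agents aware, higher attack likelihood, unless a fix exists first) can be made concrete with a toy model. What follows is an added illustration written for this page, not code from the original post or from Verizon: it tracks the expected fraction of vulnerable systems compromised day by day under two disclosure timelines. The 5% baseline attacker awareness, the 2%/day attack rate, the jump to full awareness at public disclosure and the 5%/day patch uptake after a fix ships are all assumed parameters, not measured figures.

```python
"""Toy disclosure-timing risk model (added illustration; all parameters are invented)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    disclose_day: Optional[int]  # day full details become public; None = never
    fix_day: Optional[int]       # day a vendor fix ships; None = never


def compromise_curve(s: Scenario, days: int = 180, baseline_aware: float = 0.05,
                     attack_rate: float = 0.02, patch_rate: float = 0.05) -> List[float]:
    """Cumulative expected fraction of systems compromised, one value per day.

    Assumptions (not from the post): a fraction `baseline_aware` of attackers
    already know the flaw before any disclosure; at public disclosure that
    fraction jumps to 1.0; each day an unpatched, uncompromised system is hit
    with probability attack_rate * awareness; once a fix exists, a fraction
    `patch_rate` of the still-exposed systems patch each day.
    """
    exposed = 1.0        # unpatched and not yet compromised
    compromised = 0.0
    curve: List[float] = []
    for day in range(days):
        public = s.disclose_day is not None and day >= s.disclose_day
        aware = 1.0 if public else baseline_aware
        hits = exposed * attack_rate * aware   # expected new compromises today
        compromised += hits
        exposed -= hits
        if s.fix_day is not None and day >= s.fix_day:
            exposed -= exposed * patch_rate    # patched systems leave the pool
        curve.append(compromised)
    return curve


def final_loss(scenarios: List[Scenario], **kw) -> Dict[str, float]:
    """Map scenario name -> compromised fraction at the end of the horizon."""
    return {s.name: compromise_curve(s, **kw)[-1] for s in scenarios}


# Hypothetical timelines: the same flaw, the same fix date, different disclosure dates.
COORDINATED = Scenario("fix on day 60, then disclose", disclose_day=60, fix_day=60)
EARLY = Scenario("disclose on day 0, fix on day 60", disclose_day=0, fix_day=60)

if __name__ == "__main__":
    for name, loss in final_loss([COORDINATED, EARLY]).items():
        print(f"{name:36s} compromised fraction after 180 days: {loss:.3f}")
```

With these invented parameters the day-0 disclosure timeline ends with more than twice the compromised fraction of the fix-first timeline, which is the update’s point in numbers. The model says nothing about why `fix_day` is 60 rather than never; the effect of public pressure on whether a fix ships at all, which several commenters raise, is outside it.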
Tags: Information Security
As I am a little slow and usually comprehend by concrete example, if “It’s time to draw a line in the sand”, could you name some names of people, groups, or events (discovered vulnerabilities) to the different categories so that we may be better able to distinguish them in the future?
Posted by: Ken Worth on April 22nd, 2010 at 10:33 pm
Completely agree with the sentiment, and I love the label “Narcissistic Vulnerability Pimp”. Descriptive, if a bit pejorative. However, I am afraid fine gentlemen in large hats, pink fur coats, red leather pants and white shoes would object to your attempt at bringing their long standing community in ill repute by mixing in shady characters from some un-real world.
They strike me more as “Attention Seekers”. I’m certain fine gentlemen in large hats, pink fur coats, red leather pants and white shoes would have replaced “seekers” part with a more descriptive word from their daily lingo, but that’s what they are.
Sadly that term covers too many occasions and too many types of people. Maybe “Vulnerability Mercenaries” would be more fitting. They do their work for personal gains, think code of honour is a computer game, and anyone involved in any type of business with them feels as if they were just covered in slime. No soap ever washes that feeling away. Or so I have been led to believe.
Posted by: Saso on April 22nd, 2010 at 11:57 pm
Companies seem to encourage the thought that the security researchers are breaking the product when in fact they are simply exposing a flaw that has always existed. If the tables were turned and this was a car that suddenly deployed its airbag if you pressed radio on and some combination of buttons, the general public would see through this thin veil of FUD companies use as an excuse. Shame on you for attempting to use people’s ignorance of technology as a way to not stand behind your product.
The researchers are not putting bugs into the product. They are in fact telling the public about a flaw in something that could be used every day to secure their personal information. The reality is that there is no difference between a whistle blower and a security researcher. The flaw exists no matter what and should be fixed.
Posted by: wastedimage on April 23rd, 2010 at 5:06 pm
Uh, opinions and all that, but you might want to remove “Criminal: *Everyone else*”, it just looks strange.
Posted by: Stefan P on April 23rd, 2010 at 5:48 pm
How is disclosure of information making anything less secure? If I disclosed to you that your front door was open – have I made your house less secure, or simply pointed out the already insecure state of your house?
Who is more irresponsible? The developer that releases an application housing sensitive PII that has huge gaping holes in it? Or the security researcher who spends his or her own free time finding a hole and reporting it in order to get it fixed and make people safer?
You also only mentioned those who disclose for “self-glorification and self-gratification” – what about those who disclose for money (ZDI, iDefense, etc.) – or are they just “criminals”?
Is HD Moore, then, a criminal? He created metasploit, which “deliberately creates ways for others” to “actively subvert security”.
I normally have a lot of respect for the research and blogging done here by VZB, but this is just flame bait garbage.
Posted by: apparentlyapimp on April 23rd, 2010 at 5:54 pm
So, to break down the matter and look at the process:
1.) Vendors write and sell insecure code (from either ignorance, or in their haste to meet management’s demands for time-to-market).
2.) Security Researchers find these flaws and hold the vendors accountable in the public eye.
3.) Under duress, patches are released by said vendors to close holes.
4.) People/companies who bought vulnerable software have the opportunity to close the holes and make themselves more secure.
5.) Goto (1.)
So it’s the position of Verizon that those at fault for security issues are people who find the holes, not the software authors who wrote and sold the flawed product for cold, hard, cash?
Isn’t that a bit like saying it’s not Toyota’s fault for selling unsafe vehicles, that it’s the government’s fault for pushing them to recall?
Moreover, there are plenty of Other Smart People out in the world that do the same work as Security Researchers that release vulnerabilities to the public. These Other Smart People can and do find the same vulnerabilities, as well as other vulnerabilities which the world may not yet know about.
These Other Smart People then in turn have the capability to compromise the world’s computers and data, and no one is any the wiser. There is then no means to protect. There is then no means to detect. Pwnage will occur and data will be lost, and it will all be done in secret.
Whom do these Other Smart People work for? Foreign governments, criminal organizations, and even…REAL terrorists.
The vulnerabilities are all out there, whether we all know about them or not, waiting and hiding to be discovered. If the Security Researchers were really bad people, they’d never share their secrets with you, you’d never know their names. There’s much more money to be made by keeping it quiet and using it to achieve real criminal ends.
In the end, motivated and financed people have, do, and will continue to find vulnerabilities and use them in secret for nefarious purposes.
Our best line of defense is to force the vendors to secure their stuff. Vendors do not make money from patches. Vendors make money with new features and new software packages on rapid release & short time to market. Security is a cost to them that they’d rather not incur.
Ignorance is bliss, so it’s no wonder that people may so lament the state of affairs. But, let’s not blame those who are trying to do right and force software vendors to do what they should have done in the first place – write secure code that we the consumers can trust to not allow Other Smart People to steal our money, our identities, and our valuable information.
Huzzah to the Security Researcher. Thank you for making the Internet a safer place.
Posted by: Wanderer on April 23rd, 2010 at 6:18 pm
So, everyone constructing software not formally derived from a formal specification, which has been mathematically proved to hold some security property, is deliberately making ways for others to subvert security. CRIMINALS!
Posted by: feliam on April 23rd, 2010 at 6:23 pm
May I suggest the “Narcissistic Vulnerability Pimp” definition be slightly expanded to include those who blatantly throw FUD at Congress and the media to further their consulting opportunities? There’s a responsible way to raise risk and an irresponsible way. Personally I think some of them are nothing more than pimps for their businesses.
Posted by: Carl on April 23rd, 2010 at 6:23 pm
Where do smrt programmers that code insecure programs fit in?
Posted by: Hi on April 23rd, 2010 at 6:29 pm
@Stephan P
How is disclosure of information making anything less secure? If I disclosed to you that your front door was open – have I made your house less secure, or simply pointed out that already insecure state of your house?
Good point. It’s not less secure, but rather more risk-y to the general population. Risk (in terms of “likelihood” as a factor) is highly dependent on “contact” or “attempt” by the attacker. We might easily reason that a lack of knowledge in the general population limits “contact”.
Posted by: Alex on April 23rd, 2010 at 6:48 pm
It’s a good point about “Everyone else.” We had in our minds the range of folks typically crammed under the “security researcher” umbrella. You’re right “Everyone else” is a bit broad. We did not, for instance, intend to refer to ordinary users under the “criminal” label. We removed that.
The questions about where honest but errant programmers go is also good. Since our focus is to distinguish between groups commonly lumped under “security researcher,” they are out of scope. That doesn’t mean they don’t have a label somewhere.
Again, our main desire is to encourage the security community to re-think the rather loose usage of a specific term. A researcher studies problems to find a solution. If that shoe doesn’t fit, they shouldn’t wear it.
Posted by: Wade Baker on April 23rd, 2010 at 6:57 pm
While your characterization is humorous, it seems to come from one who’s been burnt. In general, I think you should be looking to place blame more with vendors than researchers. The early origins of this, researchers took their vulnerabilities to many vendors, only to get shunned. You might think this behavior gone, but see Tavis Ormandy’s recent Java flaw, which Sun decided to take a dump on rather than fix.
I think you misrepresent what’s really going on, vendors create an insecure place, researchers try to point out the holes to get them fixed, and due to poor practice and ignorance, many vendors do nothing, causing the researcher to make an issue public.
Believe it or not, the public has a right to know when they are at risk.
Did you get pissed at the weather forecasters when they misread where hurricanes land?
Posted by: Anonymous on April 23rd, 2010 at 7:00 pm
“Again, our main desire is to encourage the security community to re-think the rather loose usage of a specific term. A researcher studies problems to find a solution. If that shoe doesn’t fit, they shouldn’t wear it.”
How many researchers don’t provide a solution to the vendor by telling them how to fix it?
Posted by: Anonymous on April 23rd, 2010 at 7:20 pm
He’s not doing either one of those. He’s basically telling everyone this lock needs to be fixed because if you insert a Bic pen into it, it pops open. You’re saying that so long as the public does not know about this huge flaw everything is fine. It’s ridiculous and you know it.
Posted by: wastedimage on April 23rd, 2010 at 7:29 pm
Why does the researcher get blamed instead of the guy who wrote the broken code? This isn’t rocket science.
I wrote a post about this, as I felt it more appropriate than a ridiculously long comment:
http://m0nastic.tengulabs.com/post/543703553/do-names-matter
Posted by: m0nastic on April 23rd, 2010 at 7:34 pm
“disclosing information that makes things less secure”
“makes things less secure”
Things were already less secure if a security pimp disclosed a vulnerability.
I and especially my employer get a lot of good press, but you get much more. You get a better system, most of the time, for free.
Posted by: ortegaalfredo on April 23rd, 2010 at 7:38 pm
Wade Baker:
Your analogy to apparentlyapimp doesn’t hold. If you bought and installed a vulnerable door, it wouldn’t help you if apparentlyapimp told you it was vulnerable, because you can’t fix it.
Rather, apparentlyapimp needs to convince the door manufacturer there is a problem. Once the door manufacturer is on board and is ready to commit the resources to the problem, then that organization can then produce a fix for you, at a cost to them. Once that fix is available, you the customer can then install (or not, it’s your door).
You can’t fix it yourself, and apparentlyapimp can’t fix it either because, guess what – it’s a closed source door and you can’t get inside of it to make the needed changes to close the vulnerability.
Moreover, if you try and patch the door yourself (or, apply a patch from anyone else besides the door manufacturer) you’ll probably end up doing more harm than good, because doors are complex constructs that require a lot of regression testing. If the patches aren’t done right, the change to the door may well break the door, causing more harm than good.
Without the door manufacturer providing a fix, you are already screwed as soon as you bought the vulnerable door, whether or not you know that you just paid for a lemon.
Of course, apparentlyapimp could tell no one, and let someone else equally smart find the vulnerability in your door, who could then proceed to exploit that vulnerability. At that point, you’d be robbed without having known it, because unless you know how the door is vulnerable, then you don’t know how to look for someone breaking into your vulnerable door.
Posted by: Wanderer on April 23rd, 2010 at 7:54 pm
Narcissistic Vulnerability Pimp? Is that a technical term? The distinguishing characteristics as described:
Party 1: “how things are not secure in order to find a solution.”
Party 2: “harms business and society by irresponsibly disclosing information that makes things less secure.”
Not a whole lot of wiggle room between those two, door open in the neighborhood metaphor notwithstanding. Determining motivation is a tough sell (especially if the authoring party doesn’t provide it), and people might disagree legitimately about what is the best way to ‘find a solution’. Proponents of full disclosure will tell you that the solution is most quickly found when the most complete details are provided quickly. One could make the case that a line can be drawn from early efforts like Bugtraq straight to companies admitting and dealing with security vulnerabilities (the Patch Tuesday phenomenon).
Is there a way to benefit society at the cost to an individual, perhaps irresponsible, business? Could a researcher’s benefiting a business through private disclosure hurt society, maybe the majority of folks would have preferred to have known up front and taken a mitigating step?
For example, let’s say I figured out my model of car accelerated for no reason sometimes. Would it be better to tell the manufacturer to fix it, which they may do privately without ever disclosing the problem, and in the meantime others would be put at risk or not know about the defect being the cause of their accident. Should I call the newspaper and let them know what I had found? It will hurt the manufacturer, but more people (society) could make an informed decision on whether they wanted to continue driving, or even buy that type of car.
The problem with lines in the sand is that as soon as a little wind or water acts upon them, they move, wobble, or fade.
Please don’t lump this post together with your excellent and timely reaction to the APT deluge.
- Long time reader, first time caller.
Posted by: Prefect on April 23rd, 2010 at 7:55 pm
This entire debate is as silly and as fruitless as the hacker/cracker/knick-knack-paddy-whacker debate. Similar to many “hackers,” “security researchers” are referred to as such in the press and elsewhere because this is how they self-identify.
Your categories and examples are not mutually exclusive. There are several legitimate security researchers who have performed and been convicted of illegal, criminal activities. I’m sure there are locksmiths who are thieves and “demolition engineers” who are terrorists too (doesn’t every movie bank heist need their “demo” guy to get the dynamite? :> ).
What’s next from the Verizon Security Blog — “OMFG!!! Oh no you don’t, Bill Simmons! Don’t call Gilbert Arenas ‘basketball player’ because he’s really a ‘gunslinger.’”
What about definitions for “researchers” and “practitioners” who “responsibly” disclose but still solely do it for the purpose of self-glorification and self-gratification?
Posted by: Anonymous on April 23rd, 2010 at 8:04 pm
Seems to me that you’re arguing against “irresponsible disclosure”; that’s fine and understandable.
However, let’s hypothetically say that a researcher finds a fault in your product (i.e. “your door is open”) and you don’t do anything about it for… let’s say 6 months, and all this time this issue would allow people to access customer records, gain root access on servers etc.
If it is perceived that your company is doing nothing, because your company either isn’t communicating to the researcher about what timeframe this will be fixed in or because you don’t believe it to be a credible issue, then shouldn’t other stakeholders be made aware of this issue?
After all, if you’re managing my information, then that makes me a stakeholder in your business and I, for one, would very much like to know what business process you follow that drives people to become pimps, because if you’re not closing your door then anyone can steal my data from you.
Perhaps the current pimps aren’t disclosing things to you responsibly, and I understand that you would find that frustrating (to say the least); however, their choice may be due to historical inaction on your part. And that’s probably worse.
Posted by: userwithanopinion on April 23rd, 2010 at 8:23 pm
You’re wrong! What you’re really complaining about is the cost to you and your group to plug holes in short order. But, the fact is you should do it anyway. There’s plenty of “non-security researchers” out there who will find the vulnerabilities, and rip you and your customers off for millions. Of course, you would rather those things don’t become “public information” because it leaves you legally vulnerable and gives you bad “PR.” That’s like saying after someone robbed a bank, no one should talk about it because other people might get the same idea. Just fix the problems! Or, write your own proprietary operating systems and software. Either way it doesn’t matter. Some smart devious people will still figure out how to crack your systems.
Posted by: lasuit on April 23rd, 2010 at 8:31 pm
lasuit –
we haven’t said anything like “after robbing a bank, no one should talk about it.” We publish reports discussing how incidents occur (for the purpose of finding a solution). NVPs don’t just objectively describe or “talk” about some bad thing that happened. They actively look for problems and rather than trying to fix them or discreetly making it known to a particular group who can, they tell the world about it to get their 5 minutes of fame.
Posted by: Wade Baker on April 23rd, 2010 at 9:21 pm
apparentlyapimp:
If you told ME that my door was open, you’d be a good neighbor and contributing to a solution. If you told other people without telling me, you wouldn’t. If you sold that knowledge to criminals so they could rob me or if you entered my house and robbed me, you’d be a criminal.
Why is this hard?
Posted by: Wade Baker on April 23rd, 2010 at 9:22 pm
You’ve done your argument a substantial disservice by using terrorism as a metaphor.
The phrase “Narcissistic Vulnerability Pimp” is also glib and offensive, and implies that Verizon is not reacting rationally to this issue. This is made worse when you fail to define your terms; what is “irresponsible” disclosure to you?
This was a missed opportunity to act with the same professional grace you seemingly demand from the rest of the industry. It’s a shame.
Posted by: TP on April 23rd, 2010 at 9:30 pm
“Criminal: One who actively subverts security or deliberately creates ways for others to do so.”
Nonsense.
A criminal is someone that breaks the law. People aren’t “criminals” simply because you don’t like what they do, or how they do it.
Posted by: HK on April 23rd, 2010 at 9:35 pm
It could be argued that the real narcissists are the people and companies who sell IT Security services and products that will not benefit the people who buy them. If companies hired more testers or actually took QA and security testing more seriously, you might have a basis in your claim. We’ve just seen McAfee hose likely thousands of systems worldwide because of a bad DAT file for one of their products. What about IT Security vendors who inadvertently destroy servers and desktops because of a lack of QA testing of their products that they provide their customers? Who pays for that mistake? While there is a lot of hype in IT Security especially by vendors, any IT Security researcher who provides proof in the form of documentation and exploit code to a vendor before public disclosure is being responsible and is following the ethics of scientific publishing and inquiry. This differs from marketers who sell IT security software that is broken or flawed, and this post as well. Both do not provide proof so much as opinion or fabrication. If you sell a service or a product in the public marketplace and someone proves that you sold a defective product or service, you have no one to blame for your mistakes but yourself. The mark of a man isn’t in making mistakes. Making mistakes is human. It’s owning up to your mistakes and correcting them that is a sign of maturity. Shooting the messenger rather than acting on the message is something people do to protect their reputations, their paycheck, and their pride, and is the sign of immaturity. Also, what is an IT Security blog doing coming down against transparency? Do you realize that this makes the poster look like a hypocrite? Usually Verizon Business is debunking security myths and shining a little light on the world, not helping to perpetuate bad practices and hide in the dark like Verizon does.
Posted by: jbmoore on April 23rd, 2010 at 10:07 pm
“Why is this hard?”
It’s not. The flaw doesn’t just exist with your door, it exists with all doors of that make and model. The economic route is to inform the door vendor so the vendor can inform its customers of the problem and supply them with a fix, plus ensure that no more doors are made with that flaw. You seem to expect that “security researchers” should develop a fix, identify all customers who own the flawed door, and supply the fix directly to them in addition to the vendor. That’s clearly infeasible, so I hope you don’t actually expect that.
“If you told other people without telling me, you wouldn’t [be a good neighbor contributing to a solution].”
Depends on the vendor’s response to the vulnerability. If the vendor fixes it, then great. If the vendor says they’ll fix it, and then doesn’t (within a reasonable amount of time), we have a problem. Of course, we also have a problem if the vendor refuses to fix it at all. In such circumstances, public disclosure is the True Security Pimp’s last option. Explaining the vulnerability to people other than the vendor or the vendor’s customers may not be neighborly in your eyes, but it absolutely does contribute to a solution by forcing the vendor to respond.
Of course, there exist people who will disclose vulnerabilities before giving anyone a chance to fix them. I’m pretty sure we can agree that these people are, in fact, Narcissistic Vulnerability Pimps. But just as there are those sorts of people, there are also vendors who won’t listen (or don’t care), and they’ll be made to take responsibility for their problems whether they like it or not.
Posted by: Anonymous on April 23rd, 2010 at 10:38 pm
http://www.schneier.com/essay-146.html
Posted by: George Capehart on April 23rd, 2010 at 10:42 pm
Wow, I think they invented the phrase “Just doesn’t get it” for people like Wade Baker here. Throwing straw man examples up to justify companies’ inept laziness is foolhardy at best and dangerous at worst. Where has non-disclosure got us? Security researchers expose these vulnerabilities because companies are either too lazy or mismanaged so as to not have enough money/resources put towards fixing security vulnerabilities. As evidenced by Charlie Miller (kudos to you sir), many of these problems would never be fixed if security researchers did not expose them.
A better example than yours would be, what do you call a person who finds that a bomb detector for an airport is broken, tells the TSA, is ignored, and then releases the information publicly. I’d personally call them a hero, because they could save many lives by forcing the TSA’s hand to actually do something about a problem.
Posted by: K on April 23rd, 2010 at 11:07 pm
The analogy of you leaving your door open and the neighbor telling you doesn’t fit because you are the vulnerability in that case, but the one about a vulnerability in your door lock does.
so the question becomes would you rather take your chances that i just tell the vendor there is an issue with the door and hope they put out a recall/fix to let their customers know (which they probably wont)
or
would you rather a post to the world/full disclosure saying there is a problem with that door lock and at least give you the opportunity to go get a new lock to protect yourself?
Posted by: CG on April 24th, 2010 at 12:59 am
Using the “terrorist” analogy in the first sentence pretty much removes all potential credibility.
Also, you forgot a category for businesses that write crappy code and rely on security by obscuring rather than actually fixing bugs.
Posted by: theprez98 on April 24th, 2010 at 12:59 am
Thanks “K”. While there are certainly many things I don’t get, I may not be the only one. Follow the logic: if someone warns people about a bomb, they are concerned with saving lives. That doesn’t fit the “solely for their own self-gratification and self-glorification” criterion.
Posted by: Wade Baker on April 24th, 2010 at 1:27 am
“One who actively subverts security”
Apparently I’m a criminal when my job is legal penetration testing. Interesting.
Having sold a vulnerability to ZDI before, I probably fall under something other than “Security Researcher” as well. Having released details of vulnerable software to Full-Disclosure, I also probably fall under something other than “Security Researcher.”
While I appreciate the author being upset with researchers disclosing xyz, that’s what a researcher does. In the scientific community, researchers are the ones who find and disclose their results of a new quark or a new cancer treatment or whatever. While full-disclosure vs. responsible disclosure vs. no disclosure is another can of worms, saying that a researcher who advises the public of something is akin to someone in the porn industry is not only offensive, but wrong. While there are those who do so just to receive their 15 minutes of fame, there are also those who felt they had no other route. I myself have become quite jaded when it comes to reporting vulnerabilities to companies such as Microsoft. I’d rather sit, sell, or release publicly the details of vulns than tell Microsoft at this point. Their attitude towards researchers such as myself does not encourage us to be responsible in telling them about our discoveries. For example, in one instance, I told Microsoft about a vuln that had significant implications for IE6 and 7. They stated that they knew about the issue but would not fix it until IE 8. Instead, they chose to silently fix the issue in a patch for 7 (not sure about 6) and “fix” it in 8. No credit, no acknowledgment, nothing. And this is not the first time they have done this to me, never mind other researchers. Please tell me how I and others like me are supposed to approach this problem other than sit on, sell, or publicly disclose these vulnerability details?
I’m a researcher, thank you. I research, apply, and share my results, just like researchers in other industries.
Posted by: SneakySimian on April 24th, 2010 at 7:23 am
LOL this is a pretty funny story. “Security Researcher” is a politically neutral term. Oh and I think you owe my friend a monitor, she spit coffee all over hers loling at this story
Posted by: threethirty on April 24th, 2010 at 1:15 pm
The comment about authorized penetration testing is well-taken. This isn’t criminal activity. I would argue that this is already covered under the researcher definition for those who study “how things are not secure in order to find a solution.” Just to make it more clear that pen testers aren’t lumped in with criminals, we’ve updated the definition to include “without authorization”.
Posted by: Wade Baker on April 24th, 2010 at 2:33 pm
Wade
Your premise seems to be that vulnerability research (and disclosure) makes us less secure, since nobody would know about the vulnerability if it hadn’t been disclosed. Therefore people trying to find vulnerabilities (and disclosing them) are hurting society. Yes?
So let me correct your logic
This isn’t a metaphysical question. (i.e. “if a tree falls in the forest…”). A vulnerability exists or it doesn’t. If it exists, it can be used for nefarious purposes.
A prime example is the recent Operation Aurora attack on Google. The vulnerability (CVE-2010-0249) existed. Just because it was not known and disclosed did not make it any less real.
As any good leader will tell you, it is better to know of a problem so it can be addressed. Pretending it doesn’t exist is a recipe for disaster. We should be working harder to discover more unknown vulnerabilities, and rewarding people for their hard work.
Posted by: Vikram Phatak on April 24th, 2010 at 3:26 pm
One more thing to think about. While software vendors may feel they are under siege, a more accurate description would be that they are collateral damage. Vulnerabilities in software are the field of battle between global crime networks and security researchers.
In this case vulnerable software is the lowlands of Belgium. Its land is desired by both sides, and the locals just want to be left alone.
Posted by: Vikram Phatak on April 24th, 2010 at 3:49 pm
Vikram,
I agree with your terminology and have updated the definition accordingly. The level of awareness of a vuln may not change the level of security but it without question changes the level of risk. Therefore, my premise is that risk is increased when information is exposed that increases the rate/capability of threat agents/actions unless that increase is offset beforehand in some manner (i.e., helping/allowing the vendor to fix the problem before making it known). I understand that many disagree but I believe they’re wrong. I believe that because it simply cannot be any other way. If that makes me hated by a certain segment of the population, so be it. It wouldn’t put me in bad company, that’s for sure http://www.csoonline.com/article/440110/The_Vulnerability_Disclosure_Game_Are_We_More_Secure_.
Posted by: Wade Baker on April 24th, 2010 at 4:26 pm
Let’s take the following scenario:
1. Company A releases a software product.
2. Unrelated software researcher (let’s call him “Z”) says that there are so many vulnerabilities in the product and notifies the company.
3. Company A doesn’t care a damn about this !@#$ Z guy and does not patch the software.
4. Since the vulnerabilities are not patched, lots of viruses, malware, crashes blah blah blah make life miserable for the rest of us.
5. Company A gets a lot of bad press and loses out in the end, big time…
Seriously, don’t you think that it’s only due to these “researchers” (you call them “Narcissistic..whatever!”) that software companies are forced to patch more quickly?
Would you rather be notified by black hats, red hats, green hats, whatever:) about “vulnerabilities” in your product(s) or would you like your product to lose popularity more quickly thanks to “unpatched bugs/vulnerabilities etc.”?
The choice is yours.
Posted by: What? on April 24th, 2010 at 5:17 pm
Oh come on Verizon, you’ve got to be kidding me…
Folks who disclose early might be malicious. I think that more often, they’re just tired of getting the run around from vendors. I certainly disagree with your assertion that the Pimps make things “less secure”. That’s poor vocabulary coming from security professionals. Products are “less secure” the very moment they’re released with bugs or poor design.
Why aren’t you complaining about the people who find bugs and *don’t* report them? That’s much more harmful overall.
Posted by: pboin on April 24th, 2010 at 6:05 pm
Sorry Wade, but I liken this to an ostrich sticking its head in the sand. While I’m not a fan of full-disclosure without at least attempting to notify the RP first, sometimes that’s what it takes to protect the overall population. The problem, as I noted in my Microsoft example, is that sometimes vendors are stubborn and refuse to acknowledge that they have a problem. This is dangerous behavior, as I’m sure most if not all of us in the security industry have seen before. Having a vendor refuse to acknowledge that they have a problem when it is clear that there is a problem is harmful to users of that vendor. The criminals will find that vulnerability and will exploit it. The question isn’t whether criminals will find it, but rather if the vendor will fix it in a timely manner. Sometimes, unfortunately, what needs to happen is that the public be told about the problem so that they can pressure the vendor into fixing the problem. As a user, I don’t appreciate my vendors being slow to fix something that could cost me money, embarrass me, or turn my computer into a member of a crime syndicate’s escapades. And if it requires that the public know about these possibilities in order for a vendor to do something about it, then that’s what needs to happen.
Posted by: SneakySimian on April 24th, 2010 at 7:14 pm
Well..
If a narcissistic vulnerability pimp gives me the impetus to get management buy-in through FUD, and they are the sole reason we today can have comfortable lifestyles due to their hard work, then I think we need more of them……….
My 2cents.
Posted by: frank moreton on April 24th, 2010 at 11:58 pm
People:
Please stop using analogies that compare the disclosure of software/hardware vulnerabilities to auto part defects and sharks in the water. Whatever your stance on disclosure, this line of logic simply does not apply. If you make known an auto defect or shout a warning to people about a shark in the water (I avoided a shark attack as little boy bc of this, btw), you DO NOT INCREASE THE LIKELIHOOD OF ATTACKS OR THEIR SUCCESS RATE. Other drivers will not start crashing into you at higher rate and more sharks will not attack you. You can deal with the vulnerability (defect/exposure) without an increase in the likelihood of an incident.
If you tell the world about a flaw, you increase the pool of threat agents that know about it, increase the likelihood they will attack, and increase the chance they will be successful. All of this happens when you make the information known. Therefore, risk is increased.
I enjoy the healthy debate on an important topic…just pick another analogy, please.
Posted by: Wade Baker on April 25th, 2010 at 5:00 pm
Sure, if I or you or someone else releases something tomorrow, more people will know about it. But the criminals already know. Or on the rare chance that they didn’t, they will soon. But so will the people that can do something about it. Remember all of the unofficial patches that came out (and worked well, at least for the PCs I deployed them on) for the WMF vuln? It takes Microsoft and others public embarrassment sometimes to do something. Meanwhile, we as users are suffering because the vendors refuse to be responsible. Again, I am not advocating not contacting vendors, but sometimes there’s no other choice.
Posted by: SneakySimian on April 26th, 2010 at 1:25 am
Your line of thinking would be close to the truth if and ONLY if the software makers would have demonstrated so far that they DO CARE about security problems, and that they do solve the security bugs from their products in a good-will fashion.
Posted by: Cornel Diaconu on April 26th, 2010 at 7:08 am
Unfortunately the history and day-to-day experience have proved that, up to now, very few software makers care about these things ! They do solve their bugs on very loose terms, and they DO NOT patch critical bugs based on their own good-will, but rather forced by these public disclosers you rant about here…
Without these public disclosures, there would be a very slow line of bug patching from the vast majority of software makers !!! The experience has told this so far !!
Please, name only ONE company that patched their products on a regular basis, and based on their own research about vulnerabilities in their products !!!
Please.. only ONE !!!
These <> are the ones that force companies (like even your own company) to solve security bugs in their products. So I can’t see a real reason to mock them !
Your locksmith/demolition expert comparison is only valid for cases when the locksmith steals things, or the demolition expert blows up people [or gives their knowledge to bad guys before informing producers/security guys or the general public].
I advocate releasing info to public, in cases when vendors put their money higher than security of their customers. I.e. do not react timely or do not give concrete response when the problem would be solved.
Imagine if some locksmith finds a method to easily break a lock which was considered “quite secure”, informs the vendor, and in response gets “FU”? Plus the vendor continues to publicly claim “Our locks are the most secure locks in the world”.
I, as a potential or existing user of their lock, would be thankful to the locksmith if he informed the public (including me) about 1) the weakness of the lock; 2) the irresponsibility of the vendor.
However, probably there really are such “narcissistic vulnerability pimps”, who would release info to the public immediately, no matter what the vendor does or promises to do.
So again – no black & white.
Posted by: wrong on April 26th, 2010 at 7:32 am
I’ve been down this road repeatedly for more than 25 years, and it never fails to amaze me how tone deaf companies can be. If you want to influence people’s behavior, calling them terrorists and pimps is not the way to proceed.
Your post has all the hallmarks of someone who is new to the field and having to respond to publicly reported vulnerabilities for the first time.
You have done your position a great disservice.
Posted by: Lester on April 26th, 2010 at 5:01 pm
If only there were some research that showed the likelihood of an attack happening compared to how recently a vulnerability was announced. Then we could look at the short and long term risk of a particular vulnerability with regard to knowing about the issue, there being a patch available and it actually being exploited for actual gain.
Posted by: Arthur on April 26th, 2010 at 5:26 pm
I think when you publish a vulnerability, you increase the onus on the buyer (whether of a car or a piece of software or anything) to take their own precautions seriously. Always a good thing in my book. If a company can’t respond to the disclosure in a timely manner, they lose market share. Again, a good thing.
Posted by: Keith on April 26th, 2010 at 6:19 pm
blackhats often mourn security disclosures
Posted by: anonymous on April 26th, 2010 at 6:23 pm
wrt your update:
sure, you’d increase the probability of an attack. but sometimes the probability of a solution is so minimal, that pimps seem to be providing the only impetus for the supplier to fix their product.
Posted by: dot tilde dot on April 26th, 2010 at 7:30 pm
I could not disagree more with the statements in the original article. Especially the “narcissistic” part.
Fixing bugs costs money. Vendors are not terribly likely to fix bugs if they have got no incentive to do so. If nobody (or only a few black hats) know about a security issue, it likely is not going to be fixed, even if the vendor knows of the issue in question.
Comes the hacker (no, not a narcissistic kid) and threatens to reveal the information within 30 days if the vendor does not do his homework.
Now, the vendor has an incentive to fix the security issue.
Talking about sharks and cars misses the point: that the vendor should mend his software. Period. And please don’t tell me that vendors fix bugs without an incentive. Please. Otherwise, I’ll split my sides laughing.
Posted by: Flying Circus on April 26th, 2010 at 7:56 pm
@Wastedimage:
“The reality is that there is no difference between a whistle blower and a security researcher. The flaw exists no matter what and should be fixed.”
It’s a fact that far more exploits occur against publicly announced vulnerabilities than vulnerabilities not previously known, so how does one explain this?
@Apparentlyapimp:
“If I disclosed to you that your front door was open – have I made your house less secure, or simply pointed out that already insecure state of your house?”
You have [edit]made my house less secure[/edit] put my house at greater risk of burglary if you announce the fact my door is open on a mailing list any reasonably educated person knows is frequented by criminals hoping to break into houses. How you do not realize this is beyond me, and others. Responsible disclosure of my door’s position would be to call me, and only me.
“what about those who disclose for money (ZDI, iDefense, etc.)”
Their title depends on how their information is handled. If they disclosed for money and say; “I don’t care what happens to the information now that I’m paid”, they’re criminals. If they disclose and insist the information is handled responsibly after they get paid, they’re researchers. The money has nothing to do with it since we all get paid somehow.
@Wanderer:
“So it’s the position of Verizon that those at fault for security issues are people who find the holes, not the software authors who wrote and sold the flawed product for cold, hard, cash?”
Not what we said at all. A developer doesn’t likely hold any of the titles we referred to, and isn’t claiming to. Our issue is with your idea that “Security Researchers find these flaws and hold the vendors accountable in the public eye.”
Do you really believe that everyone disclosing a vulnerability is holding the vendors accountable? Do you really believe the vast majority of the public would be happy with how things worked if it was explained to them? We don’t. When you hold a vendor accountable in the public eye, you are forcing the vendor and public to pay attention to your issue. You’re insisting it is the most important issue they must deal with at the moment, a moment convenient to you but not necessarily to everyone else concerned. That’s where the term “narcissistic” comes from, derailing everyone else from whatever they’re doing to pay homage to your accountability exercise. Fact is, irresponsible disclosure occurs when the discoverer feels like it, feels spurned by the vendor, or just gets fed up waiting…none of which appreciate the public’s situation.
Consider this. You discover a gaping vulnerability that could allow any criminal to get in on a whim, but as far as you know nobody is exploiting it. If you told the vendor and did nothing else, have you changed risk? No. If you told the world would risk change? Yes.
Case A: Full and immediate disclosure
You tell everyone all you know. Those who hear you may be able to protect themselves (let’s assume you told them how they can.) Many will not hear you, and will likely remain vulnerable. The Vendor hears you, and starts working on a fix. Criminals hear you, and start working on exploiting anyone who is still vulnerable. How many people will be compromised?
Case B:Disclosure only to the Vendor
You tell only the vendor and wait for a fix. Meanwhile, a huge worm started rampaging the Internet an hour ago, and you realize it’s exploiting the vulnerability you discovered. You publish all you know, and within hours the situation is exactly the same as Full and immediate disclosure. How many people will be compromised? Some more? Lots more? Remember, the majority of the public with the vulnerability never heard you.
Even situations where you know criminals are already exploiting a vulnerability don’t benefit from Full and immediate disclosure. How many criminals already know? How many are actively exploiting? Will that increase by disclosure? How many people with the vulnerability hear you? You have no control over that. How many will never hear you, but only ever download a patch (as opposed to take some corrective action on their own?)
Claiming that you are giving the few people who are hearing you the tools they need to secure themselves is always at the expense of the rest of the people who don’t hear you. You get kudos from those that hear you, but those that don’t get the grief. See how the term “narcissistic” is so spot on again?
@Anonymous:
“Believe it or not, the public has a right to know when they are at risk.”
Hahahaha…I just love how the “right to know” is always thrown in. The public has an equal, and I would argue greater, right to believe everyone will act responsibly. Besides, I don’t hear very many in the public demanding to know how to exploit vulnerabilities. You’re trying to say; “I have a right to tell the public, because they have a right to know!” Hardly the same thing.
@SneakySimian:
“Apparently I’m a criminal when my job is legal penetration testing.”
No, you are responsibly performing your job, unless of course you post the results of your pen-tests to Full Disclosure.
“In the scientific community, researchers are the ones who find and disclose their results of a new quark or a new cancer treatment or whatever.”
Scientific discoveries are accepted according to how responsible the research has been. There are thousands of “cures for cancer” on the Internet…how many passed scientific peer review and responsible field trials? The rest, arguably, could be seen as snake oil and treated with derision for their irresponsible attempt to create false hopes. Do it right, or don’t bother.
Posted by: Russ Cooper on April 26th, 2010 at 8:22 pm
“It’s a fact that far more exploits occur against publicly announced vulnerabilities than vulnerabilities not previously known, so how does one explain this?”
Who’s more popular: Lady GaGa or Dragonette? Who has more advertising: Lady GaGa or Dragonette?
Your question is a moot point entirely. Of course more exploits occur against publicly announced vulnerabilities– because they’re advertised. So what? This argument is akin to the justification of anti-gun legislation. Has the act of making guns illegal in Great Britain rendered gun violence irrelevant? No– it’s still an issue, because guns aren’t the problem.
In the same regard as a gun is used to shoot something and atypically used to kill, a well-crafted vulnerability package exists to run unexpected code on a machine and atypically used for criminal means (where criminal here is in the pure technical sense). If the vulnerability isn’t advertised, someone who wants to find a vulnerability WILL find a vulnerability and USE the vulnerability for their own means– that just means it’s not going to be used as widely.
What I believe you’re trying to say that ultimately applies to my analogy is this: you shouldn’t sell guns to criminals. Like guns, there’s an underground market and an above-ground market. In the above-ground market, you have checks and balances– criminal background checks, for example. But that of course doesn’t exist in the underground market. The existence of these two markets causes the bad guys to still get guns, even though there’s a system of checks and balances for people who want guns for legitimate purposes.
This is one reason why “don’t tell the whole world the vulnerability” is unreasonable. There is absolutely no way to determine whether or not someone who receives vulnerability information is a criminal. Setting up a private mailing list for full disclosure will not work– white-hats masquerade as black-hats all the time. Plus, if a vulnerability exists, the bad guys will find it. Thus, no matter the situation, no matter what semblance of checks and balances you put in place– and much like guns– the bad guys will always get them.
Here’s why the gun analogy eventually fails: there’s not really a patch for guns. You can’t exactly apply a “Bullet Patch” to prevent yourself from being shot in the head by a criminal who wants to murder you. Additionally, a gun doesn’t really have an army of engineers behind it– probably just a few guys behind the assembly line. Unless the assembly line breaks down completely, a defect usually only affects a single gun– otherwise, it affects a batch of guns. And the batch of guns only harm the person who attempts to fire the gun rather than by a remote party– unlike vulnerabilities.
This leads me to this quote:
“You have made my house less secure if you announce the fact my door is open on a mailing list any reasonably educated person knows is frequented by criminals hoping to break into houses. How you do not realize this is beyond me, and others. Responsible disclosure of my door’s position would be to call me, and only me.”
This “door” analogy is not only a strawman argument but an invalid analogy as well. Reporting a vulnerability is not like reporting someone’s door is open. Reporting that someone’s door is open is a personal thing– that open door affects a single person or a single family and thus should be reported to that single person. This is not how vulnerable software works.
For the door analogy to work, there would need to be a universal flaw that exists in the door– such as a brand of hinge that would have been affected by a bad batch in an assembly line. If you noticed a brand of hinge was vulnerable to, say, a screwdriver attack, telling every household you discover that has the hinge would be a waste of time– you would not be able to cover every household in a reasonable amount of time. Not only that, but there’s a potential for the criminal to discover the flaw in the same amount of time you’re busy reporting it to everyone who is affected. The only way to inform the public who MAY be affected by this door vulnerability would be to tell the public as a whole.
This is another reason why “don’t tell the whole world the vulnerability” is not only unreasonable but irresponsible as well. (It’s also why this door analogy was silly from the start.) This flaw affects the people who use the door– and DOES NOT AFFECT THE PRODUCER in any way EXCEPT for public relations. Hence, a disclosure of a vulnerability for the sake of preventing the most damage from occurring should happen like this:
* Researcher discovers vulnerability in universal door hinge.
* Researcher goes to producer to report universal door hinge issue. From here, three paths can happen:
1. Producer fixes flaw and coordinates disclosure of issue to customers as to allow them to get a new, fixed hinge, preventing criminals from breaking into their home. Criminals who just so happen to use these types of hinges are thusly informed of the vulnerability– but if they’re informed, so are the rest of the customers, diminishing their ability to break into homes using this flaw.
2. Producer acknowledges flaw, but never fixes it. For the sake of public safety, the researcher informs the public as a whole of the vulnerability, giving them the information they need in order to mitigate the vulnerability themselves. Criminals pick up on the information and learn how to break into homes with these types of hinges. A fix is finally issued after the full disclosure and people’s houses are broken into.
3. Producer refuses to fix the flaw and potentially threatens legal action in the event that the flaw is publicized, the researcher is then silenced. Criminals do not know about the information on the flawed hinge. Eventually, there is a possibility a criminal does discover this flaw and begins quietly breaking into homes for unknown reasons, potentially leading to a surprising epidemic of break-ins by the flaw. A fix is finally issued after the producer is berated both by the media as well as by their customers.
Thus, this door argument is flawed and biased in favor of the companies who created the vulnerability in the first place. The entire point of full disclosure is to protect the users of the vulnerable software and has absolutely no interest in protecting the companies who created the vulnerability in the first place.
In conclusion, you’re asking security researchers to disclose vulnerabilities to vendors to protect THE VENDOR’s interests, rather than the interest of their CUSTOMERS, which is what the researchers are trying to do in the first place. That’s irresponsible disclosure.
This is why no one is “understanding” this argument: it argues in favor of the COMPANIES who are LEAST affected by the issue, not in favor of the PEOPLE who are MOST affected by the issue. Thus, it’s a misguided argument that does not acknowledge the issues at hand.
Posted by: Anonymous on April 26th, 2010 at 11:46 pm
I’m not always comfortable with how some things are done in computer security, but I wanted to add a couple of thoughts that I have on this post.
First, you’ve laid out your opinion on the burden of responsibility that security researchers have. However, I don’t see the responsibilities of software companies being assigned. If the researcher is required to act in a way that improves security (by your definition of improve), what are the responsibilities of the software companies?
Second, if these companies decide to ignore vulnerabilities provided to them by researchers, what is the next appropriate step to improve security? I really hope the response isn’t that the customer takes the beating until they decide to try another company’s product and hope that it has fewer vulnerabilities that cause them pain.
Last, was your intention to just make people angry or make a real point? You’ve tried very hard to associate anyone who handles a vulnerability in any way that you don’t like to a pimp, a thief, a criminal or a terrorist. And you’ve done nothing to define what a “good guy” researcher could do to improve security.
You’ve pointed out a (probably legitimate) issue, but provided no solution. I’m not sure if that makes this post a “Problem-maker”, but it certainly isn’t a “Solution-maker”.
And so I am not accused of ranting about an issue but providing no solution, here are a couple of ideas that might have made this post more useful.
– Avoid assigning blame/responsibility to one party in the issue without doing the same for the other party.
– If you have an issue with disclosure, propose a better alternative.
– If you want to be taken more seriously, do less name calling. Particularly if the previous two points are skipped.
Posted by: Jason on April 26th, 2010 at 11:56 pm
[edited out speculation that this post had something to do with Verizon software getting pwned. This post had absolutely nothing to do with anything like that.]
It’s a fair point about the openness of information, especially in security, so that people are aware of the risks involved with the technology. It’s also fair to say that publicly posting these things will increase the risk involved in these vulnerabilities. This article however was obviously posted by someone throwing a temper tantrum. It got a lot of traffic because it riled people up at your being flat out ignorant and one-sided in the argument.
The vulnerabilities associated with the md5 hash were published along with tools to do it yourself. This however was not considered an issue, because in showing the details of the attack people were able to realize that it was only useful under certain conditions, and not nearly as universal as the layperson believes when they heard that md5 was “broken”. There are attacks for hijacking facebook quickly and easily that I think needs to be more publicized because the company simply doesn’t care for how rarely it’s exploited, and that’s just wrong. Sharing information with people allows them to know exactly how they’re vulnerable, and what they can do to avoid an attack until it is properly thwarted.
The point here is that there are two sides to the coin, and just because you’re on the side that keeps calling tails every time, doesn’t mean that’s the only good outcome.
Posted by: Martin on April 27th, 2010 at 1:22 am
This post appears to have two major assumptions that appear to be unfounded.
The first assumption is with the level of risk associated with different disclosure methodologies. Exploits for non-disclosed vulnerabilities are often generated through patch analysis once the patch is released, so regardless of disclosure method, once a patch is released it should be assumed that an exploit is available. So, removing the fact that once a patch has been released, everyone who has not patched is considered vulnerable, you are left with two scenarios: a few people (those that have found the vulnerability, potentially including criminals and nation states) able to compromise anyone for a long period of time (years), or a lot of people able to compromise those that don’t implement a workaround for a short period of time (days). I would consider case two less risky to both our critical infrastructure, and the public in general. This is primarily due to the time difference involved, and the fact that you can mitigate risk if you know about it (which anyone serious about security should, as they should be monitoring these types of things).
The second assumption is that a vendor is the best person to perform a risk analysis of a vulnerability. The vendor has different priorities and drivers than the consumer, such as how much a vulnerability costs to fix. An outside party does not care how much it costs to fix and therefore that cost is not part of the risk analysis process, allowing an outside party to more effectively perform a risk analysis of a vulnerability. A vendor also cannot perform a risk analysis for all the parties using their product, only those parties fully understand the impact of the vulnerability. Therefore, by providing those parties with the full information, including workarounds, they are better able to perform their own risk analysis and implement mitigating controls if required.
These two assumptions clearly sway the writer into deciding that some public disclosure policies are irresponsible, where I believe that public disclosure is often responsible, and needed, if done correctly.
Posted by: niconz on April 27th, 2010 at 1:43 am
Announcing a previously unknown vulnerability prior to notifying the vendor clearly increases risk. You are right in calling a spade a spade. I support your endeavor!
Posted by: edca on April 27th, 2010 at 7:32 pm
Perhaps we also need to categorise vendors:
Good vendors – don’t release security flaws
Responsible vendors – fix security flaws as soon as Security Researchers tell them
Cheap vendors – fix security flaws only when embarrassed by Narcissistic Vulnerability Pimps
tOM
Posted by: TomTrottier on April 29th, 2010 at 2:56 am
The person who actively looks for bugs, and when they find a bug do not consider reporting it to the software vendor, news agencies, or users because they want to exploit the bug as long as possible is a criminal.
Like Virus writers, I don’t think society has found severe enough penalties for these people.
Someone who actively or accidentally finds a bug, and goes straight to the press is being your NVP. The criminals will learn about the bug faster than the vendor can fix the problem.
Someone who actively or accidentally finds a bug and goes to the software vendor to work with them to fix the bug is not an NVP.
This person might contact the vendor support and be told they can not report a bug because they have not bought support.
If they get the bug reported, the vendor may say they will fix it right away in 3 years.
They may need to resort to threats like “I am telling the world in 3 months, I hope you have it fixed by then”.
At this point I call these people Security Researchers, or saints, but not NVP’s.
Posted by: bgbeuning on April 29th, 2010 at 10:42 pm
I have to wade in here. So many of the comments are completely wrong; but I do empathize with their frustrations and perspectives.
We have all dealt with the ISVs (independent software vendors) that hate security people and are a PITA to deal with. Heck – some even threaten you. I get it.
I got to recording conversations with ISVs on security issues when I used to do vuln disclosure years ago, because I had two ISVs call my clients and tell them I was blackmailing the ISV. Simply because I tried to get them to agree to RFP’s old disclosure guidelines. (I also worked with some great vendors, like Nokia, on 0days.)
However, the author of the article is very correct, especially in the world of web security. The bad guys don’t always know the vulns.
We (WhiteHat Security) discovered a zero-day in .NET a few years ago, and found MS already knew and promptly issued a fix/patch. It mostly worked, but then we found a new way to bypass it late last year. So I know of about 300 major business websites off the top of my head vulnerable to significant attack vectors here. My estimates are that at least 10% of .NET sites in the world are vulnerable, maybe as high as 50%.
We have been working with MS slowly to ensure the quality of the fix while minimizing impact to production websites (our customers, MS customers, sites you use). MS has been stellar to work with ( and no, MS is not a customer of mine).
To date:
* We have found only *one* other person on the planet who knows about this 0day... who is internal to MS.
* Nobody in the world has disclosed/published the issue, which has been around for *YEARS*. And we all know every Vuln-Pimp on the planet would publish a .NET ’sploit in an instant if they had one in hand.
* Nobody can find any examples of attackers exploiting this issue in the wild. Otherwise the way it is handled would be far different.
If we had published this, the effect on .NET sites on the Internet would have been entirely net-negative. As it stands, most of the world will get a fix and will probably never know about the issue. If exploits show up in the wild, I believe MS will do the right thing, notify people, and give mitigation & remediation workarounds. But that didn’t happen.
I used to believe in aggressive disclosure, and I don’t any more.
Knowledge = power. To exploit and to protect. The bad guys are not always ahead of the good guys, and in this case, controlled application of knowledge of this issue has enhanced the power to protect. Sorry. This is:
Controlled 0day Protectors = +1
Vuln Pimp FD-Lovers = 0
Ciao,
-ae
Solipsistic Software Security Sophist
Posted by: Arian Evans on April 30th, 2010 at 4:57 am
LOL. In other words, “Please don’t tell anybody how insecure the private systems are.” Do you know how the open systems are so secure (yes, superior to any corp. system)? That’s because there are a lot of people testing and improving the systems, and you must know that nobody pays the “Narcissistic Vulnerability Pimp”; every discovery of gaps in the security just demonstrates that the closed systems are too difficult and expensive to maintain, and obviously insecure.
Posted by: Jairo on April 30th, 2010 at 5:47 pm
Laughs: Redefining “Security Researcher”…
Got a kick out of this Verizon Business Risk Intelligence post: “Problem-makers and Solution-makers should no more have the same label as terrorists and engineers. Sure, they both interact with explosives in their daily business but they put their skil…
Posted by: ESET ThreatBlog on May 1st, 2010 at 10:59 am
So you are saying that Security by Obscurity is real security?
Posted by: Griff on May 4th, 2010 at 7:52 pm
Wade, you need to juxtapose this position with the concept of vendor responsibility as well, because until you do, you can’t legitimately complain about the pimps.
Case in point: Apple. I love Apple products and I am a classic Mac fanboy, but I entered into this relationship with the expectation that Apple is doing little or nothing in the way of responsibly managing the security of their products or protecting me. They rely on security by obscurity, they assume no responsibility for vulnerability remediation timelines, and they live off a false perception that Mac is a more secure platform, when it clearly isn’t.
So when one of your narcissistic pimps exposes their weaknesses, I look at this as an opportunity for Apple to come clean and fix their flaws, and not as someone who is out seeking glory, money (or both) at my expense. The reality is, we don’t spend enough time in our code, security is often relegated to an afterthought at best, and Apple is getting rich off of a lie.
Posted by: Krycheq on May 4th, 2010 at 9:17 pm
Although releasing information increases risk on one hand, it reduces it on the other: people are more alert and are able to find workarounds against the threat even before a patch is out, whereas if the information were not disclosed it would equate to an unpatched zero-day bug in the hands of unknown attacker(s).
Posted by: Avri on May 5th, 2010 at 6:57 am
Pimpin’ for life I guess…
The preponderance of anecdotal evidence cited here has to sway opinion. With so much unquantifiable hearsay how could anyone disagree?
I think it’s a well established fact that software is insecure. Security researchers get no compensation for their disclosures in general. WhiteHat Security and other commercial providers at least get paid by customers to do research. The rest of us do it as a hobby, and so recognition is the only reward. Anyone who has danced back and forth for months, or years, with a vendor, trying to get them to take a vulnerability seriously, has to appreciate the power of full disclosure.
I have to contest the fact that the researcher is irresponsible when the software manufacturer is ultimately the one who is responsible for producing, selling, and distributing a product with defects. Silencing researchers certainly does help to hide the dirty laundry – that much is verifiable. If vendors are so concerned about this problem why don’t they devote internal resources to the problem? If a single researcher can find the issue in their free time a team of internal testers with access to source code and tools could certainly do a better job. What’s that you say? Creating such a team would cost money? Well, there, you’ve hit upon the real issue – cash, not self promotion or responsibility.
Posted by: Mad Irish on May 6th, 2010 at 7:44 pm