< On Large Companies and Staff Retention | Avoid Cross-Site Tracking with Stainless.app (and others) >
Verizon's Wade Baker (with assistance from Dave Kennedy, who I will refer interchangeably to as with Wade, Dave or Verizon) published a post claiming that vulnerability/security researchers are given too much leeway, and are closer to criminals than good guys. He suggests they should rather be called "narcissistic vulnerability pimps" (NVPs) in future. Dan Goodin got some clarification when writing his piece for The Register which expands on some of Verizon's motivations and justifications.
While I think I identify with part of his frustrations, he's wrong. Mostly due to an overconfidence in how vendors optimise for "shareholder value", but also because while scrabbling to paint vuln researchers as bad guys, he forgot about the actual bad guys.
Wade suggests three categories that could be used to describe security professionals, as they are neither exclusive, accurate or sufficient I'm going to ignore them. Instead, I'm going to try and distill what Wade believes is the problem, and his preferred approach while attempting to avoid the straw man.
Wade seems to believe that people who discover vulnerabilities, then publish them to the general public, whether after informing the vendor or not, are motivated predominantly by glory and not good intentions. The few motivated by good intentions, it seems, would also be labeled problematic by Wade (& Dave, as the quote is his) because:
[F]ull disclosure was never a good idea, even in cases, like Ormandy's dust-up with Oracle.
The alternative it seems Verizon would like to see, is that researchers who find vulnerabilities report them to the vendor and walk away. I'm assuming they'd allow for some follow up, but publishing the vulnerability publicly would earn you the NVP label. Once again a quote from Wade/Dave/Verizon/Dan Gooding:
"Apple has a responsibility to their shareholders and to their customers to deal with the vulnerabilities, and their shareholders and their customers can hold Apple's feet to the fire. They have their own ways of exerting pressure on Apple to behave in a way they think Apple should behave."
There's an obvious problem with Wade's approach; it isn't universalisable, and we have hard facts for that. There are many vendors who don't act on reported vulnerabilities as anyone who's ever submitted security flaws to vendors can tell you. David Litchfield has even waited a few years before eventually publishing Oracle vulns. Even if every vendor in existence responded to discovered flaws perfectly, there's no obligation for them to. If we look at the externalities pressuring them to action, sexy new features are going to please both shareholder and customers more. Those same customers and shareholders don't really understand this complex security mumbo jumbo, and so in the rare instances when they can patch a bug without at least one news outlet publishing a "OMFG there's a flaw in product X" the customers and shareholders still aren't going to fully appreciate the security fix. What's more, if a security fix prevents a customer from getting hacked, they will have no idea, and won't credit the vendor. The only time not deploying a fix will be a problem for the company is if a mass or high-profile public hack of their customers occurs. Given that most criminals don't like getting caught and that computer crime is hard to detect, that's a much rarer event than the actual occurrence of hacks. This is exactly why full disclosure came about, *in response* to the way vendors were ignoring bugs, to add another externality to drive them into fixing bugs.
This is where the difference between actual computer criminals and security researchers becomes important. Something Wade get's woefully wrong:
Have you ever heard of a terrorist referred to as a “demolition engineer?” How about a thief as a “locksmith?” No? Well, that’s because most fields don’t share the InfoSec industry’s ridiculous yet long-standing inability to distinguish the good guys from the bad guys.
The security researchers Wade is taking aim at are the one's who publish their work publicly (hence the addition of "narcissistic" I believe). But there are a whole whack of people who don't publish their work publicly, or to the vendor or even via vuln clearing houses like VDI (which eventually gets to the vendor). Wade doesn't pass judgment on them. Even those people aren't criminals. One could argue they aren't optimising for the public good, because an actual criminal could have found the same flaw and be privately exploiting it. They aren't criminals because they haven't committed a crime, or even harmed anyone. Actual criminals are people who either discover or buy flaws and then use them to (or have the intention to) commit a crime. This is the distinguishing difference between a thief and a locksmith, or a terrorist (an already loaded term) and a physical pentester. Their intention, and what they do with the information. One uses it to fix the hole, the other exploits it. This is why full disclosure exists, not the make money, but to encourage people to fix the holes, not exploit them. The fact that it can buy you a limited about of fame is a bonus because it provides an incentive to go public (one that pales in comparison to the hard dollars you can get via other means).
Finally, I do identify with parts of Wade's frustration with regards to people who either disclose without reporting to the vendor first, or hype a vulnerability way beyond it's actual risk. The first leaves the install base vulnerable with the exploit popularised, the second causes people to optimise resources poorly. There's room for updated research on vulnerability life cycles, to ensure the debate revolves around facts and not hypothesis. Either way, one should not be confused about which side those researchers are on. They are the good guys, their work could be used in far more evil ways, they do work the vendor isn't able/capable of. They make us safer, maybe not always in the best way, but in the end they make us safer.
Tracked: Apr 26, 01:59
It disgusts me whenever I think about the manner in which Geohot is be prosecuted by Sony. Unfortunately, there are number of journalists (with absolutely no concept of vulnerability research or security for that matter) determined to portray George as a
Tracked: Feb 13, 10:39