Two infosec veterans weigh in on Full Disclosure

Marcus J Ranum (MJR) says (http://www2.csoonline.com/exclusives/column.html?CID=28072)

“After 10 years of full disclosure, security has not gotten any better”.

First off, how would we know what security would have been like without full disclosure? Perhaps it could have been said that security would have gotten exponentially (or even linearly) worse. In which case, statements like “security hasn’t gotten any better” and “the number of vulnerabilities is pretty much constant” would imply that full disclosure works? But, wait, that presupposes that only one factor contributes to the state of security – which is a logical fallacy as well. Hmmm, ok. I can’t draw any logical conclusions here. Let’s go to Bruce’s argument.

Bruce says: (http://www2.csoonline.com/exclusives/column.html?CID=280723)

“Bugs exist whether or not they are disclosed in a public forum. Vendors are more responsive when it could cause bad PR. Public disclosure forces vendors to more quickly fix flaws which makes systems more secure”.

Bruce’s argument logically implies that with full disclosure we have a *potential* for better system security. Unfortunately, we can’t measure the rate at which these fixes actually get deployed and we can’t measure the rate at which crackers use publicly disclosed bugs to exploit unpatched systems. So, at the end of the day, I can’t say whether or not public disclosure actually helps the end user. I can say that public disclosure at least creates a Potential ™ for better system security….and, that’s something.

A good portion of MJR’s article is devoted to the lambasting of security researchers. Some quotes:

‘For longer than a decade, we’ve lived under the mob rule, where for some security consultants and companies, “marketing” has been replaced by “splashily announcing holes in commercial products to get 20 seconds of fame on CNN.” ‘

‘Now that we can look back at 10 years of what disclosure has brought us, it’s brought us…well, nothing much. Nothing much, that is, except a grey-market economy in exploits, where independent “vulnerability researchers” attempt to cash in by finding new attacks that they can sell to security companies or spyware manufacturers—whichever bids higher. Nothing much unless you count the massive amounts of “free” marketing exposure for companies that trade in exploits.’

‘The state of ethics in the computer security industry is pathetic; it’s on par with where medicine was in the 1820s—except that some of the snake-oil salesmen in the 1820s actually believed in their products.’

‘Those of you who are playing the disclosure game are just playing for your two minutes of fame: You’re not making software better. Sure, some of you work for consultancies and startups, and it saves you a ton of money by not having to have a marketing budget, but isn’t shouting “fire!” in a crowded theater so…um, ’90s? I know that the typical security customer is (to you) an unsophisticated rube, but that does not justify you placing them at increased risk just so you can publish a new signature for your pen-testing tool or get your funny-haired “chief hacking officer” on CNN one more time. ‘

‘Unfortunately, if you look at the last 10 years of security, it’s a litany of “one step forward, one step back,” thanks in part to the vulnerability pimps, parasites and snake-oil salesmen who flocked into the industry when they smelled money and a chance to get some attention. ‘

I think I see a little bias creeping in here and perhaps even a bit of hypocrisy.
Marcus abhors the hacker/security-researcher type. I don’t know if he hates that they are getting attention that is undue, that they are making money off the attention, or that he isn’t getting the attention that he once did. At any rate, it’s getting damn old. The guy that shouts “fire” may very well be annoying. The guy that jumps up and down shouting “Hey, he’s shouting fire” is equally annoying.
In the past, MJR has been spot-on with his analysis. Now, his ‘analysis’ seems as much a PR-trolling rant as any of the mob that he is criticizing. And, let’s not forget that Marcus gets paid by a company that discloses holes in major products and perhaps benefits from the free ‘marketing’. I bet no one is inviting this motherfucker to the company barbecue ;-)

Anonymous

  • achtung

    I think this post is a bit personal and it shouldn’t be on securiteam.com blogs.. I have checked securiteam.com every day for a couple of years now; what I liked was the neutrality and the fact that all the information was never commented on, just a good place to find/post exploits, tools, etc.

    Bring back the old school securiteam or die like the rest! :P

  • Pingback: Alessandro "jekil" Tanasi blog

  • jp

    I agree with achtung. Especially, the last sentence about the company bbq was rather personal and childish, and has no logic behind it.
    MJR’s article was a bit rant-ish, and opinionated, but he kept his professional status, and I fully respect his opinions, regardless of whether I agree with him.
    The Full Disclosure game has changed to the point that it is about the fame, not about making the software more secure. It’s like a news reporter finding which airport is most vulnerable to smuggling a bomb, writing down how to do it, and putting it online.
    IMHO, the idea of Full Disclosure is necessary, but we need a better implementation such that the main idea is about securing software, not about finding vulnerabilities and 15 minutes of fame.

  • Administrator

    Ren and Stimpy are both our fictional satire characters, as well as a way for anyone to post anonymous posts. We don’t censor even when some choices we may or may not agree with are made as to language.