Several days ago, Rich Mogull asked a question that sparked a very interesting and passionate discussion. At about the same time, TechCrunchIT posted an unrelated article about the top 10 best hackers ever. Even though the two posts are not related at all, there are a few dots that connect them.
In my opinion, both posts are influenced by the Dan Kaminsky DNS vulnerability saga (disclaimer: I know a different Dan(iel) Kaminsky):
- Securosis (paraphrasing): Unless you are a bad guy, what good is served by releasing weaponized attack code immediately after patches are released, but before most enterprises can patch?
- TechCrunch: There are hundreds of thousands of hackers who you have never heard about, mostly because they never got caught, who went on to start companies and attain high positions within corporations.
I read and evaluated the TechCrunchIT post in the same light in which I read the tabloids' "top 10 diet tips / love secrets / ways to get rich / whatever" lists. Smile, move on, and forget.
Securosis has a good point. As for Rich's question (why?), the answer is simple: 'coz we are living in a material world... name recognition has its benefits.
IMHO, researchers who reveal the full details of the vulnerabilities they discover to anyone but the vendor do more damage than good. I believe that in some cases their intentions are good, but in other cases they do not understand the full consequences of their postings, and the overall result is negative (SQL Slammer, anyone?).
TechCrunch published a list of the 10 best hackers (in their opinion), glorifying some actions that should not be glorified. I personally know researchers who discovered vulnerabilities that would make your hair stand on end, but who never disclosed them to anyone but the vendor. Sure, no one gets the same amount of credit for an undisclosed exploit, yet I am confident that this is the right approach. But then, sometimes people do not get credit even for finding a vulnerability in the wild (SQL Slammer, anyone?).
When companies are involved, and especially a company with its own security research team, it is more complicated, since the value of the credit goes beyond 'simple' name recognition. It also serves as "proof" that this research team is better than the others and then, by natural extension, that company A is better than company B and all of its other competitors.
My personal opinion is that vendors should be notified first, and once they release a patch, credit can be given to the researchers. For open source applications, or applications without a recognized owner (are there any?), disclosure can be coordinated through CERT. At Imperva we follow this policy: our own Application Defense Center (ADC) researchers regularly discover vulnerabilities in databases and web applications; the details are provided to the vendors, and protections are implemented within SecureSphere.
Some would argue that disclosing vulnerability details is a good thing: it forces vendors to deliver a patch for an existing vulnerability before the bad guys can silently exploit it. For example, Oracle fixed a zero-day in record time, and although the window of opportunity was open for 11 days, enterprises are NOW protected (unless, of course, they had our WAF). Others would add that it helps the 'other good guys' develop a solution. But, as you know, I think there is only one kind of good 0-day.
In short: full disclosure, where ALL the vulnerability details are revealed, is a bad idea from a security standpoint. I would like to see the community develop other methods of crediting the important work of security researchers.