Disclosure Clouded By Obscurity
Shockingly, the responsible disclosure debate rears its head once again, and amazingly enough some vendors still don't get it. Guess we'll never learn.
Every year or so the responsible disclosure philosophical battle heats up. Some researcher unleashes a zero-day exploit after a vendor buries the bug for months. Then everyone starts pointing fingers. The researchers call the vendors names. The vendors call the researchers other names. The echo chamber on Twitter echoes. And then business returns to normal, with some companies paying researchers for bugs and others sticking their heads back in the sand.
Brad Arkin rekindled the fire at a recent conference by making the (accurate) point that security research gives the bad guys a roadmap to do bad things. Of course, the retort is that the bad guys likely already have the roadmap, which may or may not be true.
Someone on Twitter made the point that fixing bugs is a cost of doing business for software companies, which cannot be argued. And given the 90 percent plus gross margins of the software business, it's hard to shed a tear for those folks. Yes, it's frustrating for Brad to be in the cat and mouse game. But I believe the ecosystem is stronger because you have _good guys_ doing research and sharing their findings, not just the bad guys using exploits, stealing data, and laughing all the way to the bank.
Unfortunately, obscurity remains the default mode for software vendors of all shapes and sizes. My pal Don Weber recently felt the repercussions of that when his ShmooCon presentation was canceled after a vendor objected to the content. As Don explained on his blog, he was going to talk about how to do security testing on smart meters, but alas at least one smart meter vendor didn't like that, so they put the kibosh on the presentation. To Don's credit, he hasn't thrown the vendor under the bus, even though their meters are clearly a steaming pile of fail.
Don's goal was to educate, not to cause harm to any of the vendors in question. The vendors felt threatened and did their best to bury the story. Smart grid buyers were able to stay blissfully unaware, continuing to write checks, and life goes on. Don't let anything get in the way of the buying cycle, right? Here's the sad truth: software vendors need customers to stay dumb. Yes, that's harsh, but think about it. Smart customers are a huge liability. They want their stuff to work. They want value for what they pay for. They want their data protected. And they want bugs and security exposures to be fixed. Go figure.
Have you ever called a support desk and they were happy to hear from you? Has the VP of engineering from a software provider ever called you up to thank you for finding a huge bug that put all of their data at risk? No? Yeah, me neither. They want the problem to be yours. A faulty configuration. A stupid user. Or maybe you need more capacity, so they get sales involved and upsell. W00t!
If you haven't worked in a software company, let's be very clear that they don't want to hear about defects, bugs, broken capabilities, or security vulnerabilities. Like anyone else, they'd rather you call and tell them how great they are. What's disappointing is that some software vendors continue to shoot the messenger, on the eve of the message being delivered. They bury the message and pray their customers remain stupid. Do you think they'd threaten to sue a customer who finds a bug in some ERP vendor's General Ledger program? Of course not. They assess the defect and fix it. Or not. And leave the lawyers out of it.
Now that's not an entirely fair characterization, because there are many enlightened software vendors out there who appreciate research, understand how it can help them make their products better, and routinely collaborate with the researchers throughout the process. Don points out some of the folks that were helpful to him. But far too many continue to hide behind lawyers and obscurity.
And it's going to get worse as we continue to embrace SaaS and cloud architectures and the like. Because a problem in the cloud (whatever that means) can spread like wildfire to every customer of a SaaS or cloud provider. One for all and all for one! Multi-tenancy is a wonderful thing, but done wrong it basically opens up not just one customer's data, but all of the customers' data. I can't wait to see the lawsuits flying when someone wants to show how to bust a SaaS application or a cloud provider at Black Hat.
Odds are the lawyers will prevail, no one will say anything, and we'll be further away from the New School, where we actually learn from each other's mistakes. A new generation of cloud/SaaS providers will make the same mistakes over and over again, and we'll continue to run all day and all night to stay in the same place.
You know who is happiest every time this responsible disclosure discussion happens? It's the bad guys. You think they like it when a researcher publishes a zero-day they already discovered and had been monetizing? Seems to me obscurity is better for the bad guys than it is for the good guys. Ah, that old law of unintended consequences.
Mike Rothman is President of Securosis and author of _The Pragmatic CSO_.