Perimeter
2/21/2012
06:44 PM
Mike Rothman
Commentary

Disclosure Clouded By Obscurity

Shockingly, the responsible disclosure debate rears its head once again, and amazingly enough some vendors still don't get it. Guess we'll never learn.

Every year or so the responsible disclosure philosophical battle heats up. Some researcher unleashes a zero-day exploit after a vendor buries the bug for months. Then everyone starts pointing fingers. The researchers call the vendors names. The vendors call the researchers other names. The echo chamber on Twitter echoes. And then business returns to normal, with some companies paying researchers for bugs and others sticking their heads back in the sand.

Brad Arkin rekindled the fire at a recent conference by making the (accurate) point that security research gives the bad guys a roadmap to do bad things. Of course, the retort is that the bad guys likely already have the roadmap, which may or may not be true.

Someone on Twitter made the point that fixing bugs is a cost of doing business for software companies, which cannot be argued. And given the 90 percent plus gross margins of the software business, it's hard to shed a tear for those folks. Yes, it's frustrating for Brad to be in the cat and mouse game. But I believe the ecosystem is stronger because you have _good guys_ doing research and sharing their findings, not just the bad guys using exploits, stealing data, and laughing all the way to the bank.

Unfortunately, obscurity remains the default mode for software vendors of all shapes and sizes. My pal Don Weber recently felt the repercussions of that when his Shmoocon presentation was canceled after a vendor objected to the content. As Don explained on his blog, he was going to talk about how to do security testing on smart meters, but alas at least one smart meter vendor didn't like that, so they put the kibosh on the presentation. To Don's credit, he hasn't thrown the vendor under the bus, even though their meters are clearly a steaming pile of fail.

Don's goal was to educate, not to cause harm to any of the vendors in question. The vendors felt threatened and did their best to bury the story. Smart grid buyers were able to stay blissfully unaware, continuing to write checks and life goes on. Don't let anything get in the way of the buying cycle, right? Here's the sad truth: software vendors need customers to stay dumb. Yes, that's harsh, but think about it. Smart customers are a huge liability. They want their stuff to work. They want value for what they pay for. They want their data protected. And they want bugs and security exposures to be fixed. Go figure.

Have you ever called a support desk and they were happy to hear from you? Has the VP of engineering from a software provider ever called you up to thank you for finding a huge bug that put all of their data at risk? No? Yeah, me neither. They want the problem to be yours. A faulty configuration. A stupid user. Or maybe you need more capacity, so they get sales involved and upsell. W00t!

If you haven't worked in a software company, let's be very clear that they don't want to hear about defects, bugs, broken capabilities, or security vulnerabilities. Like anyone else, they'd rather you call and tell them how great they are. What's disappointing is that some software vendors continue to shoot the messenger, on the eve of the message being delivered. They bury the message and pray their customers remain stupid. Do you think they'd threaten to sue a customer who finds a bug in some ERP vendor's General Ledger program? Of course not. They assess the defect and fix it. Or not. And leave the lawyers out of it.

Now, that's not an entirely fair characterization, because there are many enlightened software vendors out there who appreciate research, understand how it can help them make their products better, and routinely collaborate with the researchers throughout the process. Don points out some of the folks that were helpful to him. But far too many continue to hide behind lawyers and obscurity.

And it's going to get worse as we continue to embrace SaaS and cloud architectures and the like. Because a problem in the cloud (whatever that means) can spread like wildfire to every customer of a SaaS or cloud provider. One for all and all for one! Multi-tenancy is a wonderful thing, but done wrong it basically opens up not just one customer's data, but all of the customers' data. I can't wait to see the lawsuits flying when someone wants to show how to bust a SaaS application or a cloud provider at Black Hat.

Odds are the lawyers will prevail, no one will say anything, and we'll be further away from the New School, where we actually learn from each other's mistakes. A new generation of cloud/SaaS providers will make the same mistakes over and over again, and we'll continue to run all day and all night to stay in the same place.

You know who is happiest every time this responsible disclosure discussion happens? It's the bad guys. You think they like it when a researcher publishes a zero-day they already discovered and had been monetizing? Seems to me obscurity is better for the bad guys than it is for the good guys. Ah, that old law of unintended consequences.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...
