Perimeter
2/21/2012
06:44 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Disclosure Clouded By Obscurity

Shockingly, the responsible disclosure debate rears its head once again, and amazingly enough some vendors still don't get it. Guess we'll never learn

Every year or so the responsible disclosure philosophical battle heats up. Some researcher unleashes a zero-day exploit after a vendor buries the bug for months. Then everyone starts pointing fingers. The researchers call the vendors names. The vendors call the researchers other names. The echo chamber on Twitter echoes. And then business returns to normal, with some companies paying researchers for bugs and others sticking their heads back in the sand.

Brad Arkin rekindled the fire at a recent conference by making the (accurate) point that security research gives the bad guys a roadmap to do bad things. Of course, the retort is that the bad guys likely already have the roadmap, which may or may not be true.

Someone on Twitter made the point that fixing bugs is a cost of doing business for software companies, which cannot be argued. And given the 90 percent plus gross margins of the software business, it's hard to shed a tear for those folks. Yes, it's frustrating for Brad to be in the cat and mouse game. But I believe the eco-system is stronger because you have _good guys_ doing research and sharing their findings, not just the bad guys using exploits, stealing data, and laughing all the way to the bank.

Unfortunately, obscurity remains the default mode for software vendors of all shapes and sizes. My pal Don Weber recently felt the repercussions of that when his Shmoocon presentation was canceled after a vendor objected to the content. As Don explained on his blog, he was going to talk about how to do security testing on smart meters, but alas at least one smart meter vendor didn't like that, so they put the kibosh on the presentation. To Don's credit, he hasn't thrown the vendor under the bus, even though their meters are clearly a steaming pile of fail.

Don's goal was to educate, not to cause harm to any of the vendors in question. The vendors felt threatened and did their best to bury the story. Smart grid buyers were able to stay blissfully unaware, continuing to write checks and life goes on. Don't let anything get in the way of the buying cycle, right? Here's the sad truth: software vendors need customers to stay dumb. Yes, that's harsh, but think about it. Smart customers are a huge liability. They want their stuff to work. They want value for what they pay for. They want their data protected. And they want bugs and security exposures to be fixed. Go figure.

Have you ever called a support desk and they were happy to hear from you? Has the VP of engineering from a software provider from ever called you up to thank you for finding a huge bug that put all of their data at risk? No? Yeah, me neither. They want the problem to be yours. A faulty configuration. A stupid user. Or maybe you need more capacity, so they get sales involved and upsell. W00t!

If you haven't worked in a software company, let's be very clear that they don't want to hear about defects, bugs, broken capabilities, or security vulnerabilities. Like anyone else, they'd rather you call and tell them how great they are. What's disappointing is that some software vendors continue to shoot the messenger, on the eve of the message being delivered. They bury the message and pray their customers remain stupid. Do you think they'd threaten to sue a customer who finds a bug in some ERP vendor's General Ledger program? Of course not. They assess the defect and fix it. Or not. And leave the the lawyers out of it.

Now that's not entirely a fair characterization because there are many enlightened software vendors out there, who appreciate research, understand how it can help them make their products better, and routinely collaborate with the researchers throughout the process. Don points out some of the folks that were helpful to him. But far too many continue to hide behind lawyers and obscurity.

And it's going to get worse as we continue to embrace SaaS and cloud architectures and the like. Because a problem in the cloud (whatever that means) can spread like wildfire to every customer of a SaaS or cloud provider. One for all and all for one! Multi-tenancy is a wonderful thing, but done wrong it basically opens up not just one customer's data, but all of the customers' data. I can't wait to see the lawsuits flying when someone wants to show how to bust a SaaS application or a cloud provider at Black Hat.

Odds are the lawyers will prevail, no one will say anything, and we'll be further away from the New School, where we actually learn from each other's mistakes. A new generation of cloud/SaaS providers will make the same mistakes over and over again, and we'll continue to run all day and all night to stay in the same place.

You know who is happiest every time this responsible disclosure discussion happens? It's the bad guys. You think they like it when a researcher publishes a zero-day they already discovered and had been monetizing? Seems to me obscurity is better for the bad guys than it is for the good guys. Ah, that old law of unintended consequences.

Mike Rothman is President of Securosis and author of The Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report