Dailydave mailing list archives

Re: Re: What is the state of vulnerability research?


From: security curmudgeon <jericho () attrition org>
Date: Sun, 19 Feb 2006 03:50:44 -0500 (EST)


: Again, I mis-communicated my point.... so I shall expand, and hope I 
: stimulate another fantastic rebuttal, maybe from jericho again?

Count on me! And please, don't take my previous comments as an attack on 
you personally. Well, maybe 0.05% =)

A lot of what I said is pent up frustration in having to read, digest and 
often correct/followup on a ton of disclosure issues for years. The curse 
of helping to maintain a VDB is that you have to rely on thousands of 
people, some very bright, some very unaware/inexperienced (or any other PC 
term for 'dumb'). That builds up and causes a world of grief and extra 
work that shouldn't be required if the masses are doing a baseline level 
of 'adequate research'.

: Mitre's customers are large defence organisations
: Mitre wish to be at the forefront of the IT security scene, in the amount of
: information they hold at least....

While true, one thing to consider about this. I am not taking sides on 
this part of the debate, just bringing up another aspect.

Mitre's "customers" also include you and me, not just defense 
organizations. Mitre gets funding from the US Government, which means 
American taxpayers fund it to a degree. CVE is widely adopted and used by 
people and companies all over the world, whether we like it or not. Until 
something better comes along, supporting them isn't a bad idea. 

: >1) What is the state of vulnerability research?
: A Normal Question... Which will have a standard answer... 'crap'
: >2) What have researchers accomplished so far?
: Normal Question.. again... 'tip of the iceberg'
: >3) What are the greatest challenges that researchers face?
: Normal Question... disclosing without facing prosecution etc etc etc
: >4) What, if anything, could researchers accomplish collectively that
: >   they have not been able to accomplish as individuals?
: Normal Question.. see above
: >5) Should the ultimate goal of research be to improve computer
: >   security overall?
: Excuse me? How much does this _potentially_ tell about the answering
: researchers' ethics? Otherwise this should always be a 'YES' answer - no?
: >6) What is an "elite" researcher?  Who are the elite researchers?
: Normal Question followed by a direct information gathering question that
: should be answerable only by those who follow / lead...
: >7) Who are the researchers who do not get as much recognition as they
: > deserve?
: 
: AGAIN.... why are they asking questions like these....

Here is where I will agree with you. I have already mentioned in email to 
Christey that I felt the questions were a bit vague. His response was very 
well reasoned and I understand why the questions were worded as they are. 
It led me to realize that very broad questions like this may lead to more 
free style responses, where more specific questions may paint someone into 
a corner whether they realize it or not. The downside to the current 
questions is that some people may not be willing to spend the time to 
answer them thoroughly.

: Yes - I'm a cynic.... however, what purpose do the answers of the questions
: answer, except to answer the underlying question:
:  'Who should we look at more closely in the future?'

This is an interesting conclusion and one I don't agree with, but again, 
this is likely due to working with a VDB for some time and having steady 
dialogue with Christey and several other VDB folks. Consider this:

If the purpose of a VDB like CVE (or any other) is to track all 
vulnerabilities disclosed, why would they care about who to look at more 
closely? Shouldn't they be looking at everyone equally?

: Sure, it's absolutely fine to disclose a 0-day for any random piece of 
: software... but do it for Oracle / Wind0ze.... look what kind of 
: backlash researchers receive. It really does appear that the ability to 
: be neutral has disappeared and everyone is taking sides.... the choice is 
: not necessarily the issue, but the question that rarely seems to be 
: raised before choosing is "to what degree do we hold 'perfect 
: information' regarding the use of the information"?

And all of this falls under what Etaoin Shrdlu mentioned as a risk to 
researchers, which you expand on here. This will continue to be a problem 
for a long time I bet, as some companies will frown upon all facets of 
research/disclosure until they finally get it(tm).

: Exactly whose definition of 'public interest' do you mean to serve?
: 'slouch towards legitimacy' ? Excuse the security scene for being the
: bastard son of Bill Gates et al.

Some could argue that it's more the bastard child of vendors like Sun and 
IBM before Microsoft =)
