Dailydave mailing list archives
Re: Re: What is the state of vulnerability research?
From: security curmudgeon <jericho () attrition org>
Date: Sun, 19 Feb 2006 03:50:44 -0500 (EST)
: Again, I mis-communicated my point.... so I shall expand, and hope I
: stimulate another fantastic rebuttal, maybe from jericho again?

Count on me! And please, don't take my previous comments as an attack on you personally. Well, maybe 0.05% =)

A lot of what I said is pent up frustration in having to read, digest and often correct/follow up on a ton of disclosure issues for years. The curse of helping to maintain a VDB is that you have to rely on thousands of people, some very bright, some very unaware/inexperienced (or any other PC term for 'dumb'). That builds up and causes a world of grief and extra work that shouldn't be required if the masses are doing a baseline level of 'adequate research'.

: Mitre's customers are large defence organisations
: Mitre wish to be at the forefront of the IT security scene, in the amount of
: information they hold at least....

While true, one thing to consider about this. I am not taking sides on this part of the debate, just bringing up another aspect. Mitre's "customers" also include you and me, not just defense organizations. Mitre gets funding from the US Government, which means American tax payers fund it to a degree. CVE is widely adopted and used by people and companies all over the world, whether we like it or not. Until something better comes along, supporting them isn't a bad idea.

: >1) What is the state of vulnerability research?
: A Normal Question... Which will have a standard answer... 'crap'
: >2) What have researchers accomplished so far?
: Normal Question.. again... 'tip of the iceberg'
: >3) What are the greatest challenges that researchers face?
: Normal Question... disclosing without facing prosecution etc etc etc
: >4) What, if anything, could researchers accomplish collectively that
: > they have not been able to accomplish as individuals?
: Normal Question.. see above
: >5) Should the ultimate goal of research be to improve computer
: > security overall?
: Excuse me? how much does this _potentially_ tell about the answering
: researchers' ethics? Otherwise this should always be a 'YES' answer - no?
: >6) What is an "elite" researcher? Who are the elite researchers?
: Normal Question followed by a direct information gathering question that
: should be answerable only by those who follow / lead...
: >7) Who are the researchers who do not get as much recognition as they
: > deserve?
:
: AGAIN.... why are they asking questions like these....

Here is where I will agree with you. I have already mentioned in email to Christey that I felt the questions were a bit vague. His response was very well reasoned and I understand why the questions were worded as they are. It led me to realize that very broad questions like this may lead to more free style responses, where more specific questions may paint someone into a corner whether they realize it or not. The downside to the current questions is that some people may not be willing to spend the time to answer them thoroughly.

: Yes - I'm a cynic.... however, what purpose do the answers of the questions
: answer, except to answer the underlying question:
: 'Who should we look at more closely in the future?'

This is an interesting conclusion and one I don't agree with, but again, this is likely due to working with a VDB for some time and having steady dialogue with Christey and several other VDB folks. Consider this: If the purpose of a VDB like CVE (or any other) is to track all vulnerabilities disclosed, why would they care about who to look at more closely? Shouldn't they be looking at everyone equally?

: Sure, it's absolutely fine to disclose a 0-day for any random piece of
: software... but do it for Oracle / Wind0ze.... look what kind of
: backlash researchers receive. It really does appear that the ability to
: be neutral has disappeared and everyone is taking sides.... the choice is
: not necessarily the issue, but the question that rarely seems to be
: raised before choosing is "to what degree do we hold 'perfect
: information' regarding the use of the information"?

And all of this falls under what Etaoin Shrdlu mentioned as a risk to researchers, which you expand on here. This will continue to be a problem for a long time I bet, as some companies will frown upon all facets of research/disclosure until they finally get it(tm).

: Exactly whose definition of 'public interest' do you mean to serve?
: 'slouch towards legitimacy'? Excuse the security scene for being the
: bastard son of Bill Gates et al.

Some could argue that it's more the bastard child of vendors like Sun and IBM before Microsoft =)
Current thread:
- What is the state of vulnerability research? Steven M. Christey (Feb 16)
- Re: What is the state of vulnerability research? MindsX (Feb 16)
- Re: What is the state of vulnerability research? security curmudgeon (Feb 16)
- Re: What is the state of vulnerability research? Thomas Pollet (Feb 18)
- Re: What is the state of vulnerability research? security curmudgeon (Feb 16)
- Re: What is the state of vulnerability research? Etaoin Shrdlu (Feb 18)
- Re: What is the state of vulnerability research? security curmudgeon (Feb 21)
- Re: What is the state of vulnerability research? foofus (Feb 22)
- <Possible follow-ups>
- Re: What is the state of vulnerability research? Steven M. Christey (Feb 16)
- Re: Re: What is the state of vulnerability research? MindsX (Feb 18)
- Re: Re: What is the state of vulnerability research? jnf (Feb 21)
- Re: Re: What is the state of vulnerability research? security curmudgeon (Feb 21)
- Re: Re: What is the state of vulnerability research? MindsX (Feb 18)
- Re: What is the state of vulnerability research? Steven M. Christey (Feb 22)
- Re: What is the state of vulnerability research? MindsX (Feb 16)