Full Disclosure mailing list archives

RE: Security Industry Under Scrutiny: Part One


From: hellNbak <hellnbak () nmrc org>
Date: Thu, 7 Nov 2002 09:35:25 -0600 (CST)

I get flamed everytime I post to this list but here it goes anyways.

> * security advisories are rarely based on original concepts

Agreed.

There has been a lot of "XYZ found a vuln similar to this blah blah blah"
type advisories lately.  But, a vuln is a vuln is a vuln, is it not?

> And sometimes enough information for me to repeat the test and check if
> I'm also vulnerable.

Agreed.

> my clients' computers. They also help better

This isn't a shot at the author of this reply, but his comment about the
existence of tools helping him help his clients illustrates something
that lately has been making me sick enough to start rethinking things.

The problem isn't full disclosure.  The problem isn't the so called
white-hats.  The real problem is the armies of clueless "consultants" who
use lists like this one, Bugtraq, VulnWatch, etc. to give themselves more
fodder to swarm on corporate america with.  Half of these people are not
even taking the time to fully understand the issue.  New vulnerabilities
equals more money.  More script kiddie web site defacements equals more
money.  When did learning about technology drop from this picture?

Back in the day I remember using the mailing lists to learn about security
and, more importantly, to learn about how vulnerabilities are found and how
they affect various systems.  I had a lot of fun and I learned a lot.  Was
I a consultant trying to sell security?  No, I was an IT grunt just trying
to have some fun while paying my bills.  I have always supported
full-disclosure because I feel I have learned a lot because of full
disclosure and felt that others would too.  Unfortunately, this doesn't
seem to be the norm anymore.

Today, I am part of that army of security consultants and, as hard as it is
to look at myself in the mirror, I at least find comfort in knowing that I
still learn a lot from these lists and I still try and take the time to
understand the issues and not just take them and use them to try and sell
work.  Sure, I would rather not be yet another "security consultant" but
until I find myself a more respectable job that lets me continue with my
hobby it pays the bills.

> And what to do when they ignore you? The mechanics of "full disclosure"
> (or "posting to public forums" as you put it) is that vendors will not
> correct software problems just because they exist, but they'll do it to
> protect their image and reputation. Before "full disclosure" it wasn't
> strange to have a software company like Sun take years to produce a fix
> for a security bug. I don't want to go back to that dark age.

I think this issue is black and white.  Vendor ignores you, release
information on the vulnerability.  That does not, however, mean you release a
point-and-click script.

> That's what I'm doing, unfortunately positions like yours make my job and
> all of those in the security industry more difficult and more expensive,
> making sure that we'll have less, not more security.

Killing full disclosure will make security more expensive, I agree.
Without full disclosure we will see a bunch of companies selling their
zero days to the highest bidder which in the long run will not improve
security one bit.

I am asking myself what is worse, the clueless using
lists like this to get rich or companies at least paying those who can
find vulnerabilities a fat salary to then resell the vulns to their
clients.  I don't think either improves security.

I remember years ago people saying to be careful - "the security industry
is full of snake oil salesmen".  This has never been more true.  It makes
me puke every time I see some suit-wearing, fast-talking "expert" who can
barely use a computer but is armed with all kinds of "tools" and the
knowledge that the CXO knows less than he does.  The scary thing is,
consistently these guys will win the work because they talk a good game,
leaving organizations less secure than they were when they started.

Why doesn't someone sue a vendor?

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
