funsec mailing list archives

Re: Security research vuln pimps

From: Rich Kulawiec <rsk () gsp org>
Date: Mon, 26 Apr 2010 16:11:57 -0400

On Mon, Apr 26, 2010 at 09:18:04AM -0700, Hubbard, Dan quoted:
> If you tell the world about a flaw in operational software/hardware,
> you increase the pool of threat agents that know about it, increase
> the likelihood they will attack, and increase the chance they will
> be successful. All of this happens when you make the information known.

This is a whiney argument for purported security-by-obscurity, and it
completely ignores the possibility of independent discovery.  If person
A has studied piece of software X looking for vulnerabilities, then
persons B, C, D, etc. have done so as well...or will soon enough.  It is
only a matter of who will be successful, when they will be successful,
and what they will choose to do when they succeed.  There is no point
in pretending that B, C, D, et al. don't exist.  There is even less in
presuming that they're not as smart or diligent or clueful as A.

What really increases the likelihood of attack is bad engineering,
especially chronically bad engineering.  Because after vulnerability
#673 is found in piece of software X, it's a reasonable guess to presume
that #674 is there waiting to be found.  What increases the likelihood
of *successful* attack is using any of the dumb ideas (e.g., default permit,
enumerating badness) that we should all be avoiding like the plague.
And what exacerbates both are futile attempts to pretend that all of
this information can and should be kept secret.  It won't.  It can't.

Yes, I'm quite sure it's inconvenient for some people that the toothpaste
can't be stuffed back in the tube.  (It's been inconvenient for me on
occasion, too.)  But petulantly demanding that everyone else do it is a
non-starter.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.