Dailydave mailing list archives

Re: Re: What is the state of vulnerability research?


From: jnf <jnf () nosec net>
Date: Sat, 18 Feb 2006 12:23:10 -0800 (PST)

5) Should the ultimate goal of research be to improve computer
  security overall?
Excuse me? How much does this _potentially_ tell about the answering
researchers' ethics? Otherwise this should always be a 'YES' answer - no?

Duh, fixing computer security means most of you folks wouldn't have jobs
anymore, and we've proved time and time again that this industry is more
concerned with FUD/mass hysteria/the corporate bottom line, than actual
security.

Don't kid yourself, releasing advisories and exploits doesn't protect John
Q who probably won't even patch his system, it empowers your greatest
money maker. If the goal was secure systems, then why on earth would most
networks be soft and mostly unpatched behind corporate firewalls?

Look at nearly every big group of people who started off as 'underground
researchers', how many of them now are arming generations of both 'black'
and 'white' hat idiots with little to no understanding of the tool they're
using in order to push up their bottom line by selling another
protection?

While this speaks volumes upon one's ethics as you suggested, I'm
suggesting that if more people answered honestly the answer would be 'no'.


The questions are part of a hidden motive of mine: to serve the public
interest (one of MITRE's Corporate Values, by the way [1]).

I am assuming this means that public interest trumps the shareholders'
bottom line.

