funsec mailing list archives

Security research vuln pimps


From: "Hubbard, Dan" <dhubbard () websense com>
Date: Mon, 26 Apr 2010 09:18:04 -0700

http://securityblog.verizonbusiness.com/2010/04/22/redefining-security-researcher/

This should cause some nice stirring of the proverbial pot.

Have you ever heard of a terrorist referred to as a "demolition engineer?" How about a thief as a "locksmith?" No? 
Well, that's because most fields don't share the InfoSec industry's ridiculous yet long-standing inability to 
distinguish the good guys from the bad guys. Perhaps we're just in one of those moods lately but it seems to be getting 
worse. It's far too easy for anyone who has anything to do with information security to be labeled (by themselves or by 
others) a "security researcher" without regard to their behavior. "Security Researcher Breaks This" and "Security 
Researcher Exposes That" say the headlines. Ugh; we really need to clean up our language. This begins with setting a 
few principles and regularly using more accurate descriptors in our publications and daily conversations.

Why does this matter? Well, it's a matter of principle: One is either part of the problem or part of the solution. 
Problem-makers and Solution-makers should no more have the same label as terrorists and engineers. Sure, they both 
interact with explosives in their daily business but they put their skills to vastly different uses. Is there a reason 
we must continue to label people by the elements of their trade rather than the merit of their deeds? We think not.

We at Verizon Risk Intelligence do hereby adopt and resolve to faithfully use the following definitions:

    * Security Researcher: One who studies how to secure things and/or how things are not secure in order to find a 
solution.
    * Security Practitioner: One who applies the findings of the Security Researcher in order to make things more 
secure.
    * Narcissistic Vulnerability Pimp: One who - solely for the purpose of self-glorification and self-gratification - 
harms business and society by irresponsibly disclosing information that makes things less secure (or increases risk).
    * Criminal: One who actively subverts security without authorization or deliberately creates ways for others to do 
so.

It's time to draw a line in the sand. If you too are tired of seeing criminals elevated to a podium of legitimacy and 
bestowed the same job title you possess, join us. We'd be grateful to have the company.

*****

Update: I put this as a comment but I felt it needed to go as an update to the main article. I enjoy (many of) the 
comments and healthy debate on this important topic...but please stop using analogies that compare the disclosure of 
software/hardware vulnerabilities to auto part defects and sharks in the water. Whatever your stance on disclosure, 
this line of logic simply does not apply. If you make known an auto defect or shout a warning to people about a shark 
in the water (I avoided a shark attack as a little boy because of this, btw), you DO NOT INCREASE THE LIKELIHOOD OF ATTACKS OR 
THEIR SUCCESS RATE. Other drivers will not start crashing into you at higher rate and more sharks will not swarm from 
across the ocean to attack you because of this knowledge/warning. You can deal with the vulnerability (defect/exposure) 
without an increase in the likelihood of attacks or incidents.

If you tell the world about a flaw in operational software/hardware, you increase the pool of threat agents that know 
about it, increase the likelihood they will attack, and increase the chance they will be successful. All of this 
happens when you make the information known. Therefore, risk is increased unless the problem is addressed beforehand. 
No way around it. Argue as you wish...just pick a different line of reasoning (notice I'm not even mentioning the fact 
that auto defects and imminent shark attacks aren't typically announced under a spotlight). -Wade



