funsec mailing list archives
Security research vuln pimps
From: "Hubbard, Dan" <dhubbard () websense com>
Date: Mon, 26 Apr 2010 09:18:04 -0700
http://securityblog.verizonbusiness.com/2010/04/22/redefining-security-researcher/

This should cause some nice stirring of the proverbial pot.

Have you ever heard of a terrorist referred to as a "demolition engineer?" How about a thief as a "locksmith?" No? Well, that's because most fields don't share the InfoSec industry's ridiculous yet long-standing inability to distinguish the good guys from the bad guys. Perhaps we're just in one of those moods lately but it seems to be getting worse. It's far too easy for anyone who has anything to do with information security to be labeled (by themselves or by others) a "security researcher" without regard to their behavior. "Security Researcher Breaks This" and "Security Researcher Exposes That" say the headlines. Ugh; we really need to clean up our language. This begins with setting a few principles and regularly using more accurate descriptors in our publications and daily conversations.

Why does this matter? Well, it's a matter of principle: One is either part of the problem or part of the solution. Problem-makers and Solution-makers should no more have the same label than terrorists and engineers. Sure, they both interact with explosives in their daily business but they put their skills to vastly different uses. Is there a reason we must continue to label people by the elements of their trade rather than the merit of their deeds? We think not.

We at Verizon Risk Intelligence do hereby adopt and resolve to faithfully use the following definitions:

* Security Researcher: One who studies how to secure things and/or how things are not secure in order to find a solution.
* Security Practitioner: One who applies the findings of the Security Researcher in order to make things more secure.
* Narcissistic Vulnerability Pimp: One who - solely for the purpose of self-glorification and self-gratification - harms business and society by irresponsibly disclosing information that makes things less secure (or increases risk).
* Criminal: One who actively subverts security without authorization or deliberately creates ways for others to do so.

It's time to draw a line in the sand. If you too are tired of seeing criminals elevated to a podium of legitimacy and bestowed the same job title you possess, join us. We'd be grateful to have the company.

*****

Update: I put this as a comment but I felt it needed to go as an update to the main article.

I enjoy (many of) the comments and healthy debate on this important topic...but please stop using analogies that compare the disclosure of software/hardware vulnerabilities to auto part defects and sharks in the water. Whatever your stance on disclosure, this line of logic simply does not apply. If you make known an auto defect or shout a warning to people about a shark in the water (I avoided a shark attack as a little boy bc of this, btw), you DO NOT INCREASE THE LIKELIHOOD OF ATTACKS OR THEIR SUCCESS RATE. Other drivers will not start crashing into you at a higher rate and more sharks will not swarm from across the ocean to attack you because of this knowledge/warning. You can deal with the vulnerability (defect/exposure) without an increase in the likelihood of attacks or incidents.

If you tell the world about a flaw in operational software/hardware, you increase the pool of threat agents that know about it, increase the likelihood they will attack, and increase the chance they will be successful. All of this happens when you make the information known. Therefore, risk is increased unless the problem is addressed beforehand. No way around it. Argue as you wish...just pick a different line of reasoning (notice I'm not even mentioning the fact that auto defects and imminent shark attacks aren't typically announced under a spotlight).

-Wade