3Com’s Southern Strategy
Thomas Ptacek | July 31st, 2005 | Filed Under: Uncategorized
If David Endler isn't our industry's Karl Rove, he's at least its Frank Luntz.
Lots of people will talk on mailing lists about the ethics of the "Zero Day Initiative": whether "publishing" to it will hurt your reputation (yes) or damage the vulnerability research community (yes). The ZDI terms dictate that they see your findings before naming a price. The terms give them the rights to all submissions without compensation. Will they steal vulns? (Probably not.) Will they withhold from competitors? Etc., etc. What fun.
You're all missing the point. Believing that TPTI is going to aggressively exploit a position as the world's vulnerability clearinghouse is like having believed that George Bush was going to trot out Osama bin Laden to win the election. Even if they were capable of executing that plan (like Bush, they aren't), they don't need to.
Here's the operative disclosure about the program from 3Com:
3Com and TippingPoint will be protected from the vulnerability in advance, but they will not be able to tell from the description what the vulnerability is.
Here's what's going to happen:
"Zero Day" vulns will get names like ZDI-3920, ZDI-4031, etc.
Most of these ZDI "signatures" will be for variants of other attacks: exploit signatures, different payloads, etc.
The "real" vulnerabilities will mostly be XSS and cgi-bin detritus.
A few times a year, TPTI will coordinate and launch a "real" vulnerability, with fanfare and press releases.
The line between "real" and "bullshit" findings thus blurred into illegibility, TPTI will begin press-releasing things like "472 zero-day vulnerabilities disclosed to date", and use it to claim higher signature counts and better response times than vendors like ISS.
In other words, the antivirus playbook.