Help!

Thomas Ptacek | October 31st, 2005 | Filed Under: Disclosure

Buried in a comment, Peter says:

Why on earth should people be forced to “make a case” against helpfulness? If it was really just help, couldn’t they decline the favor? No, the onus is on bugfinders (finding a buffer overflow really isn’t research anymore) to offer their service and wait for a request - that’s how “help” works.

Peter has misunderstood something fundamental about the process. Let’s “help” him get his head around this:

Vulnerability researchers aren’t “helping” the vendors and producers of software by publishing vulnerabilities (though that is often a side-effect of their work). They’re “helping” the customers who deploy that software. Those customers very much want that “help”, which is why providing that “help” pays so fucking well.

If Peter Lindstrom is advocating for a process whereby researchers will post to Bugtraq and say, “I’ve found a new remote code execution bug in Snort, would anybody like to take me up on my offer to help them identify and eliminate it?”, that’s a valid, though stupid, argument to make. Peter Lindstrom will simply have added about 34 seconds to the exact process we have now[*].

I don’t think that’s Lindstrom’s argument, but I’m still waiting to hear the coherent alternative argument that can be synthesized from the points he’s making.

Global 2000 enterprises spend tens of millions of dollars a year (just shy of 100 million dollars, not counting in-house headcount expenses or revenue from products whose value propositions depend on security research) on targeted vulnerability research. This is an existence proof of the demand for information about vulnerabilities in deployed software.

3 Comments so far

  • tqbf

    October 31st, 2005 11:21 am

    [*] 34 seconds not counting the 18-27 hours it takes for a Bugtraq post to propagate in 2005.

  • Pete

    October 31st, 2005 5:56 pm

    The whole “vulnerability disclosure” process is a ridiculous by-product of the even more destructive “vulnerability discovery” process. It’s always kind of cute to say that people are making a lot of money doing something to validate it. The fact that mass tribute is required due to the inextricably-linked domination by the techno-elitists over my grandmother, et al. says nothing about its impact on the nature of the ‘Net’s risk, which bugfinders are driving up, not down, by necessity.
    I know exactly who you think you are helping, but feel free not to - “help” should be determined by the recipient, not the blackmailer…er, bugfinder. That is the problem with “help” in this area - it forces other people into servitude.

  • tqbf

    November 2nd, 2005 10:51 am

    The whole “vulnerability discovery” process is a ridiculous by-product of the even more destructive “vulnerability insertion” process. It’s always kind of cute to say that people are making a lot of money doing something to further it. The fact that click-wrap licenses are required due to the inextricably-linked domination by the techno-elitists over my preschool daughter, et al., says nothing about its impact on the nature of the ‘Net’s risk, which software companies are driving up, not down, by necessity.