
Perimeter

2/21/2012
06:44 PM
Mike Rothman
Commentary

Disclosure Clouded By Obscurity

Shockingly, the responsible disclosure debate rears its head once again, and amazingly enough some vendors still don't get it. Guess we'll never learn

Every year or so the responsible disclosure philosophical battle heats up. Some researcher unleashes a zero-day exploit after a vendor buries the bug for months. Then everyone starts pointing fingers. The researchers call the vendors names. The vendors call the researchers other names. The echo chamber on Twitter echoes. And then business returns to normal, with some companies paying researchers for bugs and others sticking their heads back in the sand.

Brad Arkin rekindled the fire at a recent conference by making the (accurate) point that security research gives the bad guys a roadmap to do bad things. Of course, the retort is that the bad guys likely already have the roadmap, which may or may not be true.

Someone on Twitter made the point that fixing bugs is a cost of doing business for software companies, which is hard to argue with. And given the 90 percent plus gross margins of the software business, it's hard to shed a tear for those folks. Yes, it's frustrating for Brad to be in the cat-and-mouse game. But I believe the ecosystem is stronger because you have _good guys_ doing research and sharing their findings, not just the bad guys using exploits, stealing data, and laughing all the way to the bank.

Unfortunately, obscurity remains the default mode for software vendors of all shapes and sizes. My pal Don Weber recently felt the repercussions of that when his ShmooCon presentation was canceled after a vendor objected to the content. As Don explained on his blog, he was going to talk about how to do security testing on smart meters, but alas at least one smart meter vendor didn't like that, so they put the kibosh on the presentation. To Don's credit, he hasn't thrown the vendor under the bus, even though their meters are clearly a steaming pile of fail.

Don's goal was to educate, not to cause harm to any of the vendors in question. The vendors felt threatened and did their best to bury the story. Smart grid buyers were able to stay blissfully unaware, continuing to write checks and life goes on. Don't let anything get in the way of the buying cycle, right? Here's the sad truth: software vendors need customers to stay dumb. Yes, that's harsh, but think about it. Smart customers are a huge liability. They want their stuff to work. They want value for what they pay for. They want their data protected. And they want bugs and security exposures to be fixed. Go figure.

Have you ever called a support desk and they were happy to hear from you? Has the VP of engineering from a software provider ever called you up to thank you for finding a huge bug that put all of their data at risk? No? Yeah, me neither. They want the problem to be yours. A faulty configuration. A stupid user. Or maybe you need more capacity, so they get sales involved and upsell. W00t!

If you haven't worked in a software company, let's be very clear that they don't want to hear about defects, bugs, broken capabilities, or security vulnerabilities. Like anyone else, they'd rather you call and tell them how great they are. What's disappointing is that some software vendors continue to shoot the messenger, on the eve of the message being delivered. They bury the message and pray their customers remain stupid. Do you think they'd threaten to sue a customer who finds a bug in some ERP vendor's General Ledger program? Of course not. They assess the defect and fix it. Or not. And leave the lawyers out of it.

Now that's not entirely a fair characterization because there are many enlightened software vendors out there, who appreciate research, understand how it can help them make their products better, and routinely collaborate with the researchers throughout the process. Don points out some of the folks that were helpful to him. But far too many continue to hide behind lawyers and obscurity.

And it's going to get worse as we continue to embrace SaaS and cloud architectures and the like. Because a problem in the cloud (whatever that means) can spread like wildfire to every customer of a SaaS or cloud provider. One for all and all for one! Multi-tenancy is a wonderful thing, but done wrong it basically opens up not just one customer's data, but all of the customers' data. I can't wait to see the lawsuits flying when someone wants to show how to bust a SaaS application or a cloud provider at Black Hat.
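To make the "done wrong" case concrete, here is an added illustration (not code from this column or from any vendor it mentions) of the most common way multi-tenant isolation fails: a lookup keyed on a record id alone, with no filter on the caller's tenant. The table, tenant names (`acme`, `globex`) and rows are constructed for the example; the point is that one missing predicate in one endpoint exposes every customer's data to every other customer.

```python
"""Tenant-isolation failure in a multi-tenant data layer, and the fix.

Added example, not from the original column. The sqlite table and the
two tenants (acme, globex) are constructed sample data.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants sharing one table, as a SaaS
    provider would. Record ids are global and sequential (easy to guess)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "acme", 500), (2, "acme", 1200), (3, "globex", 90)],
    )
    return conn


def fetch_invoice_unscoped(conn, caller_tenant, invoice_id):
    """Vulnerable: trusts the client-supplied id and never consults the
    tenant. Any authenticated user of any tenant reads any row by
    iterating ids. Parameterised, so this is not SQL injection; it is a
    missing authorization predicate."""
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def fetch_invoice_scoped(conn, caller_tenant, invoice_id):
    """Hardened: the tenant comes from the authenticated session (never
    from the request body or URL) and every query is filtered by it.
    A foreign id returns None, indistinguishable from a missing row, so
    the caller cannot even enumerate which ids exist elsewhere."""
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices "
        "WHERE id = ? AND tenant_id = ?",
        (invoice_id, caller_tenant),
    ).fetchone()


def probe(fetch, conn, caller_tenant, max_id=10):
    """Walk ids 1..max_id as `caller_tenant` through `fetch` and return the
    rows that belong to some other tenant. A non-empty result means the
    data layer leaks across tenants; this is the check a tester runs."""
    leaked = []
    for invoice_id in range(1, max_id + 1):
        row = fetch(conn, caller_tenant, invoice_id)
        if row is not None and row[1] != caller_tenant:
            leaked.append(row)
    return leaked


if __name__ == "__main__":
    db = build_db()
    # globex walks the id space: with the unscoped query it reads acme's rows
    print("unscoped leak:", probe(fetch_invoice_unscoped, db, "globex"))
    # with the scoped query it sees only its own data
    print("scoped leak:  ", probe(fetch_invoice_scoped, db, "globex"))
```

The same `probe` loop is what a researcher would run against a real SaaS endpoint, which is exactly the kind of demonstration the column worries will be litigated into silence. Note that the scoped version gets the tenant from the session, not from anything the client sends; a tenant id taken from a request parameter is just another guessable integer.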

Odds are the lawyers will prevail, no one will say anything, and we'll be further away from the New School, where we actually learn from each other's mistakes. A new generation of cloud/SaaS providers will make the same mistakes over and over again, and we'll continue to run all day and all night to stay in the same place.

You know who is happiest every time this responsible disclosure discussion happens? It's the bad guys. You think they like it when a researcher publishes a zero-day they already discovered and had been monetizing? Seems to me obscurity is better for the bad guys than it is for the good guys. Ah, that old law of unintended consequences.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...