Sunday, November 15, 2009

Clarification to the previous post

Hey all,

I thought I need to clarify something about the previous post: I was trying to explain the fact that people reacted harshly to the hint that a new standard is being drafted, without knowing anything about it. So I talked about the historical perspective on the old OIS draft, and what my thoughts about it were, and what I think the reasons are that researchers usually do not bother with these things much.

This was not meant as a reaction to the ISO standard under discussion. Katie Moussouris clarifies a lot of important points here -- and what she writes is completely sensible.

Anyhow, enough of this :-). The upside of the entire discussion: I really like the pun in the above link. Yes, I know that I have a weird sense of humor.

Why are most researchers not a fan of standards on "responsible disclosure"

I usually try to stay away from the politics of vulnerability disclosure, mostly because I think (to paraphrase Feynman) that politics of vulnerability disclosure are as useful to the vulnerability researcher as ornithology is to birds.

But it seems that the entire discussion is not going away. The intensity of the reactions to k8em0's twitter post might be partially explained by the history of this all. I'll try to refresh what I remember:

A lot of the older vulnerability researchers remember the ghastly OIS attempt at forcing a standard written by a bunch of non-researchers down the throats of the research community. From the outside, it looked mostly like an attempt to kiss up to some vendors that were spending a lot of money on security review during that time.

I might be stepping on some people's toes, but to me it looked like a high-school class where the dimmest students drew up guidelines on how smart students "should" behave, and gave that to the teacher in order to earn brownie points - including clauses like 'not contradicting the teacher'.

Unfortunately, most of the research community prefers to do work instead of discussing with people that have little interesting to say about how the researchers should work. The result of this is that researchers were rarely ever involved in the entire discussion. Not for lack of opportunity, but mostly lack of interest -- if I can actually go and surf, why would I discuss with a bunch of people sitting in an office about the right way to come back to the beach ?

The entire discussion has always been somewhat phony. The entire "responsible/irresponsible" angle is sligthly fraudulent. The way I see it is the following:
  1. It is acceptable for AV companies to charge for signatures, which are in essence "information about malware"
  2. It is acceptable for AV companies to not publish, nor provide, malware to other parties, or to charge for it
  3. It is acceptable for software vendors to charge so I can use their software. It is also acceptable for them to charge more so that I can read their source code.
  4. Why again should a researcher be obliged to provide information to vendors free of charge again ?
  5. If anyone argues it's "responsible" to make everyone safer, I say: I'll give all my bugs to all vendors the same day that all security companies of the world provide free licenses for everyone for their software.
But well. Honestly, I am not sure whether I should post this. I do not really feel like spending too much time discussing this. But perhaps that's part of the problem...

Tuesday, November 10, 2009

Low blogging frequency

Hey all,

first of all, I seriously have to apologize for the low frequency of blog posts nowadays. We have been doing a bunch of interesting things at work that I will post about shortly. Amongst the
things on my "to-post" list are:
  • Rants on our experiences distributing VxClass
  • A method to perform exact directed graph comparison in O(1) (with some caveats ;) -- we have been sitting on this for a year or three, but were caught up in other things so writing it up fell by the wayside
  • Automated generation of byte signatures from the VxClass results
Anyhow, expect a higher blogging frequency from this blog in the next weeks. I will restrict my use of twitter for this.