Security is productized, so real research is hampered
on March 2nd, 2007 at 8:57 am
I know I am a little late to this game, but I have to say that it absolutely drives me insane that HID is trying to push Chris Paget around. Just like it drove me nuts last year that ISS caved to pressure and caused one of their last real talents (Michael Lynn) to quit because he dared to reveal a Cisco flaw.
I am all about responsible disclosure. I am all about letting the manufacturer know of the issue before revealing it to the public. But neither of these cases involves something that is not known already. So basically this is effectively doing nothing but hampering security research. And the reason is that security has become uber-productized. Everyone has a product they want to sell to everyone to make a buck, and you will be strung up with red tape and lawyers’ neckties if you find a flaw and try to disseminate it to the public.
Don’t get me wrong. I am a capitalist to the core. I am all about making the money. I don’t work for free. If I were smart enough to start a company and make a few million, I would have already done it. But I will say that if I made a security widget of some sort and Mr. Paget or Mr. Lynn or Mr. Whoever told me there was a problem with my product, could demonstrate it to me, and that they were going to show it at BlackHat, I would walk on the frickin’ stage with them, put my arm around them, and say “this guy is da’ bomb.” I would push out a damn press release that said what I was doing to fix the problem, and I would probably try to hire the guy who found the flaw so I could get some better QA.
AAAAAAAAAAAHHHHHHHHHH!!!!!
This is the height of ridiculousness. People who do security research such as these two gentlemen deserve praise, respect, and adoration, not lawsuits.
And sorry to Alan and all other bloggers about the little bit of cursing. I am not a guy normally driven to expletives, but this has me fired up.
Vet

LonerVamp definitely hit the nail on the head. Security research teams are cost effective for all companies. They are not going to find everything. Heck, they may only find the “sexy” stuff that is exploitable. But if the code is already broken, and you have to fix it anyway, why would you want to spend more money on lawyers when you could have spent it on improving the product and investigating the root cause (hello SDLC!)? That does not sound cost effective, and perhaps a few CFOs should be looking into it.
Don’t worry, Vet. We feel your pain and, as a Marine, I have a few pointed and disgusting words you can use in your next article. Just drop me a line and I’ll fill you in.
Go forth and do good things,
Cutaway
Michael, you don’t have to apologize to me about the language. It’s your blog; you write what you want. You have to make your own peace with the man.
Don’t forget last year’s David Maynor/Cache and Apple fiasco. That’s now three years and three major cons that have experienced this frustration. And these are only the wide-spread and known cases.
Much like the RIAA and MPAA are slow to move and react to technology and end up being very heavy-handed in their dealings with people they typically look down upon, so too are many businesses coping more slowly than I think they will admit when it comes to things like security and the disclosures thereof.
I think it will just take time (sadly, too much time) for people, and thus companies, to get used to the reality of security in a digital world. This stuff just is. It happens. It will always happen. It doesn’t have to mean that one mistake drops your stock price x points. It will take time for more people to deal positively with such things and accept a little outside criticism.
It makes me mad too. Hell, how much money would each of these three companies have had to spend to find these issues on their own? And they end up getting some free research and help! Even a piece of malware can be seen in a positive light, just like seeing a real health-threat virus. We can then look at it, learn from it, and work to prevent it.