Right. And while you're calculating costs, don't forget to factor in the costs of all of the opiates that the McGraw automaton is now faced with eating as he whiles away his "patching time" on the orange chair. The break was severe indeed.
I think some vendors have come around to the economics argument. In every case, those vendors with extreme reputation exposure have attempted to move past penetrate and patch. Microsoft, for one, is trying hard, but (to use my broken leg analogy) they had a severe case of osteoporosis and must take lots of calcium to build up bone mass. The financial vertical, led by the credit card consortiums, is likewise making good progress. Other vendors with less brand exposure (or outright apathy from users) are slower on the uptake. Ultimately, the economic decision will rule the day.

gem

P.S. I would rush out and buy some ice remover, but the weather has warmed up and I am currently immobile.

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

-----Original Message-----
From: Stuart Moore [mailto:[EMAIL PROTECTED]
Sent: Mon Mar 05 21:18:03 2007
To: SC-L@securecoding.org
Cc: Steven M. Christey
Subject: Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

Though I share Steve's sentiments on the anti-researcher bias, and I agree with Gary's yin-yang conclusion, I really hate the question itself. The disclosure question itself *presumes* that the current state of the industry (defective products) is economically efficient. The premise absolves vendors *and* customers of any role or responsibility in improving efficiency [I'm of the opinion that organic security would be economically beneficial]. The question presumes that The Issue with vulnerabilities is either squelching the researchers (the researcher as pimp view) or promoting detailed disclosures (the researcher as super hero view). I am much more interested in why vendors make defective products and why customers accept this level of quality, and lots of related questions.

So, in reference to Gary's "breaking story," why was the Gary McGraw automaton not able to deal with the icy walk? Is the severe structural damage and hours of surgical correction more cost-effective than what any anti-ice protections would have cost? Those are the Good Questions. Asking whether the disclosure of the icy exploit is good or bad is the Wrong Question.

Stuart

--
Stuart Moore
SecurityTracker.com

Steven M. Christey wrote:
> On Tue, 27 Feb 2007, J. M. Seitz wrote:
>
>> Always a great debate, I somewhat agree with Marcus, there are plenty of
>> "pimps" out there looking for fame, and there are definitely a lot of them
>> (us) that are working behind the scenes, taking the time to help the vendors
>> and to stay somewhat out of the limelight.
>
> Do the people who write the books to avoid the vulns, sell the tools, and
> give talks at conferences stay out of the limelight as well? What about
> all those podcasts? They should be discounted too, since they're clearly
> pimping something. They must have ulterior motives. Don't get me started
> on those rabble-rousers who complain about voting machine security.
>
> Not that I don't have issues with how disclosure happens sometimes, but
> the anti-researcher sentiment that castigates them based on "looking for
> fame" by people who are themselves "famous" strikes me as a bit
> hypocritical. Why do we know that Marcus designed the White House's first
> firewall? 'cause he told us, that's why.
>
> We're very lucky that assumed fame-hunters like Cesar Cerrudo and David
> Maynor have decided that they won't bother telling the vendor about vulns
> they find because of all the trouble it gets them into. It's quite
> unfortunate that Litchfield has almost single-handedly dared to question
> Oracle's claim that it's unbreakable. Perhaps we would prefer that these
> pimpers stop giving us disclosure timelines that show that they notified
> vendors about issues months or YEARS before the vendors actually got
> around to fixing them. We can go back to security through obscurity, the
> old fashioned way, by lawsuits and threats. Like what happened at Black
> Hat last week, but with less press.
>
> Basically, I have an issue with the criticism of this aspect of researcher
> "pimpage" when it's usually the pot calling the kettle black, when most of
> us are getting paid one way or another for this work, and there's a
> pervasive inability to recognize that many such researchers feel forced to
> disclose when the vendor still does nothing. And many researchers aren't
> in it for the fame, which is the assumption that the pimpage argument is
> based on.
>
> Sorry, must be a case of the Mondays combined with this building up over a
> year or two. The vuln researchers are the only parts of this business who
> get no respect.
>
> - Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

----------------------------------------------------------------------------
This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You.
----------------------------------------------------------------------------