Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-05 Thread Stuart Moore
Though I share Steve's sentiments on the anti-researcher bias, and I
agree with Gary's yin-yang conclusion, I really hate the question itself.

The disclosure question itself *presumes* that the current state of the
industry (defective products) is economically efficient.  The premise
absolves vendors *and* customers of any role or responsibility in
improving efficiency [I'm of the opinion that organic security would be
economically beneficial].

The question presumes that The Issue with vulnerabilities is either 
squelching the researchers (the researcher as pimp view) or promoting 
detailed disclosures (the researcher as super hero view).

I am much more interested in why vendors make defective products and why 
customers accept this level of quality, and lots of related questions.

So, in reference to Gary's breaking story, why was the Gary McGraw
automaton not able to deal with the icy walk?  Is the severe structural
damage and hours of surgical correction more cost effective than what
any anti-ice protections would have cost?  Those are the Good Questions.
  Asking whether the disclosure of the icy exploit is good or bad is the
Wrong Question.


Stuart Moore

Steven M. Christey wrote:
 On Tue, 27 Feb 2007, J. M. Seitz wrote:
 Always a great debate, I somewhat agree with Marcus, there are plenty of
 pimps out there looking for fame, and there are definitely a lot of them
 (us) that are working behind the scenes, taking the time to help the vendors
 and to stay somewhat out of the limelight.
 Do the people who write the books to avoid the vulns, sell the tools, and
 give talks at conferences stay out of the limelight as well?  What about
 all those podcasts?  They should be discounted too, since they're clearly
 pimping something.  They must have ulterior motives.  Don't get me started
 on those rabble-rousers who complain about voting machine security.
 Not that I don't have issues with how disclosure happens sometimes, but
 the anti-researcher sentiment that castigates them based on looking for
 fame by people who are themselves famous strikes me as a bit
 hypocritical.  Why do we know that Marcus designed the White House's first
 firewall?  'cause he told us, that's why.
 We're very lucky that assumed fame-hunters like Cesar Cerrudo and David
 Maynor have decided that they won't bother telling the vendor about vulns
 they find because of all the trouble it gets them into.  It's quite
 unfortunate that Litchfield has almost single-handedly dared to question
 Oracle's claim that it's unbreakable.  Perhaps we would prefer that these
 pimpers stop giving us disclosure timelines that show that they notified
 vendors about issues months or YEARS before the vendors actually got
 around to fixing them.  We can go back to security through obscurity, the
 old fashioned way, by lawsuits and threats.  Like what happened at Black
 Hat last week, but with less press.
 Basically, I have an issue with the criticism of this aspect of researcher
 pimpage when it's usually the pot calling the kettle black, when most of
 us are getting paid one way or another for this work, and there's a
 pervasive inability to recognize that many such researchers feel forced to
 disclose when the vendor still does nothing.  And many researchers aren't
 in it for the fame, which is the assumption that the pimpage argument is
 based on.
 Sorry, must be a case of the Mondays combined with this building up over a
 year or two.  The vuln researchers are the only parts of this business who
 get no respect.
 - Steve

Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

[SC-L] story of 2 patches to fix 1 bug

2005-10-21 Thread Stuart Moore


Cesar Cerrudo wrote a nice little paper about Microsoft's MS05-049 patch 
for a vulnerability in csrss that was supposedly fixed earlier in the 
MS05-018 patch: (Story of a Dumb Patch)

The paper points out that the earlier fix added a validation function 
prior to a call to the vulnerable function, but that there remained 
other code paths to access the vulnerable function.

The new fix addressed the actual vulnerable function.

Stuart Moore LLC