Dailydave mailing list archives

Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder

From: Jan Muenther <jan.muenther () nruns com>
Date: Mon, 14 Mar 2005 18:42:05 +0100

G'day,

There needs to be some way to create economic incentive for softwarevendors to fixbugs before the product is delivered and installed, and there arereally just two choices:
   1. Hold software vendors liable for damages incurred from intrusions
   2. Create a market for vulnerabilities
In the first case, vendors will have to purchase insurance for theirsoftware, which will bea lot more expensive for widely used software than for niche products.The insurances willget richer. The closed source vendors would have a good argument whycustomers shouldchoose closed versus open source, too: For OSS, there would be nobodyto sue.

Well, strictly speaking, that's not necessarily the case, sinceliability always affects the initiator / author of any given good - andof course, open source software has authors, too. Currently, the vendorsget away with their "Get out of jail for free" cards, yet ifjurisdiction should decide to change that at some point, I'd think forOSS projects and possibly some free giveaways it might still work outthis way.By the way: Software isn't automatically completely liability-free, atleast not in Germany (only legal system I'm rather common with). These"signoffs" do not hold up when you sell custom made software - here, theusual laws kick in. I've seen liability lawsuits ruining small softwarecompanies, although the bugs in discussion were not security-related(but that wouldn't matter, really).

The second case is what is (to an extent, and perhabs not in the mostoptimal way) VSCdoes: MS would have an incentive to spend the membership fee to learnabout bugs early,and the money that MS pays could be used to make it more attractive togive up the exploitsto the vendor. If the vendor decides he doesn't care (which would be aviable position to takeif he is very certain of his code quality) then he does not need tosign up.

Problem is... when you give the vendor a heads up about vulnerabilitiesin their products and then tell them to join your VSC to get thedetails, they might feel they're being blackmailed and just playstubborn. Those who believe in full disclosure (I don't) would arguethat the restricted circle of people who get access to the exploit codeand vulnerability details keeps the pressure on the vendors to fix theirissues low.The question that keeps popping up in my head when these things arebeing discussed is: Cui bono - who benefits from which way of handling bugs?Interestingly, a good share of the recent Win32 worms were based onvulnerabilities that eEye came up with.As of the allegation that "criminals" and possibly terrorists buy theirway into the VSCs... they're already buying people, hiring them forsingle hit jobs, and for them, it's not the 0day that counts, but ratherthe result. Believe it or not, during the plethora of pen tests Ialready conducted, I more often than not succeeded in penetratingwithout even whipping a single piece of exploit code out. 0day-huntingonly starts when it's needed, and memory corruption vulnerabilities areonly one part of the game, anyway.

Personally, I'd say software vendors are liable for their products,period. However, I see that liability restricted to, uhm, the limits ofdue diligence. When some wunderkind comes up with a new bug class, well,how could you have prevented that? However, well-known dangerousconstructions or obvious lack of security precautions in design musthurt, financially, too.Another thing that just makes me boggle is how few (legally binding)security requirements exist for software that is used in integral partsof civil infrastructure. The only thing that springs to my mind is thehealth industry, and there, the use of "validated systems" rather makesthem a heck of a lot more vulnerable than secure, since patching isactually prohibited, as is switching off services, since the system hasbeen approved of with them running. Argh. Talking about energy, banks,transportation etc... there's just nothing in place, all that is done ison a free will basis or because private companies fear for theirexistance if a security hazard strikes them.I've recently stumbled across a bug in a piece of software that's usedin, uhm, certain (rather rare) parts of civil infrastructure, and it wasrather trivial to find and rather cheap to exploit. I'm 120% sure thisthing would not exist if the vendor had been legally obliged to get itchecked before it's deployed. Frankly speaking, I was personally pissedoff by that.


Cheers, j.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

Fwd: [ISN] Security experts hit out at "unethical" bug finder Anthony Zboralski (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder halvar (Mar 14)
  - Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Chris Wysopal (Mar 14)
    - Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder H D Moore (Mar 14)
    - Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Chris Wysopal (Mar 14)
    - Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Isaac Dawson (Mar 14)
    - Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder halvar (Mar 14)
  - Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Jan Muenther (Mar 14)
  - Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Gadi Evron (Mar 14)
    - Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Gadi Evron (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bug finder robert (Mar 14)