Attackers, Vuln Finders and Exploits – It just ain’t fair!

I recently took a look at "The Vulnerability Disclosure Game: Are We More Secure?" (https://www2.csoonline.com/exclusives/column.html?CID=28072) by Marcus Ranum, which in turn links to "Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'" (https://www2.csoonline.com/exclusives/column.html?CID=28073). I've got a lot of respect for Marcus – he's always been on the right side of the fight, and let's face it – anyone who goes jogging with his horse is pretty cool in my book. Not that I'd be biased towards people with horses…

That said, both of these guys have it wrong, or at least partially wrong. Marcus is right that there are a lot of people out there busy being part of the problem. In my earlier post about the economics of the vulnerability finding game, I outlined some of the forces at work. If we look at the overall picture, it's highly asymmetrical – a vuln finder spends a few thousand at best finding a vuln, the vendor spends anywhere from tens of thousands to hundreds of thousands making a fix, testing it, and getting it out, and then the customers spend even more deploying the fix. All so someone gets their 2 minutes of fame (15 if they're lucky). It just ain't fair.

If I were a CSO or CIO, I don't think I'd spend my money with vendors who ran around giving yet more exploits to the script kiddies and other rabble that's out there attacking my systems. The attackers have plenty of weapons to start with, and I'd rather help out the people who are part of the solution. If all these folks would just straighten up and behave responsibly, we'd be so much better off – or at least that's the premise. Unfortunately, we wouldn't be any better off. There are a whole lot more people who find these things, keep them secret, sell them, or use them for personal gain, and it's all underground. The stuff the people writing bulletins find is a drop in the bucket. It's nice that they're generally responsible, and it's nice that they let the vendor know about things (so they get their name in lights), but if they all took up a different job tomorrow, I don't think we'd be noticeably any more or less secure. Unless it's someone really smart who truly does a thorough job and works with the vendor to get a complete solution (a good example of this was David Litchfield's analysis of the /GS switch – it's a lot better now and he deserves credit for helping), all these little ankle-biting exploits don't amount to much. We find a LOT more of this sort of thing internally than comes in from outside.

In a previous career, I was involved in helping clean up the environment – gee, if everyone would just recycle, landfills wouldn't fill up so fast, we wouldn't use up so many resources, and so on. Same sort of thing as wishing the vuln finders would all go fishing and not come back – guess what? People are for the most part going to do what is in their economic self interest, and never mind the effect on the rest of the world. If there's enough economic incentive, they'll start doing the right thing. Unfortunately, there's economic incentive to do the wrong thing in this case, but that's the way it is. It just ain't fair.

Then the other side of the argument is that without Full Disclosure, no one would fix anything. Maybe that's the way it used to be, for some vendors, but things change. Used to be if I wailed my head off, people would bring me food, but that hasn't worked for a very long time. Things change. I'm always suspicious of Things In Capital Letters. If it isn't a proper name, then it's probably a synonym for the One True Way, and now we're talking dogma, not reason. The reality is that if there are people out there attacking your customers, then you better put a lot of effort into security, and these people running around making "wow, look how smart _I_ am" posts to mailing lists are really one of your smaller problems. The reality is that it just gives the attackers more weapons to play with, and makes the Internet a more hostile and difficult place to communicate and conduct business than it already is. It's the tragedy of the commons on a global scale. If the premise that nothing gets fixed without Full Disclosure were true, I would have never gotten much of anything fixed, and it's been quite the contrary – I only went public without a fix once, and that was after the vendor told me that buffer overruns weren't exploitable on Windows (seriously, they did tell me that). But if all those people just went fishing one day, we still wouldn't be a lot better off – there are still real criminals to worry about. And ironically, they serve a purpose in some cases – occasionally, they'll steal an attack from the underground and bring it to light, where it will get fixed – but if they'd quietly let a responsible vendor know about the problem, it would get fixed anyway. And this deal of concluding that since one person found it, everyone else will magically notice via telepathy – hogwash. Sometimes people do figure out the same things at about the same time – Laplace and Newton both figured out the foundations of calculus at around the same time – but more often, they don't.

Bruce went on to say "… and that software companies will spend time and money fixing secret vulnerabilities. […] full disclosure is the only reason vendors routinely patch their systems." There's all sorts of evidence that these assertions are false. Let's take my employer out of the picture for a moment, along with the fact that I have direct knowledge of Microsoft not only fixing vulns no one else knows about, but fixing things that just look sort of like a vuln (but we're not completely sure) that no one else knows about. Consider the guys at OpenBSD – they just "fix the bugs". I don't agree with them about everything, but they're so completely right about that, I just can't say it loud or often enough.

As the story goes, someone asked Jesse James (a famous Western US outlaw from the late 1800s) why he robbed banks. "That's where the money is" was the alleged reply. As much money as there is running around the Internet these days, there's a lot of incentive for people to do bad stuff. Wishing it wasn't so won't get us anywhere. Facing reality and building apps that stand up to current threats will get us somewhere. Life just ain't fair – TANSTAAFL – There Ain't No Such Thing As A Free Lunch.