This story was printed from ZDNet Australia.
Disclosure revisited

By David Raikow
December 19, 2000
URL: http://www.zdnet.com.au/news/security/soa/Disclosure-revisited/0,130061744,120107760,00.htm


Do ethics in the security community need to be re-examined? Marcus Ranum thinks so.

Over the past six months, Marcus Ranum, a well-respected player in the security field and CTO of Network Flight Recorder, has become a focal point in one of the most heated debates in the security community. In July 2000, Ranum called for a reassessment of the ethics of security practice, and in doing so challenged one of the community's most sacred cows: the way in which security vulnerabilities are disclosed to the public.

Sm@rt Partner: Very briefly, what is the disclosure debate all about, and why has it been so divisive?

Marcus Ranum: The problem is that there are a number of "gray hat" hackers in the community who feel that the right way to get vendors to fix problems is to expose vulnerabilities immediately. My issue with that practice is that it leaves most people—who are not part of the security game and really don't care about it—vulnerable up until they finally get around to fixing it, which is usually after they've gotten hurt. So essentially we're shortcutting the process so that the vendor doesn't really have a chance to propagate a patch effectively enough.

There are a few reasons I think my views are so unpopular. One, security practitioners are curious people and tend to be control freaks, so they really want to know what's going on. Two, there are a lot of folks out there who are trying to have their cake and eat it, too. Really what these people want to do is have all of the privileges and practices of being hackers with none of the downside. They want to play, they want to act tough, they want to go to DefCon and dress like goths. They want to do all of this nonsense, and they also want to get paid big salaries and be treated like responsible practitioners. I'm trying to call them on that, and they get defensive.

People seem to miss the fact that I also argue that vendors should be held liable if they are notified of a security vulnerability and shrug it off. That's just insane. Anyone who's informed about a serious problem with something they're selling—that's putting other people at risk in any way, shape or form—has to take the situation seriously. And I think that we should be utterly intolerant of vendors that don't take it seriously.

It's been very interesting to me. On one hand, I've come down pretty hard on the hackers. But I've also come down pretty hard on the vendors, and I came down pretty hard on the security analysts, too. Everybody in this industry is doing the wrong thing, and they're doing it very hard.

SP: Aren't there accepted standards for responsible disclosure, wherein the bug spotter contacts the vendor and waits for a patch to be released before going public?

MR: Actually, I'm against that, too—I think it's profoundly lame. What's the point in doing that? If the ostensible reason for disclosing the vulnerability is to get the vendor to fix the problem, at the moment when the vendor's issued the patch you've done your job, right? You've won. You've saved the world for humanity. But no, that's not good enough for these guys. They want to stand up on their little soapbox and get five seconds of fame by saying, "Hey, look at how smart I am! I found a hole in this thing!"

I have no respect for that. If you want to market yourself, do something useful—write a better firewall, a better router or intrusion-detection system, or whatever. I don't believe that as a society we should really reward people for throwing rocks at other people's backs, basically.

SP: Don't they serve a useful purpose, though, pushing vendors to fix problems they would otherwise ignore?

MR: I think that's true, but I think it's true because they're making the situation worse in order to make it better. They're doing it through an extortionistic practice. People who are Good Samaritans do not stand by someone's bleeding body and wait for the TV crews to show up so they can act like a hero. If the reason you're doing it is to get credit, then don't pull this knight in shining armor s**t.

SP: Won't exploit techniques get out anyway? The bad guys are going to find this stuff, so won't eliminating disclosure just leave the good guys in the dark?

MR: I think you're overestimating most of the bad guys; most people calling themselves "hackers" don't have the skill to find these problems. As for those that do, limiting disclosure would make things tougher for them because now they've got to keep secrets, too. As soon as they start spreading around one of their techniques, the good guys are going to find out about it and shut it down.

SP: So how do the good guys get enough information to assess their risk and exposure?

MR: That's certainly a serious issue. What we need to do is come up with a way in which disclosure is done so that the minimum number of people are placed at risk, but everybody has the information they need that would allow them to quantify vulnerability. The real issue becomes distinguishing between what information people need and what they merely want. There's a big difference between releasing data about how a problem impacts an end user and explaining in detail how to exploit that problem.

You've got to look at the number of people placed at risk at any given time by your actions. That's the litmus test that I've been offering to the industry. All I'm saying is, it's time to grow up. If you want to be a respectable practitioner, your actions should be predicated on nothing other than reducing the risk to the people on the Internet as much as possible.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.