Disclosure revisited

By David Raikow
19 December 2000 11:28 AM
Do ethics in the security community need to be re-examined? Marcus Ranum thinks so.

Over the past six months, Marcus Ranum, a well-respected player in the security field and CTO of Network Flight Recorder, has become a focal point in one of the most heated debates in the security community. In July 2000, Ranum called for a reassessment of the ethics of security practice, and in so doing challenged one of the community's most sacred cows: the way in which security vulnerabilities are disclosed to the public.

Sm@rt Partner: Very briefly, what is the disclosure debate all about, and why has it been so divisive?

Marcus Ranum: The problem is that there are a number of "gray hat" hackers in the community who feel that the right way to get vendors to fix problems is to expose vulnerabilities immediately. My issue with that practice is that it leaves most people—who are not part of the security game and really don't care about it—vulnerable up until they finally get around to fixing it, which is usually after they've gotten hurt. So essentially we're shortcutting the process so that the vendor doesn't really have a chance to propagate a patch effectively enough.

There are a few reasons I think my views are so unpopular. One, security practitioners are curious people and tend to be control freaks, so they really want to know what's going on. Two, there are a lot of folks out there who are trying to have their cake and eat it, too. Really what these people want to do is have all of the privileges and practices of being hackers with none of the downside. They want to play, they want to act tough, they want to go to DefCon and dress like goths. They want to do all of this nonsense, and they also want to get paid big salaries and be treated like responsible practitioners. I'm trying to call them on that, and they get defensive.

People seem to miss the fact that I also argue that vendors should be held liable if they are notified of a security vulnerability and shrug it off. That's just insane. Anyone who's informed about a serious problem with something they're selling—that's putting other people at risk in any way, shape or form—has to take the situation seriously. And I think that we should be utterly intolerant of vendors that don't take it seriously.

It's been very interesting to me. On one hand, I've come down pretty hard on the hackers. But I've also come down pretty hard on the vendors, and I came down pretty hard on the security analysts, too. Everybody in this industry is doing the wrong thing, and they're doing it very hard.
