SP: Aren't there accepted standards for responsible disclosure, wherein the bug spotter contacts the vendor and waits for a patch to be released before going public?
MR: Actually, I'm against that, too. I think it's profoundly lame. What's the point in doing that? If the ostensible reason for disclosing the vulnerability is to get the vendor to fix the problem, at the moment when the vendor's issued the patch you've done your job, right? You've won. You've saved the world for humanity. But no, that's not good enough for these guys. They want to stand up on their little soapbox and get five seconds of fame by saying, "Hey, look at how smart I am! I found a hole in this thing!"
I have no respect for that. If you want to market yourself, do something useful: write a better firewall, a better router or intrusion-detection system, or whatever. I don't believe that as a society we should really reward people for throwing rocks at other people's backs, basically.
SP: Don't they serve a useful purpose, though, pushing vendors to fix problems they would otherwise ignore?
MR: I think that's true, but I think it's true because they're making the situation worse in order to make it better. They're doing it through an extortionistic practice. People who are Good Samaritans do not stand by someone's bleeding body and wait for the TV crews to show up so they can act like a hero. If the reason you're doing it is to get credit, then don't pull this knight in shining armor s**t.
SP: Won't exploit techniques get out anyway? The bad guys are going to find this stuff, so won't eliminating disclosure just leave the good guys in the dark?
MR: I think you're overestimating most of the bad guys; most people calling themselves "hackers" don't have the skill to find these problems. As for those that do, limiting disclosure would make things tougher for them because now they've got to keep secrets, too. As soon as they start spreading around one of their techniques, the good guys are going to find out about it and shut it down.
SP: So how do the good guys get enough information to assess their risk and exposure?
MR: That's certainly a serious issue. What we need to do is come up with a way in which disclosure is done so that the minimum number of people are placed at risk, but everybody has the information they need that would allow them to quantify vulnerability. The real issue becomes distinguishing between what information people need and what they merely want. There's a big difference between releasing data about how a problem impacts an end user and explaining in detail how to exploit that problem.
You've got to look at the number of people placed at risk at any given time by your actions. That's the litmus test that I've been offering to the industry. All I'm saying is, it's time to grow up. If you want to be a respectable practitioner, your actions should be predicated on nothing other than reducing the risk to the people on the Internet as much as possible.