Let's start with
CanSecWest, and the vulnerability commercialization panel they had on Wednesday. There was much spirited debate but no end agreement between the parties... takes me back to
ShmooCon and the BOF panel on training... but I digress.
In the
press, Michael Sutton is quoted as saying that vendors need to pay for vulns, and later in the article a customer states he expects vendors to pay for vulns as well.
"The only economic model that does not make sense to me is the vendor's," Sutton said. "They get to know about a vulnerabilities ahead of time, but they are unwilling to pay for them."
Let's blithely assume for a moment that vendors and researchers could agree on the dollar value of a vulnerability (ROTFLMAO). There is still a big problem with the 'buying vulnerabilities protects customers' argument: if Oracle buys a vuln from David Litchfield, Oracle now owns the vuln. That means that they don't EVER have to fix it if they don't want to. I'm not just picking on Oracle - this is true of ANY vendor. They wouldn't be buying vulns, they'd be buying silence. And that would just piss everyone off - hell, that's why full disclosure practices started to begin with - the only way to get a vendor to fix a security bug was to publicly shame them with it. So I wholeheartedly disagree that vendors buying bugs would make me as a computer user any safer.
I have no problem with reputable third parties buying vulnerabilities and working with vendors to protect customers. I'll admit I think Tipping Point's
ZDI program does a better job of that than iDefense's
VCP program simply because iDefense's customers leak their confidential advisories all the time before patches are available. But these programs do play an important role in the security ecosystem that benefit customers, researchers, and vendors.
Other stuff:Dates for
HOPE number 6 have been announced - July 21-23, just a week or so before
Black Hat Vegas. Of course I've added HOPE to the upcoming cons list...
Check this out - I've heard
most people aren't having much trouble with Apple's
Boot Camp beta, but
this guy managed to get the legendary
Blue Screen of Death. I haven't seen that on one of my boxes in over five years. Wow.
Comments on the blog suggest that this was a known bug in the beta relating to iSight... doh!
Adam Shostack makes some interesting observations on recent media regarding rootkits on the
Emergent Chaos blog. Yeah, he is right, this is a Captain Obvious type of situation where everyone in the security space already knew that rootkits were a big dangerous problem. But I think (or at least hope) the point of the Microsoft presentation at InfoSecWorld in FL that spurred the
eweek article was to educate less security savvy customers about threats we are facing today and give guidance on how to deal with them. Adam also mentions the extremely cool work being done by John Heasman of
NGS on ACPI BIOS rootkits that was presented not only at
Black Hat Federal, but
Black Hat Amsterdam and will again be presented in May at the
Computer and Enterprise Investigations Conference. Right now it is super cutting edge stuff - so maybe if John gives the talk often enough, more people will pay attention (and by someone I don't mean the bad guys). After giving the talk at Black Hat Federal in January, Rob Lemos ran a
story which quoted Greg Hoglund as saying:
"It is going to be about one month before malware comes out to take advantage of this," said Greg Hoglund, CEO of reverse engineering firm HBGary and editor of Rootkit.com. "This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in."
It would be a shame if the security industry didn't pay attention in January to John's early warning and is surprised when malicious bios rootkits emerge.
And since I've mentioned
CEIC, I may as well throw a shameless plug out for Vinnie Liu's talk on Defeating Forensic Analysis (with his business partner Patrick Stach) on Thursday May 4 at the con. Vinnie is a very smart guy - if you are attending CEIC, I'd definitely attend their session. I'm such a groupie I'd go to NV just to see this talk, but I think that would violate the restraining order...
~Elphie
Labels: apple, cansecwest, conferences, emergent chaos, heasman, hogllund, HOPE, liu, responsible disclosure, rootkits, security