Criminal Intent
InfoSecSellout (who lives up to his name by posting Google Adwords on his blog while criticizing security consultants for being sellouts) posted a great story -- Conversations with a Blackhat. I'd like to highlight a few of his comments.
I recently had the opportunity to share some drinks and interesting conversation with a group of self confessed "bad guys"... These guys make a living in various ways but it seems that spamming, phishing, and carding are their main source of income and of course, once they are done with a zero day exploit they will go ahead and make a few dollars selling it to the highest bidder...
[T]hese guys, and most like them, are against Full Disclosure. Their reason for this is also very obvious, Full Disclosure takes away their opportunity to use exploits that they have been previously able to use...
[They said] "there should be laws to prevent people from releasing exploit code on the Internet." This is obviously a self serving statement as the people already breaking the current laws are not going to care about breaking some new ones and this would take care of their problem with Full Disclosure...
[They also said] "A law like this would take the information away from the actual smart people and leave the retards who feel that having alphabet soup behind their name gives them some sort of self and professional worth watching the vault."
All of this rings true to me, and I can't find a plausible way to argue against it. (It's similar to the argument over firearms in the US. If possessing guns is illegal, only criminals will have guns.) If possessing exploits is illegal, only criminals will have exploits. There will be no way to test if vendor patches work. There will be no way to test if new code possesses older vulnerabilities, or if "security products" (e.g., host IPS and/or AV) introduce previously patched vulnerabilities. There will be no way to understand how exploits work to detect and/or prevent them. Criminals would roam freely while the world sits dumb and blind. (We're not that far away from that situation now, but it would be worse in a world without free information on exploits.)
I always like reporting on real threats, because without these insights we're playing soccer-goal security.
For a timely example of the full disclosure debate, check out Chris Shiflett's publication of a vulnerability in Amazon.com's infrastructure. If you need to understand Cross Site Request Forgeries I recommend this post.
I recently had the opportunity to share some drinks and interesting conversation with a group of self confessed "bad guys"... These guys make a living in various ways but it seems that spamming, phishing, and carding are their main source of income and of course, once they are done with a zero day exploit they will go ahead and make a few dollars selling it to the highest bidder...
[T]hese guys, and most like them, are against Full Disclosure. Their reason for this is also very obvious, Full Disclosure takes away their opportunity to use exploits that they have been previously able to use...
[They said] "there should be laws to prevent people from releasing exploit code on the Internet." This is obviously a self serving statement as the people already breaking the current laws are not going to care about breaking some new ones and this would take care of their problem with Full Disclosure...
[They also said] "A law like this would take the information away from the actual smart people and leave the retards who feel that having alphabet soup behind their name gives them some sort of self and professional worth watching the vault."
All of this rings true to me, and I can't find a plausible way to argue against it. (It's similar to the argument over firearms in the US. If possessing guns is illegal, only criminals will have guns.) If possessing exploits is illegal, only criminals will have exploits. There will be no way to test if vendor patches work. There will be no way to test if new code possesses older vulnerabilities, or if "security products" (e.g., host IPS and/or AV) introduce previously patched vulnerabilities. There will be no way to understand how exploits work to detect and/or prevent them. Criminals would roam freely while the world sits dumb and blind. (We're not that far away from that situation now, but it would be worse in a world without free information on exploits.)
I always like reporting on real threats, because without these insights we're playing soccer-goal security.
For a timely example of the full disclosure debate, check out Chris Shiflett's publication of a vulnerability in Amazon.com's infrastructure. If you need to understand Cross Site Request Forgeries I recommend this post.
Comments