Like an old grandfather clock, the controversy surrounding last month's CanSecWest MacBook hijack contest just keeps on ticking, loud enough to stick in your ear but so monotonous and tiring that it's near impossible to perk up and listen.
Just as Apple was releasing a patch for the QuickTime flaw, Gartner researchers Rich Mogull and Greg Young set off the new brouhaha with a note highlighting the "danger of vulnerability research conducted in public."
Public vulnerability research and "hacking contests" are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements. Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers.
The Gartner duo called on vendors and security services firms to "consider ending public vulnerability marketing events" because of the risk of "unanticipated consequences that endanger IT users."
The ink had not yet dried on Gartner's news analysis when McAfee's Rahul Kashyap turned up the heat on TippingPoint's Zero Day Initiative (the company that bought the QuickTime flaw details), railing against an "ethical disconnect" in using the flaw details to protect paying customers ahead of a patch for everyone.
On McAfee's official blog, Kashyap writes:
As security vendors, our mission is to protect our customers and the internet community at-large, not to create hype and FUD by giving the world a chance to exploit unpatched flaws!! Failing to disclose to anyone leaves the good guys in the dark - but supporting irresponsible disclosure gives the bad guys night vision…
It's amusing to listen to an anti-virus vendor decry "hype and FUD" when that entire industry is built on overblowing computer security threats to sell more subscriptions. It's even more comical when you consider that McAfee is part of a secretive industry that jealously guards information on new virus samples -- just so they can race each other to say (via press release) who had a signature out first. If you don't believe me, ask Val Smith why he created Offensive Computing.
Matasano Security's Thomas Ptacek would soon join the fray, tossing out a challenge for Kashyap to post McAfee's vulnerability disclosure code-of-conduct.
If McAfee wouldn’t touch a contest like CanSec’s PWN-TO-OWN, what would they do? If McAfee pledges to protect the Internet at large, and pledges not to prioritize their own customers, they should say that.
ZDI has defended itself against all the criticism, insisting that all the accepted norms of "responsible disclosure" were followed and echoing the argument that hackers should be paid for finding holes in software products.
Security and Vulnerability Research is valuable. It leads to more secure products, and more secure customers. Without supported research many vulnerabilities would continue to remain behind closed doors, and be used for nefarious purposes. A researcher's time is valuable. They've just provided a really important service to the information technology industry.
ZDI opened itself to criticism when it floated the idea of adding a $10,000 bounty to the MacBook takeover challenge. Sure, it was a marketing gambit, but can any vendor -- or research firm -- say with a straight face that PR/marketing doesn't drive a lot of its actions? Not a chance.
All this just strengthens the argument that software vendors should be the ones paying for vulnerability research. The only way to remove these perceived risks is to bypass the middle man, sweeten the pot for hackers and purchase control of the way flaw information is released to the public.
Microsoft did it beautifully for Windows Vista under the guise of a massive pen-testing initiative. Apple, Cisco, Oracle and others should now perfect it by implementing their own well-managed flaw bounty programs. That's the only way to stop this stupid clock from ticking.