Mac hack challenge sparks (another tired) debate

Summary: Like an old grandfather clock, the controversy surrounding last month's CanSecWest MacBook hijack contest just keeps on ticking, loud enough to stick in your ear but so monotonous and tiring that it's near impossible to perk up and listen.

TOPICS: Security, Apple, Hardware

Just as Apple was releasing a patch for the QuickTime flaw, Gartner researchers Rich Mogull and Greg Young set off the new brouhaha with a note highlighting the "danger of vulnerability research conducted in public."

Public vulnerability research and "hacking contests" are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements. Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers.

The Gartner duo called on vendors and security services firms to "consider ending public vulnerability marketing events" because of the risk of "unanticipated consequences that endanger IT users."

The ink had not yet dried on Gartner's news analysis when McAfee's Rahul Kashyap turned up the heat on TippingPoint's Zero Day Initiative (the company that bought the QuickTime flaw details), railing against an "ethical disconnect" in using the flaw details to protect paying customers ahead of a patch for everyone.

On McAfee's official blog, Kashyap writes:

As security vendors, our mission is to protect our customers and the internet community at large, not to create hype and FUD by giving the world a chance to exploit unpatched flaws!! Failing to disclose to anyone leaves the good guys in the dark - but supporting irresponsible disclosure gives the bad guys night vision…

It's amusing to listen to an anti-virus vendor decry "hype and FUD" when that entire industry is built on overblowing computer security threats to sell more subscriptions.  It's even more comical when you consider that McAfee is part of a secretive industry that jealously guards information on new virus samples -- just so they can race each other to say (via press release) who had a signature out first.  If you don't believe me, ask Val Smith why he created Offensive Computing.

Matasano Security's Thomas Ptacek would soon join the fray, tossing out a challenge for Kashyap to post McAfee's vulnerability disclosure code-of-conduct.

If McAfee wouldn’t touch a contest like CanSec’s PWN-TO-OWN, what would they do? If McAfee pledges to protect the Internet at large, and pledges not to prioritize their own customers, they should say that.

ZDI has defended itself against all the criticism, insisting that all the accepted norms of "responsible disclosure" were followed and echoing the argument that hackers should be paid for finding holes in software products.

Security and Vulnerability Research is valuable. It leads to more secure products, and more secure customers. Without supported research many vulnerabilities would continue to remain behind closed doors, and used for nefarious purposes. A researcher's time is valuable. They've just provided a really important service to the information technology industry.

ZDI opened itself to criticism when it floated the idea of adding a $10,000 bounty to the MacBook takeover challenge. Sure, it was a marketing gambit, but can any vendor -- or research firm -- say with a straight face that PR/marketing doesn't drive a lot of its actions? Not a chance.

All this just strengthens the argument that software vendors should be the ones paying for vulnerability research. The only way to remove these perceived risks is to bypass the middle man, sweeten the pot for hackers and purchase control of the way flaw information is released to the public.

Microsoft did it beautifully for Windows Vista under the guise of a massive pen-testing initiative. Apple, Cisco, Oracle and others should now perfect it by implementing their own well-managed flaw bounty programs. That's the only way to stop this stupid clock from ticking.

  • "sweeten the pot for hackers"

    Cut with the euphemism and just say it right out.

    Vendors should pay protection money.
    • lol

      "Awful nice OS youse got dere. Downright shame, if sumtin' bad happened to it. Sumtin' real real bad."
  • Huh

    "Microsoft did it beautifully..."

    There's four words I never thought I'd see strung together ever again. Even when MS does something right it's supposed to be criticized. Did you miss the meeting? :)

    Carl Rapson
    • Basher Bashing

      Whether it's bashing Mac bashers or bashing Microsoft bashers. it's wearisome.
    • Meaning That ...

      Neither bashing nor basher bashing contributes to any meaningful discussion.
  • Older Macs hacked

    My G3 Blue & White got hacked from a virus on our home network.
    It is a worm virus with the files Ms-Dos & MacOs. Attached itself to Norton Security. Also saw this virus on a Mac Mini.
    Nothing is secure forever. Chip
    • Stop opening up porn emails or whatever.

      I'm not having any problems with my G-3 B&W. You probably downloaded some illegal software off a P2P and got hit.
    • Oh yeah?

      Which version of Mac OS are you running? And what was the Virus?
      • probably

        a Word virus. There STILL aren't any Mac viruses.
    • ??????

      Well, I've heard there are Trojans being distributed on peer to peer networks, but
      Trojans aren't viruses.

      For a moment I wondered if your B&W is running OS 9. There were viruses for the
      old platform but they couldn't affect a Mac Mini.

      BTW, don't use NU. It actually damaged file threads when I used it years ago and
      when my backup drive (Castlewood ORB) failed I lost those files completely.