Dailydave mailing list archives
Re: Re: What is the state of vulnerability research?
From: MindsX <mindsx () gmail com>
Date: Sat, 18 Feb 2006 13:23:34 +0000
Guys, again, I mis-communicated my point.... so I shall expand, and hope I stimulate another fantastic rebuttal, maybe from jericho again? This is more a matter of principle: Mitre's customers are large defence organisations. Mitre wishes to be at the forefront of the IT security scene, in the amount of information they hold at least.... Yet... with a set of well-formed questions... they ask:
1) What is the state of vulnerability research?
A Normal Question... Which will have a standard answer... 'crap'
2) What have researchers accomplished so far?
Normal Question.. again... 'tip of the iceberg'
3) What are the greatest challenges that researchers face?
Normal Question... disclosing without facing prosecution etc etc etc
4) What, if anything, could researchers accomplish collectively that they have not been able to accomplish as individuals?
Normal Question.. see above
5) Should the ultimate goal of research be to improve computer security overall?
Excuse me? How much does this _potentially_ tell about the answering researchers' ethics? Otherwise this should always be a 'YES' answer - no?
6) What is an "elite" researcher? Who are the elite researchers?
Normal Question followed by a direct information gathering question that should be answerable only by those who follow / lead...
7) Who are the researchers who do not get as much recognition as they deserve?
AGAIN.... why are they asking questions like these.... Yes - I'm a cynic.... however, what purpose do the answers to these questions serve, except to answer the underlying question: 'Who should we look at more closely in the future?' I think there is something very sweet in the naivety floating around the IT security arena, where everyone is willing to divulge all the information they know to anyone who happens to ask the right question(s) in a 'trusted' 'open' forum / conf. However, in a good old-fashioned paranoid mindset, I believe that answering questions such as these can potentially deal a great deal more harm. As in this new world order that has come from certain governments' abilities to do almost anything they want under the beautifully bold 'terrorism' golf umbrella, the individuals that hold the information of value have no ability to know how it is to be used when disclosed. Sure, it's absolutely fine to disclose a 0-day for any random piece of software... but do it for Oracle / Wind0ze.... look what kind of backlash researchers receive. It really does appear that the ability to be neutral has disappeared and everyone is taking sides.... the choice is not necessarily the issue, but the question that rarely seems to be raised before choosing is "to what degree do we hold 'perfect information' regarding the use of the information?" <and yes at this bit - I go off topic> Unfortunately, in the case highlighted by this thread... what we get instead:
> The questions are part of a hidden motive of mine: to serve the public interest (one of MITRE's Corporate Values, by the way [1]). Asking might, in some small way, help part of the research community to do more than slouch towards legitimacy, which IMHO is needed for more effective security overall.
Exactly whose definition of 'public interest' do you mean to serve? 'Slouch towards legitimacy'? Excuse the security scene for being the bastard son of Bill Gates et al. As soon as [insert large closed-source software company names here] realise that if something is done once and done properly, no-one should ever have to repeat that work again, except to learn... If they are so scared to show the world how they did it, they appear, in retrospect at least, to have not even managed to do it properly themselves, and to have charged for it to boot!

MindsX

BTW - Mitre's Code of Ethics doesn't appear to be freely available on the website...