Dailydave mailing list archives

Re: Re: What is the state of vulnerability research?


From: MindsX <mindsx () gmail com>
Date: Sat, 18 Feb 2006 13:23:34 +0000

Guys,

Again, I mis-communicated my point.... so I shall expand, and hope I
stimulate another fantastic rebuttal, maybe from jericho again?

This is more a matter of principle:
Mitre's customers are large defence organisations
Mitre wish to be at the forefront of the IT security scene, in the amount of
information they hold at least....

Yet... with a set of well formed questions... they ask:

1) What is the state of vulnerability research?
A Normal Question... Which will have a standard answer... 'crap'
2) What have researchers accomplished so far?
Normal Question.. again... 'tip of the iceberg'
3) What are the greatest challenges that researchers face?
Normal Question... disclosing without facing prosecution etc etc etc
4) What, if anything, could researchers accomplish collectively that
  they have not been able to accomplish as individuals?
Normal Question.. see above
5) Should the ultimate goal of research be to improve computer
  security overall?
Excuse me? How much does this _potentially_ tell about the answering
researchers' ethics? Otherwise this should always be a 'YES' answer - no?
6) What is an "elite" researcher?  Who are the elite researchers?
Normal Question followed by a direct information gathering question that
should be answerable only by those who follow / lead...
7) Who are the researchers who do not get as much recognition as they
deserve?

AGAIN.... why are they asking questions like these....

Yes - I'm a cynic.... however, what purpose do the answers of the questions
answer, except to answer the underlying question:
 'Who should we look at more closely in the future?'

I think there is something very sweet in the naivety floating around the IT
security arena, where everyone is willing to divulge all the information
they know to anyone who happens to ask the right question(s) in a 'trusted'
'open' forum / conf.
However, in a good old-fashioned paranoid mindset, I believe that answering
questions such as these can potentially deal a great deal more harm. As in this
new world order that has come from certain governments' abilities to do
almost anything they want under the beautifully bold 'terrorism' golf
umbrella, the individuals that hold the information of value have no ability
to know how it is to be used when disclosed.

Sure, it's absolutely fine to disclose a 0-day for any random piece of
software... but do it for Oracle / Wind0ze.... look what kind of backlash
researchers receive. It really does appear that the ability to be neutral has
disappeared and everyone is taking sides.... the choice is not necessarily
the issue, but the question that rarely seems to be raised before choosing
is "to what degree do we hold 'perfect information' regarding the use of
the information"?

<and yes at this bit - I go off topic>
Unfortunately, in the case highlighted by this thread... what we get
instead:

The questions are part of a hidden motive of mine: to serve the public
interest (one of MITRE's Corporate Values, by the way [1]).  Asking
might, in some small way, help part of the research community to do
more than slouch towards legitimacy, which IMHO is needed for more
effective security overall.
Exactly whose definition of 'public interest' do you mean to serve?
'slouch towards legitimacy'? Excuse the security scene for being the
bastard son of Bill Gates et al.
As soon as [insert large closed-source software company names here] realise
that if something is done once and done properly, no-one should ever have
to repeat that work again, except to learn...
If they are so scared to show the world how they did it, they appear, in
retrospect at least, to have not even managed to do it properly themselves,
and to have charged for it to boot!

MindsX

BTW - Mitre's Code of Ethics doesn't appear to be freely available on the
website...
