Computer Security Community Rant
Posted: August 8th, 2006
There are two things I’ve long decided not to blog about (to quote South Park, “I’m not touching that one with a 60 foot pole”):
1) The Arab-Israeli conflict
2) Mac OS
So you’ll forgive me (or not) if I totally sidestep the issue – the one Thomas Ptacek, Rui Carmo and others have been going on about – and quote Rui Carmo, totally out of context, to rant about something I’ve been meaning to rant for a while:
“bragging about what they can do before publishing their methods and results”
Unfortunately many security “experts” and “researchers” these days are big fat press whores. They spread FUD for weeks, even months, giving numerous interviews greatly exaggerating the risks exposed by their yet-to-be-published “research”. Or slightly better, their published research no one in the security community really gave a damn about. Or considerably worse, their never-to-be-openly-published “research”.
1) Unpublished research has no credibility. It is usually referred to as “claims” as in “I claim I’ve mastered cold fusion”. The person who made those claims might have credibility. Something they are likely about to lose, at least partially.
2) Greatly exaggerating the results (risks/benefits/whatever) of your research to the public not only harms your own credibility, it also harms the credibility of your peers. And FYI, withholding information on purpose to mislead others is just as bad as lying.
3) Not openly publishing your research and only sharing it with certain individuals in closed rooms (at a price) is shameful, unethical, should be criminal and might very well come back and bite you in the ass.
Not too long ago, real security experts would be ignored when presenting real problems to developers and to the general public. Today “security experts” are enjoying quite a lot of (often undeserved) attention. Instead of using it responsibly, they will say almost anything to get their 15 minutes of fame. The problem? The public is getting increasingly skeptical and tired of hearing “wolf” when there are none. The security community risks alienating the public.
Individual “experts” aren’t the only ones to blame here, and the trend to exaggerate risks didn’t appear in the last couple of years. Download a trial of any of the famous antivirus or personal IDS products and see how they respond to something like finding the source code for the ADMw0rm on your Windows XP box. Or how they respond to an nmap scan. Or take a look at third party advisories from a random “security services” company and look at how they label their advisories – you’ll probably see a lot of “Critical”/Red… you might even see something like “Extremely Critical” or, as I like to call it, “End of Days Stuff”, kind of analogous to some WWIII mentions in the media (gotta love the Colbert Report). Oh, and don’t blame the media for this. It’s a known fact that the current “news industry” is sensationalist and does not fact check or anything like it – it’s basically the “PR regurgitation industry”. They are just manipulated and they make money out of it so they don’t care.
I considered giving actual examples. Using names, quotes and links. That could (and probably would) be construed as personal attacks, which is not what I want. Anyway, chances are that if anyone in the computer security community reads this, they’ll know what I’m talking about.
Actually commenting on this case:
Is it good research? Probably (I haven’t looked at it, but Maynor and Ellch are serious security experts). Is the Washington Post’s article sensationalist? Yes. Is it big news that device drivers have security vulnerabilities? _NO_! (as a quick reference, read this 1yr old article at securityfocus). Whose fault is it – the OS developers’ or the driver developers’? Both – OpenBSD devs are laughing and probably said something like “ahahaha and they gave us funny looks when we told vendors to shove their proprietary drivers where the sun doesn’t shine”.
I’m not going to get in the middle of the debate, but one thing Rui is entirely right to question: “the way and sequence of events during which it was made public, before a comprehensive technical disclosure”. It was wrong – Maynor and Ellch failed to do this right.
[Updated From Comments]:
What I think they should’ve done is publish their work BEFORE going to the press about it. Or at least be clear about what products are (known to be) vulnerable and under what circumstances. Otherwise it spreads FUD – even if that’s not the intent (which I’m sure it isn’t).

This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution 3.0 Unported License.