Thinking about it, you’re right. The worms of the early 2000s are what caused people to HAVE patching programs. Disruption wins again.
Even “APT” isn’t being the disruptor for us because its something that happens to other companies, with military connections.

So, I throw the idea of “drop more 0-day” out as a means to get people thinking. For different environments, the meaning of that statement varies wildly. For IT operations, dropping more 0-day means exactly what you point out; it would cause more out of band patching and disrupt the normal ebb and flow of your security and systems ops staff. For vuln researchers, it means not getting paid because they could have sold the 0-day on the open market and made some $ out of it. For product vendors, it means a hurried patch and PR process b/c the researcher didn’t follow “responsible” disclosure. And for the security vendors it’s a lost opportunity to have bought vuln information from the researcher and used that knowledge to differentiate their product from the other products on the market (why do you think they buy vuln info?).

Basically, it disrupts everyone. Which is the point I’m trying to make. The battle we fight in data centers every day isn’t a polite one where product companies get to shame attackers by not telling them about their weaknesses. It’s not one where IT operators get advanced knowledge of the attack. It’s not one where some other researcher can suddenly get paid b/c they were doing research on the same attack method but didn’t sell it prior to the attack happening. It’s chaotic and aggressive and interrupts everything.

It’s also a fact of life.

So dropping 0day puts everyone in an uncomfortable situation… which in turns changes policies, procedures, and technology so that the next 0day that’s dropped doesn’t hurt as bad. I’m not saying all vuln information should be dropped out of the sky onto a mailing list/conference. However I do think that if there was as much 0day droppage as we saw 10-15 years ago, we may be a better industry overall than we are now.

I’d like to see researchers still have some system where they can be monetarily rewarded for public disclosure, even if they didn’t sell it to the vendor or a security company. I’d like to see security companies not rely on “who knows more secrit vuln info” to differentiate themselves in the market. I’d like to see enterprises be able to deal with in-the-wild-yet-unpatched vulnerabilities better (which is ultimately a need that the product vendors would fulfill). All these are, IMO, nice characteristics to have in our community. Dropping 0day is one way in which that can be accomplished. There are others as well. But I use the 0day example as a pointy-stick with which to jab people to get them thinking

Also, to your point about not dropping 0day “sucks for the conference organizer”… that’s never really crossed my mind. We really don’t run our con for fame or profit or whatever. We run it b/c it’s the right thing to do for the community. I wish one day there’s not enough demand in the security space to support all the cons we have now… it would mean we’ve been successful in our attempts to make more secure systems.

We’re currently battling out Microsoft Lync versus Cisco for enterprise IM so I was happy to see Cisco listed. I do have some questions, I’ll follow up with my Actiance sales guy.

http://www.actiance.com