Dear Bruce – On Zero Days

I don't mean to write a pretentious open letter; think of this as more of a writing style than an actual letter.
Hey Bruce,
I was trying to understand your comments from the opening greetz at shmoocon this year.
As I understand it, you're saying that we need more public zero days to secure people. That caused me some cognitive dissonance, so I spent some time thinking it through so I could understand your point better. Let me know if I'm misrepresenting you.
I found your defcon 15 slides where you seem to talk about this a bit. (My paraphrase:)
'Full disclosure is dead.' Whether you believe in "responsible" disclosure or not, the people in the bug bounty programs believe in it, so the choice is really get paid or not. As a side effect, people aren't dropping 0-days all over conferences, which sucks if you're a conference organizer.
In your slides, you said “[the people selling bugs] are profiting at the expense of the end user.”   How is that?
I'm guessing it is because many software companies patch very, very slowly except when there is media pressure due to public exploitation. That leaves a window in which private exploitation can take place if the bad guys have also found the vulnerability.
Let's not forget that dropping a zero day starts the clock early. The bad guys are exploiting while the good guys at best have a workaround. I have a hard time seeing that as a good thing. I'm guessing your answer would be that at least then you know about the vulnerability.
As the guy running the vulnerability management program at my company, I like the predictability of Patch Tuesday. I've got plenty of other things to deploy. Those unexpected patches really foul things up.
Full vs. responsible disclosure approaches a religious debate with some people. I don't mean to do that.

2 Comments

  1. Heh. Glad that got someone thinking. I've been mumbling about this for a while but no one ever seems to get offended. It may have just gotten lost in the ranty-ness of it all 😉

    So, I throw the idea of “drop more 0-day” out as a means to get people thinking. For different environments, the meaning of that statement varies wildly. For IT operations, dropping more 0-day means exactly what you point out; it would cause more out of band patching and disrupt the normal ebb and flow of your security and systems ops staff. For vuln researchers, it means not getting paid because they could have sold the 0-day on the open market and made some $ out of it. For product vendors, it means a hurried patch and PR process b/c the researcher didn’t follow “responsible” disclosure. And for the security vendors it’s a lost opportunity to have bought vuln information from the researcher and used that knowledge to differentiate their product from the other products on the market (why do you think they buy vuln info?).

    Basically, it disrupts everyone. Which is the point I’m trying to make. The battle we fight in data centers every day isn’t a polite one where product companies get to shame attackers by not telling them about their weaknesses. It’s not one where IT operators get advanced knowledge of the attack. It’s not one where some other researcher can suddenly get paid b/c they were doing research on the same attack method but didn’t sell it prior to the attack happening. It’s chaotic and aggressive and interrupts everything.

    It’s also a fact of life.

    So dropping 0day puts everyone in an uncomfortable situation… which in turn changes policies, procedures, and technology so that the next 0day that's dropped doesn't hurt as bad. I'm not saying all vuln information should be dropped out of the sky onto a mailing list/conference. However, I do think that if there was as much 0day droppage as we saw 10-15 years ago, we may be a better industry overall than we are now.

    I’d like to see researchers still have some system where they can be monetarily rewarded for public disclosure, even if they didn’t sell it to the vendor or a security company. I’d like to see security companies not rely on “who knows more secrit vuln info” to differentiate themselves in the market. I’d like to see enterprises be able to deal with in-the-wild-yet-unpatched vulnerabilities better (which is ultimately a need that the product vendors would fulfill). All these are, IMO, nice characteristics to have in our community. Dropping 0day is one way in which that can be accomplished. There are others as well. But I use the 0day example as a pointy-stick with which to jab people to get them thinking 😉

    Also, to your point about not dropping 0day "sucks for the conference organizer"… that's never really crossed my mind. We really don't run our con for fame or profit or whatever. We run it b/c it's the right thing to do for the community. I wish that one day there's not enough demand in the security space to support all the cons we have now… it would mean we've been successful in our attempts to make more secure systems.

    • Thanks for the thoughtful comment gdead. I hope you saw the "sucks for the conference organizer" as a playful jab, 'cause I thought I was being pretty funny.

      Thinking about it, you're right. The worms of the early 2000s are what caused people to HAVE patching programs. Disruption wins again.
      Even "APT" isn't being the disruptor for us, because it's something that happens to other companies, with military connections.
