Monday, May 8, 2006

Vulnerability Disclosure - Moving Toward the Event Horizon

If you have been reading this blog or other security news sites, you might have picked up on a growing and disturbing trend: vulnerabilities are moving back underground, redshifting toward the information event horizon.

Why is this happening? Let's look at several points that help paint the scene:

1) More and more independent security researchers are getting into legal trouble

I won't sit here and defend people who break the law to show that a piece of software is vulnerable, but where is the line? What is breaking the law and what is not? Security researchers are normal people, and like normal people, some are seen socially as good (whitehats) and some are seen socially as bad (blackhats).

Abraham Lincoln once said,

"Discourage litigation. Persuade your neighbors to compromise whenever you can. As a peacemaker the lawyer has superior opportunity of being a good man. There will still be business enough."

2) It is easier to catch the bass than the shark - The really evil people in the world are very hard to catch. They are smart, silent and very well organized.

Example 1 -
  • Caught - Eric McCarty was arrested after indirectly reporting a vulnerability in a USC student database. He conducted the "attack" from his house and made minimal effort to "cloak" himself. He didn't sell the information to Russians or to a carding crew.
  • Not Caught - For two weeks, some people "in Asia" have been illegally accessing information on 200,000 people at the University of Texas. What are they doing with it? Who knows? Will they be caught? Very unlikely.

Example 2 -

  • Caught - William Genovese, A.K.A. illwill, turned himself in for selling Windows source code for $40. Let's remember that the source code was already on P2P and anyone could download it at that point. He did break the law by selling it, no contest there...but he didn't steal it. It is clear that his punishment was based on past events.
  • Not Caught - The person who really stole the code. I guess Microsoft wasn't on the FD security list in 2004. Where are these guys? Isn't Microsoft after the real culprits? It is funny how they fail to note that illwill didn't steal the code when they talk about the arrest in the press. SecurityFocus ran one of the few articles that showed the other side.

3) Money moves the world - Even if independent researchers do find problems in Microsoft products, what do they get? They could just pass the vulnerability information on to a third party and perhaps get a little money out of the deal. What is wrong with that? At least Mozilla gives something back to researchers who report security problems.

4) Big vendors are hiding vulnerability information - Apple and Microsoft fix more vulnerabilities than are commonly known. They silently fix security problems in patches and never tell you. But once the patches are released, the bad guys can diff the old and new binaries and learn about these unreported security issues. IDS signatures are slow to arrive for such issues because of the reverse-engineering time needed to provide protection.
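To make the point concrete, here is an added example of the kind of patch-diff triage that attackers run against a silently fixed binary. It is not code from the original post, and the two "builds" below are constructed sample data: tiny hand-written instruction listings standing in for the disassembly of a pre-patch and post-patch binary. The script fingerprints each function, reports which functions changed or appeared, and flags newly inserted compare-and-branch instructions, which is the usual signature of a bounds check that was added without an advisory.

```python
import difflib
import hashlib

# Constructed sample data (not real disassembly): function name -> instruction list.
# OLD_BUILD is the "pre-patch" binary, NEW_BUILD the "post-patch" one.
OLD_BUILD = {
    "parse_header": [
        "push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "mov ecx, [eax+4]",
        "rep movsb", "pop ebp", "ret",
    ],
    "checksum": ["xor eax, eax", "add eax, [ecx]", "add ecx, 4", "loop .top", "ret"],
    "log_msg": ["push ebp", "call printf", "pop ebp", "ret"],
}
NEW_BUILD = {
    "parse_header": [
        "push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "mov ecx, [eax+4]",
        "cmp ecx, 0x100", "ja .fail",          # the silently added length check
        "rep movsb", "pop ebp", "ret",
    ],
    "checksum": ["xor eax, eax", "add eax, [ecx]", "add ecx, 4", "loop .top", "ret"],
    "log_msg": ["push ebp", "call printf", "pop ebp", "ret"],
    "fail_handler": ["mov eax, -1", "ret"],    # new helper introduced by the fix
}

# Mnemonics that typically make up an inserted sanity/bounds check.
CHECK_MNEMONICS = {"cmp", "test", "ja", "jae", "jb", "jbe", "jg", "jge", "jl", "jle", "jz", "jnz"}


def fingerprint(insns):
    """Hash a function's instruction listing so unchanged code can be skipped quickly."""
    return hashlib.sha256("\n".join(insns).encode()).hexdigest()


def diff_builds(old, new):
    """Return (changed, added, removed) function names between two builds."""
    common = old.keys() & new.keys()
    changed = sorted(f for f in common if fingerprint(old[f]) != fingerprint(new[f]))
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    return changed, added, removed


def added_instructions(old_insns, new_insns):
    """Instructions present in the new listing but not the old one, in order."""
    return [line[2:] for line in difflib.ndiff(old_insns, new_insns) if line.startswith("+ ")]


def suspicious_new_checks(old_insns, new_insns):
    """Newly inserted compares/conditional branches: the footprint of a bounds-check fix."""
    return [i for i in added_instructions(old_insns, new_insns) if i.split()[0] in CHECK_MNEMONICS]


def triage(old, new):
    """Map each changed function to the new checks it gained, so analysts know where to look."""
    changed, _, _ = diff_builds(old, new)
    return {f: suspicious_new_checks(old[f], new[f]) for f in changed}


if __name__ == "__main__":
    changed, added, removed = diff_builds(OLD_BUILD, NEW_BUILD)
    print("changed:", changed, "added:", added, "removed:", removed)
    for func, checks in triage(OLD_BUILD, NEW_BUILD).items():
        print(f"{func}: new checks {checks}")
        print("\n".join(difflib.unified_diff(OLD_BUILD[func], NEW_BUILD[func], "old", "new", lineterm="", n=1)))
```

Running this points straight at parse_header as the function that gained a length comparison before a copy loop. Real-world tooling works on actual disassembly rather than hand-written listings, but the workflow is the same, and it is why a "silent" fix is not silent for long: whoever diffs the patch first learns the bug, and anyone relying on IDS coverage waits until a signature is written for it.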

In the end, this all adds up to the public being exposed to less and less vulnerability information.

1 comment:

  1. Damn great article mate, it's getting scary out there now.