
Defense in Depth

Read all 'Ari Takanen' posts in Defense in Depth
July 17, 2008 2:14 PM PDT

Despite patch, today's systems still vulnerable to 2002 flaw

by Robert Vamosi

For the last week, I've written that Dan Kaminsky undertook unprecedented action in coordinating a variety of vendors in secret over the last six months. Ari Takanen, co-founder and chief technology officer of Codenomicon, wrote to challenge that notion.

In an e-mail on Thursday, Takanen cited his work on a Simple Network Management Protocol version 1 (SNMPv1) flaw back in 2002 as an example. Like the Domain Name System (DNS), SNMP is a fundamental element of the Internet.

I wrote: "There have been other multiparty patch releases, but never has there been one on such a massive scale. It took someone with the gravitas and reputation of Kaminsky to pull together the affected parties."

Takanen writes: "Well, actually that is not true. Our SNMP case was secret for nine months after reporting it to relevant vendors, and as far as I know it involved more than 100 vendors and other organizations (1,000+ people). We saw all possible attempts to disclose it, but even public disclosure lists appreciated the stand that CERT-US chose to take."

CERT-US released its advisory on February 12, 2002, after word of the flaw leaked.

Takanen goes on to say that Codenomicon provides a commercial tool to detect the SNMPv1 flaw as part of its quality assessment process.

The funny thing is that, six years later, the tool still finds active systems vulnerable.

Takanen, who advocates nonpublic disclosure of security flaws, said, "This just proves that reporting individual bugs for fame and fortune does not motivate the vendors to improve their quality assurance processes."

June 3, 2008 12:55 PM PDT

Codenomicon CTO discusses tackling vulnerabilities

by Robert Vamosi

This week, I had a chance to talk by phone with Ari Takanen, co-founder and CTO of Codenomicon. Takanen's company doesn't engage in vulnerability research but instead creates the tools by which enterprises can check their own software for vulnerabilities.

Which raises a question. On previous shows I've interviewed independent researchers who, outside of any given company, have identified and made public serious vulnerabilities. One would think an independent voice might be better than one located inside a company.

Below is a transcript of part of my interview. The entire podcast can be heard here.

Q: What do you think of the independent security researchers--I know you designed systems for enterprises to look at their own software--but what about the independents who are out there? What do you think of the disclosure process as it stands--the 90-day window that they often give or sometimes don't give?

Ari Takanen: I think the worst thing in this market is that many of the enterprises, many of the manufacturers actually, don't yet understand the value of security problems. So, for example, we've been looking at this topic for ages, ever since we started in 1996. Back then, vulnerability disclosure was one of our favorite topics. I've been writing academic articles on the topic ever since. So, one of the problems is that if people don't understand the value of a security issue, they don't really want to fix it either. If someone, even one of their customers, finds a security problem and they try to report it to the developers, those developers are so consumed by hundreds and hundreds of other issues that they need to fix. If they don't know how to prioritize those security problems, it's just mission impossible for anyone to actually get anything fixed.

So, what happened as a result of that was this public disclosure movement which I'm not a big fan of. It meant that because no one was motivated in doing anything unless there was public pressure, people just publicly reported the problems, and created the pressure for them to actually create a fix. What is happening, at least the way I see it, is that many people already understand what is a security issue. So if you report an issue, they will fix it. Whether it needs to be public is something that people are really arguing about.

It is good for independent researchers, because the only thing they get from it is publicity. So, why not give them publicity? On the other hand, when people start to understand the value of problems as well, you get these bug hunters. It's a completely new trade, basically, where people find problems and they get paid for their service per discovery, and those problems are fixed and not necessarily ever disclosed to the public again. So, it's kind of like a new area of security resource: when you get paid by the findings that you make instead of paid by the time you used for security analysis. I'm not sure whether the actual public disclosure is such a good idea, because I don't see any benefit from that anymore. Unless you don't get someone to fix a product.


About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
