Do 'irresponsible' security researchers help or hinder?
Published: 26 Jan 2005 16:20 GMT
"The general consensus in the developer community is that one would rather help the open source projects than torpedo them," said Laura Koetzle, vice president and research director of Forrester Research and the author of the report. "Whereas the temptation with a large faceless company is to disclose early and hurt them."
The dispute over disclosure goes to the heart of an old question: Is it responsible to give details of a threat, if the warning puts even more people in danger?
Those concerns drove a discussion on the Linux kernel mailing list last week. A suggestion that a contact point be created to focus on security issues in the kernel, the core of the open source operating system, immediately blossomed into a debate about whether that list should be private or public.
In addition, the debate centred on the question of whether the vendor-centric security list, Vendor-Sec, takes too much time to fix important flaws.
"It should be very clear that no entity... can require silence or ask anything more than 'Let's find the right solution,'" Linus Torvalds, the original creator of Linux, said in the discussion. "Otherwise, it just becomes politics."
In general, though, the open source world, which has to deal with public development models, has largely learned to embrace security researchers.
"If we get a report from the outside, it is up to the one who finds the vulnerability to decide what happens to it," said Roman Drahtmueller, head of security for SuSE Linux, Novell's version of the operating system.
Microsoft, however, would rather work in secrecy with flaw finders to help prepare a fix. With the public spotlight on its security glitches and with hundreds of millions of users relying on its products, the software giant is very systematic in its approach to patching.
"It is best for customers, because we have a chance to provide updates before a large segment of the black hat community gets to make use of the vulnerability," said Microsoft's Kean.
Flaw finders who do not play by the rules don't get credit in Microsoft's security bulletins and are rebuked in press releases, among other sanctions.
"Microsoft is concerned that this new vulnerability in [product name] was not disclosed responsibly to Microsoft, potentially putting computer users at risk," the software maker has typically written in emailed statements about vulnerability disclosures.
Despite the efforts of Microsoft and others, many researchers still don't feel that the companies take their findings seriously. While some security software vendors have lauded Apple for its response to vulnerability reports, an independent researcher gave the company a thumbs down.
"It's really been like pulling teeth dealing with them over the years," said the researcher, who asked not to be identified. "I know a lot of folks that have found vulnerabilities in their stuff that pretty much refuse to deal with them."
Even if security researchers play ball with software makers and hold off on making vulnerabilities public, that might only engender a false sense of security, said flaw finder Aitel. He said that a small, but significant, number of malicious programmers could discover such security holes independently and abuse them.
"We don't feel that we are finding things that are unknown to everyone else," he said. "I am not special because I can run a debugger. Others can find -- and use -- these flaws."