
He’s Baaaaaaack……. May 31, 2007

Posted by Andrew Berkuta in Security Screams.

With a bit of a vacation and some surgery, I am back in the “blogging” saddle again!

A few weeks back I was in Baltimore, Maryland, and was given the opportunity to be an MC, panel host, and speaker at the World Summit for Intrusion Prevention (WSIP) conference (http://unatekconference.com/boardIntrusion2007.php). Interestingly enough, this conference is a diamond in the rough: the coordinators were still learning the ropes, but the speakers throughout the conference were pretty interesting.

I noticed an interesting sidebar discussion between a few speakers on the topic of “Bounty programs: Paying for vulnerability discoveries”.

My take is a practical approach.

1) Bounty programs are inherently a poor tack to take. They reward, mask, or even legitimize the “grey” to “black” hatters.

2) If you find a vulnerability, work with the manufacturer to disclose it. YES, it takes more time. YES, sometimes it is more aggravating. BUT… it does help shield this found nugget from the masses, and dare I say, the forces of evil.

3) We know you're smart for finding them, but come on, posting a “bug a day for a month” or other such stuff is detrimental to helping the masses (if you truly care) and is nothing more than grandstanding. Get a real job. (You know, be one of the good guys for once.) These folks would rather brag about an exploit than fix a vulnerability. Think about that and let it sink in a bit… I’ll wait. Welcome back. It is a matter of intent and ethics. Nuff said.

So what is the solution? Nobody seems to come up with one, just criticism… so here is a possible solution. Manufacturers should create some sort of “safe harbour”, or submittal area, where people who find bugs can demonstrate the vulnerability. If the finder demonstrates that the vulnerability is exploitable, the manufacturer would put it at the top of the list for fixes. Let's face it, nothing is perfect, and code has a jumble of bugs we have not found yet.

In short, this was, is, and in my humble opinion will be a point of contention for years to come. Manufacturers should fast-track their processes to incorporate these vulnerability finds and acknowledge the legitimate finders. These finds should be treated as real and exploitable, and should be remedied in an expeditious fashion.

Yup… He’s back!

“You can make things idiot-proof….but… May 1, 2007

Posted by Andrew Berkuta in Security Screams.

…you make a smarter idiot. ”

I don’t mean any disrespect, but we all fall into this, even I do! Case in point: we rely more and more on “wizards” to configure things, but what DO they do exactly? :-)

How about the common sense approach? An SC Magazine mailer ran an interesting article about a retailer that provided encryption for its laptops and desktop computers, yet a compromise of sensitive information was still discovered. Why? Because the employee did not bother to USE the encryption technology and TURN IT ON!

So, we can make things idiot-proof by providing all this fun technology, but we can also create smarter idiots, in this case by not training them properly and not explaining the policies and processes that are necessary. Enforcement is the next thing that needs to get better… but that is another windmill to tilt at.

I said it before, and will repeat it until everyone gets it: “It is a balance between People, Process, and Technology. If we compromise the balance, we will suffer failure and exposure from that area.”

Now where did I put my armor and lance? ;-)