Re: Paper announcement: Is finding security holes a good idea?
> Bugtraq readers might be interested in this paper:
>
> Is finding security holes a good idea?
>
> Eric Rescorla
> RTFM, Inc. <http://www.rtfm.com/>
>
> The paper can be downloaded from:
> http://www.rtfm.com/bugrate.pdf
> http://www.rtfm.com/bugrate.ps
This is a very interesting read. However there is one main problem:
It doesn't matter if finding security holes or not is a "good idea" or cost
effective since there are a number of groups for which finding bugs is a
vested interest:
1) "Blackhats" and their sponsors - you want to break into a system, you
need to either find a system with known issues that are unaddressed or find
new issues to exploit. Seeing as how Blackhats are now sometimes in the
employ of spammers and other groups for which the discovery and exploitation
of security flaws directly allows them to make money we have a powerful
group with money and a vested interest in finding flaws and exploiting them.
2) "Penetration testers" and their sponsors - you want to break into a
system, you need to either find a system with known issues that are
unaddressed or find new issues to exploit. Seeing as how Penetration testers
are often hired by companies in order to run assessments for which the
discovery and exploitation of security flaws directly allows them to make
money we have a powerful group with money and a vested interest in finding
flaws and exploiting them.
3) "Security vendors" and their sponsors - you want to sell a third party
product that prevents exploitation of buffer overflows for example there
needs to be a serious and identifiable problem with buffer overflows being
exploited in products and systems people want to secure. Same goes for
firewalls, viruses, etc. Imagine if people stopped writing viruses and
stopped spreading them. Significant amounts of money would be saved in
corporate IT budgets (typically anywhere from $10 to $100 per user for the
software alone).
So with these three large groups (and numerous other classes of people and
organizations with a vested interest in finding flaws) it doesn't matter or
not whether it's a good idea. The simple fact of the matter is that it will
continue.
Kurt Seifried, kurt@xxxxxxxxxxxx
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/