Tuesday, 09 August 2005

Ptacek v. Lindstrom

There's a major battle over vulnerability and exploit disclosure occurring between Thomas Ptacek and Pete Lindstrom. I've linked the first post in each side of the debate. I don't know which one should be Godzilla or Mechagodzilla, but I liked the photo at left.

I think each side makes some valid points. I agree with Tom that vulnerability disclosure has resulted in elimination of many security problems. I agree with Pete that, in some sense, nothing has really improved, as victims are still being compromised. In the end I would lean more towards Tom; clueful people have a better chance of defending their networks, and at least knowing what is happening if their preventative measures fail. Remember that ten years ago there was no Snort, no Ethereal, no Nessus. Fifteen years ago there was no Argus, and no FreeBSD! Would you believe that Tcpdump is over eighteen years old though?

Tom does make an excellent point regarding cryptanalysis: why is it ok to analyze and break crypto algorithms, but supposedly not security software? Could it be that the people who really need strong crypto, like .gov and .mil types, know that bad guys are always trying to break the good guys' crypto?

If we are to believe Pete, we would not recognize this fact. Because Pete doesn't have first-hand knowledge of the sorts of research that occur "in the shadows," he is quick to poke fun at people like Adam Shostack who say "We've always known that there's lots of exploit code for unannounced vulnerabilities out there." Pete and friends, there are people who have developed techniques months, and in some cases, years, before they appear in mailing lists or Black Hat talks.

With regard to discussions on specific new vulnerabilities and exploits, all I can tell you is "those who say don't know, and those who know can't say."
