David LeBlanc wrote:
> Academia (and I can speak from experience on this one, as my name can
> properly be followed by B.S.A.E, M.S.A.E, Ph.D) is easily one of the most
Allow me to finish this sentence to suit my own needs!

Academia is easily one of the most experienced in dealing with these sorts of
issues. We should borrow heavily from them if it helps.
Academia fairly well recognizes that people can and
do work on the same things in parallel. Thus the race to be first is a
little less childish, and it is accepted that two or more researchers might
publish on the same topics closely together. One facet commonly found in
actual scientific research, as opposed to the advisory nonsense, is that of
follow-up work. It is very rare to see an academic paper which doesn't
contain suggestions for future research.
[FWIW: A Budget of Trisections from the Springer-Verlag library makes a great
read on the subject of non-credentialed mathematical crack-pots. It may shed
some light on the noise we see in mailing lists.]
Got a pointer?
============= TANGENTIAL COMMENTARY BEGINS HERE ================
For those debating the relative merits of security advisories, I offer up the
following snippets from an article recently written by Al Berg and published
by ICSA in Information Security Magazine.
"When you buy a vulnerability scanner, you are buying expertise... Hence,
before choosing a vulnerability-scanning product, you should take a careful
look at the team supporting it... A good indicator of the technical savvy of
a vendor's team is the number and quality of papers, advisories and tools it
has authored."
One could challenge Mr. Berg's assertion by citing a chicken and egg paradox.
To wit, has Mr. Berg merely bought into the marketing hype of vendor
advisories hook, line and sinker? Or, are advisories, the quality of the
research team and the quality of the tools directly related? It's an
interesting question but it is totally missing the point.
He's bought in, hook, line and sinker. I can
tell you from experience that there is little intersection. The business
of writing security checks has little to nothing to do with writing
advisories. I've written a very large number of checks, and my checks
are typically robust. I've written very few advisories, as I feel like
my time was better spent doing something that provides value to customers - a
better product does this, advisories provide less value. Also, some of
the people who come up with the most advisories do not write particularly
robust code, nor do they often substantially contribute to others writing more
robust checks. In fact, if you look, you find that many advisories never get
turned into checks at all. I will grant you that some security expertise is
needed to write checks, but what is far more important are good programmers
who can take a methodical approach to writing robust code that avoids false
positives and negatives. In fact, the ability to write a solid check often
depends not on an understanding of the actual exploit, but on an ability to
test accurately for behavioral differences between patched and unpatched
versions of the software. The advisory or actual exploit is just the start - it
is quite common to have an exploit that can determine if a vulnerable system
is present, but also claims that several unrelated systems are vulnerable -
these false positives have to be dealt with. There may be some correlation, as
a company that is well-funded enough to support an advisory team is often well
funded enough to support professional programmers and testers, but it is
largely coincidental, not causal. There are also so many vulnerabilities
reported that a security auditing tool is doing well to keep up
with incoming issues, much less spend resources creating new ones.
Bottom line is that the typical hacker writes really low-quality code. High
quality code is what you want in a security tool.
Whether or not they have real technical merit, security advisories are an
established feature in the marketplace. To deny this is to ignore market
realities. Until that reality changes, they have value.
Yes, and associating drinking cheap American beer with getting hit on by
supermodels seems to sell more beer. It's about the same thing. Marketing is
about creating a fantasy.
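The thread's point about check-writing is that a solid check rests on an observable behavioral difference between patched and unpatched builds, and that it must not fire on unrelated systems that happen to answer the same probe. The following is an added illustration of that structure, not code from anyone in this thread or from any scanner product: the product name "ExampleHTTPd", the probe behaviour, the response markers and the sample host observations are all constructed placeholders. The check first establishes scope (is this even the product the check was written for?), then decides on behaviour rather than on the version banner, and returns an explicit "unknown" instead of guessing when the evidence is contradictory.

```python
"""
Shape of a vulnerability check that decides on observed behaviour rather
than on a version banner alone, and that refuses to report a finding for
systems the check was never written for.

Added example; not code from the mailing-list message or any real scanner.
All product names, probe replies and hosts below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
import re


class Verdict(Enum):
    VULNERABLE = "vulnerable"
    NOT_VULNERABLE = "not vulnerable"
    NOT_APPLICABLE = "not applicable"   # not the product this check covers
    UNKNOWN = "unknown"                 # contradictory or missing evidence


@dataclass(frozen=True)
class Observation:
    """What a scanner observed from one host (constructed sample data)."""
    banner: str          # greeting line the service sent on connect
    probe_reply: str     # reply to a harmless, non-destructive probe


# Constructed behavioural difference for the hypothetical "ExampleHTTPd":
# the unpatched build echoes an oversized header name back in an X-Echo
# header; the patched build rejects the request with 400 Bad Request.
BANNER_RE = re.compile(r"^ExampleHTTPd/(\d+)\.(\d+)\b")
UNPATCHED_MARKER = "X-Echo: "
PATCHED_MARKER = "400 Bad Request"


def identify(obs: Observation):
    """Return (major, minor) if the host runs ExampleHTTPd, else None."""
    m = BANNER_RE.match(obs.banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def check(obs: Observation) -> Verdict:
    # Step 1: scope. A check that fires on every host answering the probe
    # would report unrelated products as vulnerable (the false positives the
    # message complains about), so rule those out before looking further.
    if identify(obs) is None:
        return Verdict.NOT_APPLICABLE
    # Step 2: behaviour. The decision rests on how the server handled the
    # probe, not on the version string, so a backported fix on an "old"
    # version is still recognised as patched.
    unpatched = UNPATCHED_MARKER in obs.probe_reply
    patched = PATCHED_MARKER in obs.probe_reply
    if unpatched and not patched:
        return Verdict.VULNERABLE
    if patched and not unpatched:
        return Verdict.NOT_VULNERABLE
    return Verdict.UNKNOWN  # neither or both markers present: do not guess


# Constructed observations standing in for real scanner output.
SAMPLE_HOSTS = {
    # Same version banner as host-b, but the echo behaviour is present.
    "host-a": Observation("ExampleHTTPd/2.1 ready",
                          "HTTP/1.1 200 OK\r\nX-Echo: AAAAAAAA\r\n"),
    # Same banner as host-a; behaviour shows the fix is in place.
    "host-b": Observation("ExampleHTTPd/2.1 ready",
                          "HTTP/1.1 400 Bad Request\r\n"),
    # Different product that happens to echo headers: out of scope, not a hit.
    "host-c": Observation("OtherServer/9.0 ready",
                          "HTTP/1.1 200 OK\r\nX-Echo: AAAAAAAA\r\n"),
    # Right product, but the reply matches neither marker.
    "host-d": Observation("ExampleHTTPd/2.0 ready",
                          "HTTP/1.1 500 Internal Server Error\r\n"),
}


def run_checks(hosts=SAMPLE_HOSTS):
    """Run the check over every observation and return name -> Verdict."""
    return {name: check(obs) for name, obs in hosts.items()}


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name}: {verdict.value}")
```

Hosts a and b carry the identical banner and get opposite verdicts, which is the point of testing behaviour instead of version; host c shows the scope test keeping an unrelated product out of the results; host d shows the check declining to guess rather than padding either the positive or the negative column.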