The rise of the zero-day market (arstechnica.com)
66 points by mikecarlton on Oct 20, 2015 | hide | past | favorite | 8 comments



It was a good article until Desaultel's ignorant claim that "full disclosure is a farce." His supporting arguments actually support a reasonable delay between disclosure to the software provider and to the public rather than entirely countering full disclosure. The difference between many companies' approach to handling vulnerability reports before and after full disclosure speaks for itself:

https://www.schneier.com/essays/archives/2007/01/schneier_fu...

I got to experience plenty of that myself when I started. They (a) didn't care, (b) called me a liar, or (c) called me well-intentioned but too incompetent to assess the [non-existent] risk to their users/customers. This continued while Microsoft and other big names got smashed by more attacks than we could keep track of, which were often easily prevented (e.g. buffer overflows). Eventually, many companies were forced to do something for real about their software quality thanks to all the attacks and disclosures w/ exploits as proof. Microsoft adopting SDL and mitigation practices is probably the greatest success of full disclosure given their near monopoly on desktops.

Interestingly enough, he kind of contradicts his own position later. He first argues against full disclosure as purely damaging with no benefit because nobody can keep systems updated at the necessary rate. Then, he says security in his testing improved from 4 minutes to 1 hour to break thanks to awareness from all the breaches in the news that he implies are partly due to full disclosure. So, did they have zero benefit, or did they plus black hats benefit via awareness? Even he can't seem to buy his own claim twice in the same article...


> Then, he says security in his testing improved from 4 minutes to 1 hour to break thanks to awareness from all the breaches in the news that he implies are partly due to full disclosure.

We can think of it as a silver lining.


I think it's more a necessity given human nature and these types of people (i.e. head in sand). A known weakness of the human mind is responding to immediate threats more than to what the data shows, even if the data is clear and it is a huge threat. People also react better to stories. Both full disclosure and breaches in media create the impression of immediate threat with incentives to CYA or do some real security. So, more like parents slapping their kids' hands or spanking them for trying to touch a hot stove, except with most kids continuing despite all the burned hands and sore asses around them.

Crazy stuff. It's why I don't worry what happens to the careless anymore as they cause their own problems. Full disclosure mainly benefits those who pay attention and try to keep a solid baseline.


IMHO the most interesting part is the charts on page 4, showing that most vulns are used soon after disclosure, but most hacks use a few relatively old vulns. In other words, you probably can't protect yourself from zero-days, but you probably don't have to.


My experience[1] in India has been kind of mixed. While many companies didn't have a proper email address where one could disclose the bugs, after disclosing the bugs some of them were very quick in fixing them. So, speaking of India, I think the IT industry is still in a nascent stage where they do not think about bug bounty programmes much. I hope that changes soon.

1. https://medium.com/@fallible/we-discovered-severe-bugs-in-11...


Ah, from all I could see, the article said next to nothing about how to detect an exploitation.

Also the article concentrated on malicious, that is, malware, exploitations.

Also, one can define a zero day as any problem never seen before. The cause might be software flaws, hardware failures, human system management errors, and more, all in addition to malicious causes.

Then, for any and all zero day problems, one needs to detect, diagnose, and correct.

So, start at the beginning: How to detect?

Here issues are, what parts of, say, a server farm to monitor, what data to get and use, what to do about rates of false alarms and missed detections, and more.


Does anyone know which CVE is in 2007 that everyone is exploiting?


another negative use of bitcoin



