So 3COM is sporting their new 'ZDI'. I think it's kind of cheesy - they're trying to come off as if they're doing it for altruistic reasons. Please - does anyone believe this kind of line anymore?
Let's review some amusements and a couple steps from their site (http://www.zerodayinitiative.com/details.html):
"...with the altruistic aim of helping to secure a broader user base"
Let's contrast this with step #4:
"3COM verifies the vulnerability and decides whether to make an offer within a week on average"
As well as step #8:
"Later, 3COM shares advance notice of the vulnerability details to the other security vendors before public disclosure"
What the hell does 'later' mean? I'll tell you what I think it means: as soon as they've rolled it into their own/partner's product(s) giving themselves a healthy lead on the competition. Hmm... I don't see much altruism there.
What kind of time frame do they think qualifies as being altruistic for the community? Seems to me it's probably gonna take at least a couple weeks before 'other security vendors' are notified. A day might as well be a year in this industry.
3COM, I gotta say your ZDI sounds a little weak. If you were really 'altruistic' you'd send folks in the industry advance notice that someone had submitted a 'sploit with basic details, then follow up immediately as soon as you get more info or confirmation. And continue until a solution is found, if one exists.
Not to mention that paying for 'sploits is lame, lame, lame. As I've said before, the longer something is unknown, the more dangerous it becomes. I can accept arguments for responsible disclosure, but for a SHORT (1-2 week) time frame only. Really, I think the only solution is to publish 'sploits as soon as you find them to the public at large, with no warning to anyone at all. That way, everyone is on the same page and no one has a chance to strangle the flow of knowledge with stupid 'Zero Day Initiatives'.
Comments (6)
"... the longer something is unknown, the more dangerous it becomes."
[speaking strictly of computer security]
We are both well aware which of the following camps is larger;
1) people with the required patience and skill to write the next worm.
2) script kiddies and level-2 h4x0r's that read security lists.
The top hackers know they get a bigger name for themselves if they act like grownups upon vulnerability discovery.
It is the semi-skilled masses that would be able to leverage a well written vulnerability announcement (read: brag letter) into a worm. It is these guys that give hackers a bad name.
"I can accept arguments for responsible disclosure, but for a SHORT (1-2 week) time frame only."
What serious software vendor exists that would have both the market penetration/prevalence to be worm worthy AND be able to push out a stable update to all its customers in 2 weeks? [this is an open question to everyone]
"Really, I think the only solution is to publish 'sploits as soon as you find them to the public at large, with no warning to anyone at all."
So ... lamer 14yr olds with delusions of grandeur and a grudge deserve the same 'heads up' as multi-national corporations that keep the lights on? WTF?
"That way, everyone is on the same page and no one has a chance to strangle the flow of knowledge with stupid 'Zero Day Initiatives'."
This leaves the 'bad guys' with an advantage over whitehats! The Information Security Professionals have a duty to keep their clients safe - where does this leave them? Without responsible disclosure, there would be no timely vendor patch. Without an available patch, administrators would be forced to unplug their mission critical (vulnerable) systems. This is what you are advocating?
Posted by graver | August 3, 2005 7:29 AM
"So ... lamer 14yr olds with delusions of grandeur and a grudge deserve the same 'heads up' as multi-national corporations that keep the lights on? WTF?"
Yes, that's what I'm getting at. Maybe people should be writing better software that can't be hacked to shit by 14 year olds. (No slag on 14 year olds intended; age is no judge of skill. Besides, I was 14 once ;)
I figure if people are shocked, scared and inconvenienced enough, they'll smarten up, get off their asses, and use or write some shit that can't be taken down so easily, or secure their networks.
Or, how about this: don't use stuff until it's ready for primetime. Just 'cos people jumped on the internet bandwagon doesn't mean it was ready to deliver on all of its promises. We were all too quick to adopt it.
Sometimes people need to be burned so they learn to recognize fire and not play with it.
All's fair in love and war, and I don't think this is about love ;)
Posted by bsonne | August 3, 2005 7:40 AM
Note to all Admins:
Please unplug all Windows 2000 Servers running Oracle, your enterprise software is not ready for primetime.
Thanks,
Management
Posted by graver | August 3, 2005 8:15 AM
Simply put, there is too much riding on the internet to say that we're going to 'teach' vendors about secure software development simply by releasing 0day into the wild. Sure, back in the early days I could see this being a viable option when releasing a 0day Cisco exploit could prevent a few thousand geeks (like me) from the newsgroups… it's good to get some sun every now and then. The internet goes down – no biggie.
The internet is much more integrated into real life now. Today the internet is more than porn. Ned, for example, makes his living from www.Leftorium.com and he's doing very well… what happens when you release that 0day mysql exploit and the Leftorium (along with thousands of other online stores) goes down for Christmas? I'll tell you what – Rod and Todd have a crappy Christmas. These are real lives, real incomes and it's all based on the internet. Ignoring the impact that your actions will have on other lives or dismissing them as 'necessary' based on an idealistic view of where the software development cycle is ridiculous. Those that release PoC code for a worm-able, high profile buffer overflow should face the same ridicule as virus developers. This is no longer research… it is an immature grasp at fame.
Make no mistake, I have no sympathy for vendors who ignore the findings of security researchers but I do respect the lives of said vendors’ customers – they are our customers too!
Posted by Jrichards | August 8, 2005 12:48 PM
You're a fool if you depend on the internet for anything critical. Just 'cos enough people do it that it becomes critical infrastructure isn't good enough reason. When you hop on the wagon without kicking the tires, you get what's coming to you.
Of course it's real lives and real jobs. That's why I feel so strongly about it. People need their eyes opened, and sometimes the only way that happens is a kick in the balls. I'm not here to kick people in the balls, but I will prod people into action and provide support to those who will. It's better for us all in the long run.
If I may trot out some over the top hyperbole: it's better for a herd of animals if some of the slower and stupider ones get killed by wolves. It's nature dude, construction from destruction and order out of chaos. I'm just talking about removing these artificial constraints and letting pure, unadulterated knowledge set the pace.
Besides, there's no way we'll ever be able to stop the skiddies and crackers. So, let's start a fire and use up all dead stock and tinder, so we don't have anymore big, out of control forest fires later on.
I would jump for joy if someone wormified Lynn's presentation and took the net down. Try and tell me with a serious face that there wouldn't be some improvements made after that.
Posted by bsonne | August 8, 2005 12:59 PM
What you suggest doesn’t just attack the weak and stupid. What you suggest makes the most adamant system admins vulnerable. The unpatched internet facing Windows 2000 terminal server is fair game -- these people need a good kick in the balls... patch management is a no-brainer.
What you are suggesting though is that we let the customers suffer. This is highly illogical. What exactly are we teaching them? Stop using the internet? Don't run a business on the internet? These are terrible solutions.
So, what happens if someone wormifies a cisco bug? We see some routers get pwned... the media gets geek for a week or so... CNN starts talking about 'terror attacks' against the internet, Jon Stewart makes some jokes... and it all blows over in a couple weeks as techies are sent around upgrading and patching throughout the night.
The problem is in QA where security should be number one. The problem is that when the infrastructure was laid out we weren’t thinking about security... hell, we weren’t even thinking about quality of service at that point... we just wanted to make it work.
You may think that walking around a dead forest throwing matches around to burn away the dead-wood is some form of Darwinism but back here on earth it's called arson, it's a crime.
Now, before all you pistol-slinging freedom fighters get on me about your rights and your free speech take a minute and relax. Put your 9mm back in your pants and think a minute…
I am _not_ refuting the importance of independent research.
I am _not_ taking away free speech.
I *am* suggesting handing a loaded gun to a script kiddie is a BAD thing.
I *am* suggesting we give vendors a reasonable time to patch and respond to bugs.
…now if that doesn't make sense… fine, pull the trigger. (Did you remember it's still in your pants? Now *that's* Darwinism.)
Posted by Jrichards | August 9, 2005 7:47 AM