In an analysis on the Gartner Web site this week, they said the QuickTime flaw New York hacker Dino Dai Zovie used to hijack a Mac poses a wide risk and highlights the danger of vulnerability research conducted in public.
They say public vulnerability research and hacking contests are "risky endeavors" that cut against the grain of responsible disclosure, where vendors are given an opportunity to develop patches or workarounds before public announcements are made.
"Vulnerability research is an extremely valuable endeavor for ensuring more secure IT," they wrote. "However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."
They're not the first security experts to see the evil in public hacking demonstrations. But their position isn't winning over many security bloggers. In fact, most of the discussion in the blogosphere this week seems to favor the practice.
In the Rage 3D blog, which ran a synopsis of the Gartner position; respondents defended the necessity of such contests.
"These contests are crucial to maintaining development on fixing security exploits," one blogger wrote in the comment section. "Most often, the initial programmers made the mistake once, so they'll most likely make it again. Furthermore, independent hackers are usually the first to find the exploits, and it's certainly better to bribe them to give it up than have them use the exploits to make money in more fraudulent ways."
The most important thing is that Dai Zovie's exploit shattered the "ridiculous notion" that Apple's software is always secure, the blogger said.
Another blogger responded, "If these exploits become more [well] known to a lot of people, it forces the company to fix the issue, otherwise it will [have] gone unnoticed except by a few of the hackers using it, with free reign."
The fact that Apple fixed the QuickTime flaw so quickly shows that it pays to pressure the vendor with such public disclosures, some bloggers suggested in the Matasano Chargen blog kept by New York security consultancy Matasano Security, of which Dai Zovi is a member emeritus.
"Thanks to Dino for finding the issue and to Apple for such a quick reaction," wrote one respondent to the blog. "That's how it should be. Exploit found. Exploit fixed. Nothing exploited but a few media articles."
Blogger Jim Stroud, a self-described "searchologist" with expertise in recruitment research and competitive intelligence, addressed the question of whether these contests are more about promoting companies, researchers and products than about bettering security. From a recruiting standpoint, he said, such activities can be good for the IT security industry.
"I suppose there are some dangers involved with [hacking contests]," he wrote, "but [it's] a great way to passively recruit engineers working in security … I mean, if they can hack their way into your product, wouldn't you want them to work for you?"
He's right. It's better to find these researchers and get them working for the security of your product than against it. But I also agree with those who say researchers like Dai Zovi are already working on the good side of the fence.
A look at Dai Zovi's background shows he's been working for years to improve computer security. He has worked with @stake and the IDART Red Team at Sandia Labs. He has spoken at a number of security conferences.
Gartner may want guys like this to stop showing off security weaknesses in public, but that wouldn't make us safer. In the end, the bad guys will figure these exploits out on their own and it's better if the good guys know about it so they can defend themselves.
Gartner is right that it would be better to work with the vendor on a solution and give them time to release a fix before showing off the weakness in public. But unfortunately, vendors don't always work quickly enough to convert a researcher's findings into a fix. Sometime they need to be pushed under the public eye.
This was first published in May 2007