Jeremiah Grossman and RSnake both laid sobering eggs in the last week, no doubt colluding to dilute… 🙂 They lament the fact that they post information on the Internet about security and vulnerabilities, but now that they are increasingly deep into the corporate professional security ranks, they aren’t able to talk quite as freely anymore when contracts and NDAs and so on are on the line. When only a handful of people know an issue, and it gets out, you know their asses would be nailed to the wall…or at least paychecks withheld.
No one with half a professional brain or experience in the actual industry is surprised by this revelation. But by posting this, they have really somewhat lost the ability to bitch about the lack of communication in the security ranks. And that’s because they’re just as much a part of the problem now as anyone. It’s even worse when you tell people you know things, but can’t expound. That incurs the ire of pretty much everyone, including those who Get It.
As Jeremiah’s post title says, this *is* the nature of things, economic and legal. Corporations have a big stake in keeping quiet about anything even remotely negative or insecure, and so do security professionals who want to keep their integrity and credibility. Likewise, both Jeremiah and RSnake gotta eat, and full disclosure, as RSnake implies, doesn’t pay the bills (or expensive cars).
While I agree that specifics on issues may be difficult to reveal, both Jeremiah and RSnake should still be free to talk about vague issues without getting anyone into trouble. Rather than some POC that has the client name hardcoded, create a copy somewhere and demonstrate with sanitized examples. I don’t think anyone is really after smearing particular companies or products, or salivating at being the first one to profit off some vulnerability in a popular site. And if that is the fear, then we have a messed up view of reality.
Yes, I Get It. I know Jeremiah and RSnake have their reasons, but at some point we’re going to need to catch up to the communication abilities of the attackers in countries without such paranoid views of disclosure and legal lashback. Sadly, there are already signs of this getting worse, as Germany and Britain have made huge steps to stifle innovation and sharing with ham-fisted attempts at control through law.
This is an opportunity for Jeremiah, and maybe even more so RSnake, to attempt to lead by eschewing such self-imposed gags. They don’t have to be whistle-blowers by any means, but they are creative, enthusiastic, and experienced enough to be able to keep disclosing innovation and ideas without endangering lives or livelihoods. They made their reps and their current standing by talking about things. To change that now is perhaps succumbing to the corporate machine of things.
Despite all of this and my own commentary above, I deeply admire and respect both Jeremiah and RSnake and fully respect (and even grudgingly sympathize with) their positions. I just wanted to leverage their posts for some soapboxing.