
The Looming Dangers of Security Vulnerability Sensationalism


Old 08-26-2008

I am feeling a bit "long in the tooth" today, because like many of our honorable colleagues here at the (ISC)² blog, I remember computer security before there was an (ISC)² and before there was a World-Wide-Web. Yes, there were security professionals before terms like "firewalls" became popular, believe it or not.

Back in "the old days" we had to set up sniffers on both sides of a router to figure out how to set up access control lists. If we needed to change the passwords on all our network devices when someone left our "big telecom company" we launched a shell script, one that we wrote late at night drinking Mountain Dew, that logged into each network device and changed all the network device passwords.

In fact, security and computer security was just a matter-of-fact part of our day jobs and of network and UNIX (and then Linux) system engineering. We found bugs and we squashed them as a routine part of our jobs. When we found vulnerabilities in global routing protocols like BGP, we contacted the vendor and they fixed the bugs, quietly. When we worked on some late night UNIX systems "glue" projects and found errors in how an OS managed shared memory, we simply let our vendor know. If we had access to the source code, we fixed it ourselves, and sent our patch to the vendor the next day via email.

So please forgive me when I tend to agree with Linus and his controversial statement, "one reason I [Linus Torvalds] refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior."

I actually flew to Amsterdam many years ago (just how many I can't recall at the moment) to attend the first Linux users conference and had the pleasure of buying a bottle of wine (and drinking it) with Linus. That was the first and last time our paths crossed. Linus is outspoken and does not hold back any punches. In the security statement above he went on to say,

"In fact, all the boring normal bugs are way more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking."

Actually, that is exactly the way we viewed software bugs in "the good ole days" of UNIX/Linux system programming. We found bugs, then we squashed them. We drank a lot of Mountain Dew.

So, I am a bit puzzled by the escalating sensationalism and self-promotion that is the "new norm" for many of the so-called security professionals.

There is a looming danger of creating a hypersensational world of self-described security professionals out to make a name for themselves by glorifying finding a bug, a hole or a configuration error.

I will not name names or recent news events, but I tend to agree with Linus that it is wrong to make heroes out of "bug hunters" at the expense of the real code-slingers who write code every day, squashing bugs as a matter-of-fact. Let's hope they don't start calling a media event every time the real code-slingers find one!

In retrospect, I recall a large big gaping hole in BGP(4) many years ago and, when configured incorrectly, an attacker could hijack entire domains of Internet traffic by poisoning the global BGP routing tables. I was "on the job" advising a client when this hijacking happened, as the client witnessed a large chunk of their IP traffic redirected to a hostile country overseas. We just tracked down the error and we fixed it. We never sensationalized it. We did not call a press conference; nor did we try to make a big name for ourselves.

After all, configuring the network, fixing bugs, writing code, communicating with vendors, was just part of our day job!

How did we evolve to a world of "security sensationalism" where finding and fixing software bugs is somehow more glorified than writing good code, a good corporate security policy or a risk management plan? What about all the good people who have found countless bugs that have been routinely quashed and never sensationalized nor leaked to the media?

Part of Linus' statement was a bit harsh and I will not repeat it here. However, the idea behind what he said was correct. There are dangers in promoting a culture of bug hunter "hero worship" and a strong argument can be made that this type of sensationalism does encourage wrong, unethical, behavior.
