Archive for June, 2007

Debate over public hacking contests

Saturday, June 2nd, 2007

Here are a few quotes from an interesting article I found on eSecurity Planet.

“Gartner analyst Rich Mogull, one of the authors of the report, said that doing vulnerability research in public comes with ‘high risk.’”

“‘TippingPoint cannot abdicate responsibility here. And if they do participate in this kind of contest, they need to understand that they’re going to undergo criticism from industry experts like myself,’ he said.”

The focus of the article is not about the ethics of selling vulnerabilities, but on whether or not we should hold public contests to discover them.

The argument is that these contests generally reveal zero day vulnerabilities.

Industry expert!?  I think this guy Mogull is clueless.

First, he uses his weight as a big-man at Gartner to threaten retaliation for holding these types of contests.

Second, he does not have even a basic understanding of human nature.

Highly public, highly visible contests like this are good because:

  1. They educate potential novices on the art of discovery.
  2. Basic human nature is to work for good rather than evil.
  3. Combining 1 and 2 should lead the non-dimwitted to conclude that we will end up with more “security researchers” than haxorz.
  4. The public nature of the contest is an indicator to vendors that they better get their heads out of their butts when it comes to developing secure software.

I, personally, would rather see a vulnerability discovered in a public forum than in some rogue attacker group that will use the discovery for nefarious purposes…

Just my $.02

Bill Gross

Google getting into the security arena

Saturday, June 2nd, 2007

From May 30th on SearchSecurity:

The search engine giant announced this week it has acquired Mountain View, Calif.-based security firm GreenBorder Technologies Inc., which specializes in sandbox technology to defend email and Web users from malware.

I’m not sure what to think here.

Since Google appears to be making headway in the client tools arena, it might be good that it wants to protect users from malware.

But the “I’m an investor” side of me makes me think, “deworsification” - a term I believe is attributed to Peter Lynch.

The idea is that many large companies start out really smart, with a focus on one really good idea or product.

Once that starts doing well, the company gets a little bigger, and they start to diversify.  In most cases, this is bad both for the company and for its investors… Hence, the diversification is really deworsification…

As an investor in Google, I’d be worried unless Google comes out with a really solid, highly visible, easy to understand vision for where they are going.

This vision is something Microsoft has mastered, but I’ll never own Microsoft stock again.  I should leave emotions out of it, but I feel like buying stock in Microsoft is condoning their horrible business practices…

Bill Gross