Earlier this year Gartner started enforcing a policy of no blogging for their analysts. It’s an understandable, if backwards, stance since they make their money from the intellectual production of their analysts. Unfortunately, this meant that one of my friends, Rich Mogull, had to quit blogging, at least on any matters security or IT related. As most people who blog would tell you, blogging would increase the value of an analyst rather than taking away from it, but that’s not how management sees it. And since they sign the checks, they get to make the rules.
Rich is now back on the scene though! He’s left the comfy world of being a renowned security analyst and is working for himself for the foreseeable future. I’m glad to see that he’s got big things planned for his blog and, as he puts it, “other surprises”. Rich’s time as a Gartner analyst has given him a unique viewpoint on the industry and I’m very interested in seeing what he has to say about it, now that he is no longer under the restrictions of the corporate overlords. He probably will have some contractual restrictions given his intimate relationship with the industry for the last seven years, but that’s nothing compared to what he had up until yesterday.
Welcome back to the world of blogging, Rich. We expect big things from you in the future! And we know there’s at least one opening at Gartner now.
I’ve always been a proponent of ‘responsible disclosure’; that is, researchers give companies a reasonable amount of time to research and fix vulnerabilities, and in return companies give researchers credit and treat them with respect. This is a workable system, but it takes everyone involved to act like an adult and offers no hard and fast rules for how long a reasonable amount of time is. It’s not easy, but it is workable.
There are extremes at both ends. Some companies would prefer that researchers stop mucking around in their products and get real jobs. The problem with that position is that the bad guys are going to continue to find vulnerabilities in products, because that’s where the money is. So obviously, non-disclosure isn’t going to work. At the other end of the spectrum, full disclosure gives the bad guys too much information and doesn’t give the affected companies the time needed to come up with a defense. Another problem with this is that you can sometimes anger much of the security community, which is apparently what happened in the case of Whitedust; they shut down operations last week in response to heavy criticism and backlash from the security community.
Most situations sit somewhere between the two extremes. Security researchers are trying harder to work with the companies who produce the vulnerable software, and in many cases companies are returning the favor and treating researchers with more respect. This has yet to become the rule, as David Maynor’s nearly legendary relationship with the Apple corporation shows. Apple would rather deny that the issues exist and let their PR department deal with any naysayers. Companies like Google take a slightly different tack and say that the vulnerabilities reported to them are ‘expected behaviour’, as happened to RSnake.
It’s hard for a security researcher to continue to work with companies when the researcher is attacked or ignored. I also understand why companies react so badly sometimes; after all, no one likes having their errors pointed out to them continuously. But we’re at the point in the game where it’s up to companies to take the high ground, admit to their mistakes, fix them and credit the people who find the vulnerabilities. Most researchers don’t have that much to lose if a company denies that a vulnerability exists, but then patches it a couple of months later. On the other hand, every time a company does exactly that, it makes it less likely that the public is going to take the next denial at face value.
I’ve sometimes been hard on Microsoft for the security of their products. But this is one area where I’ll give them the credit they deserve and say that Microsoft has made great strides over the last few years. They still stumble once in a while, but it’s a lot better than attacking the people who are researching you, or constantly threatening to sue anyone who exposes a vulnerability, like a certain database company whose name starts with “O”.