Thoughts about “Offensive Security Research”

René Pfeiffer/ February 11, 2012/ Discussion, Security

Ever since information relevant for security was published, there have been discussions about how to handle this information. Many remember the full/no/responsible disclosure battles that frequently erupt. There is a new term on stage. Its name is „offensive security research“. The word „offensive“ apparently refers to the intent to attack IT systems. „Security“ marks the connection, and „research” covers anyone being too curious. This is nothing new, this is just the old discussion about disclosure in camouflage. So there should be nothing to worry about, right? Let’s look at statements from Adobe’s security chief Brad Arkin. At a security analyst summit Mr. Arkin claimed that his goal is not to find and fix every security bug. Instead his strategy is to „drive up the cost of writing exploits“ he explained. According to his keynote

Read More

Talk: Alerting, Reminding, Reminding, Reminding and Releasing Vulnerability

René Pfeiffer/ October 5, 2011/ Conference

Some of you have first-hand experience with the discussions around full disclosure. Enumerating Bugtraq moderated by Aleph One, SecurityFocus and the full-disclosure mailing list is a heavily condensed view of the problem. The term full disclosure actually originates from the problems locksmiths had with weaknesses of locks. The discussion is over a hundred years old and opinion is still divided on the matter, not only among the Internet security community. So if full disclosure and its cryptographic cousin, the Kerckhoffs’s principle, was „discovered“ in the 19th century why are we still arguing about it? Thomas Mackenzie will talk about how to deal with exposing vulnerabilities in his talk at DeepSec 2011. When it comes down to releasing vulnerabilities there are no right or wrong ways to do it. The process of responsible disclosure and

Read More