January 16, 2006

Exploit Feeds - a public service or a commodity with a price?

Ben discusses the monetary conflicts behind disclosure entities like CERT, NISCC and Tipping Point. Several of these acquire exploits for free and ship them off to favoured friends according to some metric which isn't clear, and may not be "fair", whatever that means. Guess who these are? The non-profit ones. In contrast, the profit seekers simply pay for exploits and sell the information to their subscribers.

So, what's wrong with this picture? Well, my original objection to CERT and NISCC was that they obviously have to choose who gets the early announcements, and there's no fair way to do that. Even worse, if you're going to claim to protect critical infrastructure, then you have to include the vendors who supply that infrastructure. Of course, these vendors then get to exploit that information commercially - it gives them an edge on their competitors. And since you don't get to supply critical infrastructure unless you are huge, this creates an artificial bias towards huge companies.

Shades of Sony rootkits, shades of Diamond Governance. Is paying for exploit information better than the alternative? I think it is, for these reasons: it is objective, and it is available on non-discriminatory grounds. If you have a need, then pay to have that need met.

However, that's not the worst of it, and this is what became clear to me last night. What's worse is that many of those subscribed to these early announcement services have an interest in using these exploits. In the case of the CERT/NISCC model it will be the military and TLAs that will be in the market for useful exploits. Of course, they will still have access in the commercial cases, perhaps even at reduced rates (never hurts to keep the government happy, right?) - but worse still, commercialisation of the exploit market gives easy access to criminals (I'm sure that some get it even in the CERT/NISCC model, but it must be harder to get it that way than by simply forking out money).

Once again, the commercial model wins, I suspect. Why? Because, to some extent, we know who is getting it, as the seller will perform some level of due diligence, starting with the top customers. OTOH, the CERT-like supplier of exploits will be all tangled up in other non-objective models, and won't easily be able to figure out who's using it for nefarious purposes.

Open governance could solve this fairly easily by just revealing who is on the list and at what delay. Then, the rest of us could watch for correlations between early exploit usage and those who were told in advance. That's my call, at least; but Ben promises more comments later on this.

Posted by iang at January 16, 2006 02:55 PM | TrackBack