It never ceases to amaze me how few IT professionals — even those charged with Internet and information security — possess an adequate understanding of how computer systems actually function. While that may sound like an exaggeration, from where I'm standing, it's unfortunately the truth.
Then again, we can pretty much apply the same concept of general ignorance to any other complex system — how many people did you once help program VCRs? An even more prevalent example is motor vehicles. Most drivers could care less how their cars, trucks, vans, or SUVs actually function; they just drive them and wait for warning lights to come on.
That's why motor vehicles now include dozens of systems to make sure that they function properly and that alert the driver when they don't. But remember that most automobile manufacturers didn't choose to make their vehicles safer; rather, liability concerns forced the issue. Even then, possible manufacturing defects in motor vehicles typically don't come under investigation until a tragedy occurs.
What do motor vehicles and computer systems have in common? Both are complex, and both include the threat of potentially dangerous crashes if not operated correctly — or if some sort of manufacturing defect emerges.
It typically requires a lot more money to produce a safe product than it does to produce a product cheaply and quickly. So, despite my complaints about buggy software, crash testing isn't a viable solution for most software producers. Such intensive testing costs more than a vendor can possibly recover in sales.
Instead, the majority of software vulnerabilities come to light because of a few people in the world that possess the skills and the motivation to find these holes. How these people choose to share their findings is a different issue. Like it or not, a clandestine market for exploitable software defects does exist.
But one company hopes to make that market less attractive. With its Zero Day Initiative (ZDI), TippingPoint (a division of 3Com) hopes to create a legitimate market for responsibly reporting vulnerabilities by offering compensation for the information. But I'm not so sure that this is a good idea.
In a nutshell, ZDI wants researchers to register with the programme and submit information about previously undisclosed or "zero-day" software vulnerabilities as they find them. In return, ZDI will validate the issue and then make a monetary offer to the researcher.
A zero-day vulnerability is the most dangerous kind because no information exists about the problem until it hits. Keep in mind that it's unlikely anyone will discover such a software vulnerability by accident — someone with the right skills must be actually looking for them.
ZDI isn't a new idea, but it is a different approach. In fact, ZDI even boasts its own ZDI Referral Program and ZDI Rewards Program, complete with reward points, status levels, and bonuses.
I'm admittedly a cynic, but it's more than obvious that TippingPoint isn't doing this for the benefit of mankind; after all, it is a vendor of Internet security products. In effect, it's paying to "get the jump" on other vendors, which is the nature of capitalism. Make no mistake, software vulnerabilities are costly, especially zero-day vulnerabilities.
Finding software vulnerabilities in compiled software is an esoteric and highly specialised skill. There are perhaps a few hundred software security researchers out there who have the skills to find vulnerabilities. However, there are quite a few more hackers who have other motivations.
In addition, legitimate security researchers face the risk that companies will try to hold them liable for what they do with their findings, as a former Internet Security Systems employee discovered recently after revealing flaws in Cisco IOS . On the other hand, when it comes to finding flaws, hackers could care less about such matters.
Vulnerabilities in software are only fixable when someone actively forces the software to fail and then reports the findings to someone who can do something about it. But an open market for software vulnerabilities could create a sort of vulnerabilities "arms race." In fact, iDefense unveiled its own programme for paying for vulnerability information, dubbed the Vulnerability Contributor Program, just one day after ZDI's announcement.
However, such an "arms race" could result in larger problems. For example, consider the potential legal troubles that could arise if more people begin hunting for vulnerabilities without paying proper regard to intellectual-property rights or licence agreements.
Whether ZDI will prove to be a success is likely to depend on whether a legitimate market for vulnerability reporting can compete on a monetary level with the existing clandestine market. I hope that it will, but only time will tell.
In my opinion, a better approach would be to hold commercial software companies liable for defective products, much in the same way that motor vehicle manufacturers are. But until then, I'll continue to advocate that understanding and taking responsibility for computer security is as essential a skill as being able to turn on the computer itself.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.
