Verizon dubs sec researchers 'narcissistic vulnerability pimps'

  • Verizon dubs sec researchers 'narcissistic vulnerability pimps'

    http://www.theregister.co.uk/2010/04...ability_pimps/

    Verizon dubs sec researchers 'narcissistic vulnerability pimps'

    By Dan Goodin in San Francisco
    The Register
    23rd April 2010

    Updated - In an official blog post, an employee in Verizon's Risk Intelligence unit has taken aim at researchers who disclose security flaws, calling them "Narcissistic vulnerability pimps" and comparing them to criminals.

    "Have you ever heard of a terrorist referred to as a 'demolition engineer?'" the unnamed author of the rant asked, one presumes rhetorically. "How about a thief as a 'locksmith?' No? Well, that's because most fields don't share the InfoSec industry's ridiculous yet long-standing inability to distinguish the good guys from the bad guys."

    The post goes on to propose that a person who discloses security flaws henceforth be labeled a "narcissistic vulnerability pimp," which the writer defines as "One who - solely for the purpose of self-glorification and self-gratification - harms business and society by irresponsibly disclosing information that makes things less secure."

    Besides befuddling all the men in leopard fur coats and feather-laced hats, this comparison is problematic for other reasons. As the recent Pwn2Own contest made abundantly clear, software makers can't be counted on to secure their products, at least not on their own. Security researchers armed with real-world vulnerabilities provide an important check on internal security teams and give them a powerful incentive to be thorough in finding bugs and swift in fixing them.

    [...]
    The risk manager's head is so far up his ass on this one, I don't know quite where to begin, and it amazed me that Verizon allowed this to be published as an official statement. The update on the article says the co-author went on to say that "full disclosure was never a good idea, even in cases ... where the company delays a fix for a vulnerability that endangers millions of users."
    Last edited by Thorn; April 26, 2010, 05:32.
    Thorn
    "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

  • #2
    Re: Verizon dubs sec researchers 'narcissistic vulnerability pimps'

    I'm rather speechless. This is just unilaterally wrong straight across the board. Security experts should hoard information about exploits so the real criminals can ... what exactly? Not get the information? They already have it. They know about it before the statement is out there. You can check any black-hat forum, they knew about the Adobe exploits at least weeks before the exploit was announced. This is asinine. I hope they retract this.



    • #3
      Re: Verizon dubs sec researchers 'narcissistic vulnerability pimps'

      I'm part way there, I already have the hat!
      Never drink anything larger than your head!



      • #4
        Re: Verizon dubs sec researchers 'narcissistic vulnerability pimps'

        Verizon forgot a category for those who - solely for the purpose of profit - harm consumers/society by irresponsibly writing crappy code and hiding behind security by obscurity.
        "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";



        • #5
          Re: Verizon dubs sec researchers 'narcissistic vulnerability pimps'

          So, what you are saying is they would have a great product if people would stop looking too closely and if they did, only share information about the product if it is favorable to the company.

          I think Toyota wants to be able to apply this to their cars, too. [Sarcasm]Non-Toyota engineers and mechanics need to stop talking about it and stop investigating it and let responsible industries that never crunch numbers to decide that litigation fees would be less costly than fixing a problem, decide to do the right thing. [/Sarcasm]

          Also, according to the proposal in the article above, this just in, Ralph Nader was a, "narcissistic vulnerability pimp," when he wrote, "Unsafe at Any Speed." No. Probably not.

          Oh, but then we counter it with the engineers working at NASA that wrote the paper questioning space shuttle solid rocket booster O-ring security risk for failure. Maybe they were the, "narcissistic vulnerability pimps". No. Probably not.

          Ah! I have it! They came up with their generalization after having seen Geraldo Rivera as an embedded reporter in Iraq reporting his location to the "enemy" by drawing in the sand on camera. Yeah. Now it makes sense. Reduce your sample set to one, and make your "random" selection for that set of one carefully, and 100% of the people (in the "randomly" chosen sample set) that disclose vulnerabilities might actually be, "narcissistic vulnerability pimps."

          I now feel the need to point out that you all are pointing out weaknesses in the argument proposing that people that disclose weaknesses and vulnerabilities are actually pointing out a weakness. Crap. I guess that means you are all, "narcissistic vulnerability pimps." You all better come up with good pimp names. I think, "A Pimp Named Slickback," is taken. Don't forget to buy a jewel encrusted cane, a multi-colored cape, and awfully large, super-sized sunglasses.



          • #6
            Re: Verizon dubs sec researchers 'narcissistic vulnerability pimps'

            Originally posted by TheCotMan:
            I now feel the need to point out that you all are pointing out weaknesses in the argument proposing that people that disclose weaknesses and vulnerabilities are actually pointing out a weakness. Crap. I guess that means you are all, "narcissistic vulnerability pimps." You all better come up with good pimp names. I think, "A Pimp Named Slickback," is taken. Don't forget to buy a jewel encrusted cane, a multi-colored cape, and awfully large, super-sized sunglasses.
            Shucks, will we have to give up our beloved white/black hats for long-feathered fedoras?



            • #7
              Re: Verizon dubs sec researchers 'narcissistic vulnerability pimps'

              I propose a new contest for this year's Defcon: best 'narcissistic vulnerability pimp' costume.
              A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



              • #8
                Re: Verizon dubs sec researchers 'narcissistic vulnerability pimps'

                I know that using "narcissistic vulnerability pimps" is supposed to be "ha-ha funny", but since the entire crux of the article is redefining "security researcher" how do they expect anyone to take the post seriously?

                Also, I take issue both with the analogies and the words themselves:

                1) Both analogies are "bad" people trying to make their job sound better by calling themselves something else (terrorist="demolition engineer", and thief="locksmith"). I know that there are certainly legal issues with disclosure, but (please convince me if I'm wrong), disclosure in and of itself is not a criminal act (yes, I know, there are many facets and different types of disclosure...). So, IMO, the analogies fail.

                2) The analogy notwithstanding, using the word "terrorist" in the first sentence of the entire post pretty much removes all potential credibility by poisoning the post with hugely negative connotations (whether or not such was intended).
                "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";
