Litchfield, ironically, thinks Oracle is the exception in an industry where Microsoft, IBM and other big-name vendors have fully accepted the work of hackers doing independent code audits. "The process is quite mature. It's not perfect, but it works," Litchfield said. "Occasionally things go wrong, but I won't say it's a broken loop."

"Oracle loves to criticize Microsoft, but they really should be learning from Microsoft. I'm sorry, that's just a fact," he said.

Black Hat's Moss agreed that Microsoft, which was once a pariah in security circles, is now the standard by which others should be forced to operate. "Microsoft is the example of how to do it. Oracle is how not to do it."

Moss has some proposals for fixing the loop. For starters, he suggests that businesses actively encourage security research through research programs. "If it can be structured and documented publicly, then everyone knows the rules. They know who to contact and they know there is a process that treats the researcher with respect."

Moss also called for a legal clarification on the status of reverse engineering for security purposes under the DMCA [Digital Millennium Copyright Act]. He said this would provide some legal stability for bug finders and discourage malicious legal attacks designed to stop researchers from publishing their findings.

"The alternative is underground research and anonymous bug postings. I don't like to advocate more and more laws, but what I do want is some clarity from the courts and direction from the lawmakers," Moss added. "If you discourage and prosecute hackers who are doing free work for you, you not only antagonize them but you push them into the underground and into the wrong hands. There are already some zero-day mailing lists that only accept you if you submit a zero-day exploit of some significance. There's a fair degree of trading already going on."
Litchfield believes Oracle's customers must agitate for top-down change at the Redwood City, Calif.-based vendor. "Oracle really doesn't understand that I don't have to tell them anything. Security researchers don't have to play by their rules. We choose to act responsibly and wait for them to fix things. But, when they take 200, 300, 800 days, we just can't sit around and not say anything.

"Who's being irresponsible here?" Litchfield asks.

That's a question that's been around for a very long time. And it just isn't going away.
"Look at Microsoft. Every year they release between 50 and 60 security bulletins. They dont cause a blip because they have a process that works very well. Of course, you have the occasional case when someone will post a zero-day but thats not because Microsoft is not responding. Microsoft has a perfect process to handle the back-and-forth with researchers reporting a vulnerability," Litchfield added.