It never ceases to amaze me how few IT professionals—even those
charged with Internet and information security—possess an adequate
understanding of how computer systems actually function. While that may sound
like an exaggeration, from where I’m standing, it’s unfortunately the truth.

Then again, we can pretty much apply the same concept of general
ignorance to any other complex system—how many people did you once help program
VCRs? An even more prevalent example is motor vehicles. Most drivers could care
less how their cars, trucks, vans, or SUVs actually function; they just drive
them and wait for warning lights to come on.

That’s why motor vehicles now include dozens of systems to
make sure that they function properly and that alert the driver when they don’t.
But remember that most automobile manufacturers didn’t choose to make their
vehicles safer; rather, liability concerns forced the issue. Even then,
possible manufacturing defects in motor vehicles typically don’t come under
investigation until a tragedy occurs.

What do motor vehicles and computer systems have in common?
Both are complex, and both include the threat of potentially dangerous crashes
if not operated correctly—or if some sort of manufacturing defect emerges.

It typically requires a lot more money to produce a safe
product than it does to produce a product cheaply and quickly. So, despite my
complaints about buggy software, crash testing isn’t a viable solution for most
software producers. Such intensive testing costs more than a vendor can
possibly recover in sales.

Instead, the majority of software vulnerabilities come to
light because of a few people in the world that possess the skills and the motivation
to find these holes. How these people choose to share their findings is a
different issue. Like it or not, a clandestine market for exploitable software
defects does exist.

But one company hopes to make that market less attractive.
With its newly launched Zero Day
Initiative (ZDI), TippingPoint (a division of 3Com) hopes to create a legitimate market
for responsibly reporting vulnerabilities by offering compensation for the
information. But I’m not so sure that this is a good idea.

In a nutshell, ZDI wants researchers to register with the
program and submit information about previously undisclosed or
“zero-day” software vulnerabilities as they find them. In return, ZDI
will validate the issue and then make a monetary offer to the researcher.

A zero-day vulnerability is the most dangerous kind because
no information exists about the problem until it hits. Keep in mind that it’s
unlikely anyone will discover such a software vulnerability by accident—someone
with the right skills must be actually looking for them.

ZDI isn’t a new idea, but it is a different approach. In
fact, ZDI even boasts its own ZDI Referral Program and ZDI Rewards Program, complete
with reward points, status levels, and bonuses.

I’m admittedly a cynic, but it’s more than obvious that
TippingPoint isn’t doing this for the benefit of mankind; after all, it is a vendor of Internet security
products. In effect, it’s paying to “get the jump” on other vendors,
which is the nature of capitalism. Make no mistake, software vulnerabilities
are costly, especially zero-day vulnerabilities.

Finding software vulnerabilities in compiled software is an
esoteric and highly specialized skill. There are perhaps a few hundred software
security researchers out there who have the skills to find vulnerabilities.
However, there are quite a few more hackers who have other motivations.

In addition, legitimate security researchers face the risk
that companies will try to hold them liable for what they do with their
findings, as a former
Internet
Security Systems employee discovered recently after revealing flaws in
Cisco IOS. On the other hand, when it comes to finding flaws, hackers could
care less about such matters.

Vulnerabilities in software are only fixable when someone
actively forces the software to fail and then reports the findings to someone
who can do something about it. But an open market for software vulnerabilities could
create a sort of vulnerabilities “arms race.”  In fact, ZDI competitor iDefense unveiled its
own program for paying for vulnerability information, dubbed the Vulnerability
Contributor Program, just one day after ZDI’s announcement.

However, such an “arms race” could result in
larger problems. For example, consider the potential legal troubles that could
arise if more people begin hunting for vulnerabilities without paying proper regard
to intellectual property rights or license agreements.

Whether ZDI will prove to be a success will likely depend on
whether a legitimate market for vulnerability reporting can compete on a
monetary level with the existing clandestine market. I hope that it will, but only
time will tell.

In my opinion, a better approach would be to hold commercial
software companies liable for defective products, much in the same way that motor
vehicle manufacturers are. But until then, I’ll continue to advocate that
understanding and taking responsibility for computer security is as essential a
skill as being able to turn on the computer itself.

Miss an issue?

Check out the Internet Security Focus
Archive, and catch up on the most recent editions of Jonathan Yarden’s
column.

Want more advice for
locking down your network? Stay on top of the latest security issues and
industry trends by automatically
signing up for our free Internet Security Focus newsletter, delivered each
Monday.

Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.