I'm a proponent of responsible full disclosure in the whitehat tradition. Security researchers should provide exploit details confidentially to vendors and give them a chance to patch vulnerabilities and users to upgrade. If a patch is not forthcoming from a vendor to fix a vulnerability, then I support the release of enough technical details about the vulnerability to allow security researchers to independently create a patch through a process of reverse engineering. Such a patch helps users to have a higher level of security and repel exploits even if a vendor is unresponsive to fixing their own bugs.
In some cases, an extremely serious and pervasive vulnerability is discovered that affects many platforms and has many entry points for exploitation. Such vulnerabilities need to be patched as quickly as possible, and sometimes the response from researchers is faster than any possible response from a large vendor. A great example is the Windows WMF vulnerability announced in the last week of December, 2005, which affected Windows operating systems from Windows 3.0 through Windows Server 2003. Before the week was out and before Microsoft released their own fix, Ilfak Guilfanov (a security researcher) released a patch to fix the vulnerability on December 31st. This provided a huge service to the Microsoft user community.
I wish to add that the application by some entities of misguided laws (such as the DMCA) in an effort to stifle security research is unfortunate. Computer security can only be achieved (and maybe not even then), by well-tested software implementations; not through legislation. Poking holes in software is done with ease by people who care nothing for laws, and as evidence I site the never ending malware scourge - much of which now is well-organized and driven by profit. What we need is a vibrant research community to counter this trend. Full disclosure and discussion of software bugs is the only viable alternative.
What are your plans for the future? Any exciting new developments?
There are some exciting developments for the fwknop project; I'm collaborating with a few network security enthusiasts who work at Calsoft, and they are contributing open source code into fwknop. Hopefully, the fruits of these efforts will result in several new features implemented from the fwknop TODO list. Also, a contributor to fwknop, Sean Greven, has developed a Windows client UI (currently in beta testing) that can generate properly formatted SPA packets without appealing to the fwknop client. This is an important step towards more widespread adoption of the technology I think.
In my professional life, I'm working with a set of engineers to extend the features offered by the Dragon IDS. Trying to achieve multi-gigabit speeds in full IPS mode is a real challenge, and interfacing with the appropriate hardware acceleration technology to offload parts of the pattern matching operations is an interesting integration problem.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.