The most magnificent thing about Vulnerabilities and who is behind the magic

What I like the most about software vulnerabilities is how “vulnerability”, as a quality of a real object (and the computer program is real), literally appears from nothing.

Let’s say we have a fully updated server. We turn it off, lock it in a safe and forget about it for half a year. Six months later, we take it out and turn it on. It is the same and works absolutely the same. But now it is also exposed to dozens of critical vulnerabilities that, with some (un)luck, can be exploited by any script kiddie. A new important characteristic of the material object appeared from nowhere. Isn’t this magnificent?

Who is behind this magic

Of course, this only happens because many people constantly and comprehensively study software products. But we know so little about it that it seems almost like magic. For example:

  • Do you know how many security researchers analyze the Windows or Linux kernel (hundreds, thousands, maybe more)?
  • Who pays them?
  • What is their main motivation?
  • Do they always report what they found to the software vendors?

As for the last question, it seems rather naive to think that all the researchers send their most valuable findings to the vendors, even for the bounty. Especially those researchers who work for governments and criminal groups. In my opinion, publicly known vulnerabilities, which cause us so much trouble with patching, are only the smallest part of all existing vulnerabilities. And it’s scary to think what is going on in the main private zone, where all wunderwaffens and all rings-to-rule-them-all should be.

Big guys games

We mainly know how the NSA processes 0-day vulnerabilities and exploits. Many thanks to #EFF and other organizations who forced them to disclose “Vulnerabilities Equities Policy and Process for the United States Government” (2017).

There are no technical details or valuable statistics in it, only some descriptions of bureaucratic procedures, but it shows the attitude. Do you think that governments in other countries deal with vulnerabilities in a more ethical way and report them to vendors immediately? I don’t think so.

And, btw, it led to real attacks. I just mentioned a couple of them in my Telegram channel: cyber attacks on the Russian Power Grid and the “Yandex was hacked” article by Reuters.

Can money solve the problem with unreported vulnerabilities?

Responsible disclosure may become more attractive to independent researchers if the size of the bounty becomes comparable to the prices on the black market (now it’s not). But individual researchers are not the only actors.

I don’t see any good and safe solutions for this. This is too far from technology and mainly concerns geopolitics and violence.

Once again, it’s a big, dangerous world, you know. We see only the smallest part of all existing vulnerabilities and, unfortunately, we can’t deal effectively even with them.
