Wednesday, July 27, 2005

Nice idea in principle... but remember the law of unintended consequences...

Thank you to my friend Henry for this link.

Let's see if I understand this right:

3com will pay for advance, exclusive information on security vulnerabilities and then make protection for these vulnerabilities available to its paying clients while they wait for the vendors to fix the problems properly.

Now, looking at this completely naively, it initially seems like a great idea. Assuming the good guys previously spotted problems, informed the vendors and then sat on their discoveries until they were patched, potential victims were wide open to attack by any bad guys who independently discovered the same flaws and started attacking them.

3com's little scheme puts them in the position of intermediaries who can solve this specific problem: the vendors still get notified, the information on the vulnerability is still secret but now subscribing clients can get protection against the risk that a bad guy will independently spot and exploit the problem.

What could be wrong with that?

Er... well. Let's first remember what the Law of Unintended Consequences tells us. Every action almost always has more than one consequence - most of them unexpected.

So - where are the problems in this scheme?

  • We've now created a market in vulnerabilities, with this critical knowledge potentially going to the highest bidder.

  • The money to pay for the vulnerability information is earned from selling protection services. Unscrupulous vendors have an incentive to cross the line from providing protection services to running a protection racket, since there is nothing to stop bad guys from buying the vulnerability information in this new market we've created.

Taking it a step further, I imagine other entrants (or existing players) may soon get tired of the price inflation that will surely develop and decide to team together. We'll then have a de facto cartel... the security industry would have manoeuvred themselves into a position of privileged holders of vulnerability information.

I'm instinctively pro-market so I'm having a hard time getting overly upset by this, but I do have some concern that this approach will herald the demise of Full Disclosure. This controversial practice does have value in certain circumstances, and the creation of a market in such information will, I suspect, dramatically reduce the number of people distributing the material for free. (Of course, the existence of the Open Source community demonstrates that financial incentives are not the be-all and end-all).

If this initiative takes off, it could be a game changer. But I don't think anybody can tell yet whether it will be for good or ill...

(Thanks to Feedster, I discover Richard Bejtlich also has thoughts on this development)
