Core Technologies outs Citect to Associated Press-- is this ethical?

As I posted over on Joe Weiss' blog Unfettered, Core Technologies "reported exclusively" to the Associated Press about a buffer overflow vulnerability they found in CitectSCADA. The flaw is repaired, although, once again, Core insists that it was "five months" before Citect responded to their notification. They made the same charge against Wonderware a month or so ago, but they never said how they had tried to contact WW or Citect; sending emails to "info@..." probably won't get there. My continuing problem with this is that I don't think what Core (and the other security companies that gain visibility, advertising, street cred, and whatever else they want in support of additional business) is doing is ethical. Encouraging somebody to exploit a previously unknown (and, according to Core, unexploited) vulnerability in Critical Infrastructure seems to me to be a dangerous and potentially deadly practice. That's what Core is doing, and they are doing it to advertise their services as a security consultant. If I did that to gain more readership, I'd have people correctly questioning my ethics, you bet.

Walt
Comments

  • Do I like their ethics? No, Walt, I don't. But they're a reality. We have to remember that the Internet is an international creature now, with people who have all sorts of strange priorities that may not coincide with your interests or mine.

    There is no way we can mandate that they behave according to our value system. What they do is not illegal, and I'm not sure I want to see it become illegal. If governments routinely got in the habit of legislating such behavior, I doubt we'd get a result we'd like either.

    No, the way to deal with them is to offer an alternative. And what alternative is there? Do we have a delayed public disclosure scheme that alerts asset owners along with manufacturers some months before disclosing the hack?

    I don't know of anyone doing that, publicly, privately, or through a government agency. So if we don't have anyone doing that, how can we criticize Core Security for wanting people to take responsibility for their crappy code?

  • Walt, as painful as this may feel in the short term, it's really important. Network security bugs will be there whether exposed now or later, and Core Security contacted the vendor. They don't release the news to the public until a fix is released.

    I can't address Core Security's means of contacting the vendor, but I'm inclined to believe their side. As an integrator I had numerous experiences trying to report bugs to HMI vendors, who blew me off, at times going so far as denying the bug's existence. All they have to do is say "Thank you" and take their time to fix it. Nobody will know until the patch release.

    Manufacturers and customers of such HMI software deserve to know that vulnerabilities exist. This is another reason they might consider closed control networks. SCADA packages have managed to stay out of the spotlight; this can't go on forever, they're too prime a target. This effect is likely to multiply with attack tools that let "script kiddies stand on the shoulders of giants", like Metasploit. Companies like Core Security keep vendors and security personnel ahead of the game. They might not have been as tactful as they should, but it's the right thing to do.
