Picking up the Zero Day; An Everyones Guide to Unexpected Disclosures

Presented at DEF CON 15 (2007), Aug. 3, 2007, noon (50 minutes)

Security researchers around the world have been SLAPPed (strategic lawsuits against public participation) across the face by vulnerable software vendors. Bogus legal threats intended to intimidate and prevent public exposure of vulnerabilities are becoming increasingly common. If the software industry succeeds at silencing these researchers the public, governments, global industries, and end user customers are ill served and increasingly vulnerable. Successful silencing of research does not stop it, this merely drives it into private and underground economies. While private commercial exploit economies are being launched, and underground exploit economies are flourishing, the independent researchers (including small security shops) are increasingly the source of open and honest security information. Corporate security researchers often have contractual relationships with vendors preventing the public disclosure of critical security vulnerabilities. It is in this context that vulnerable software vendors attempt (often successfully) to silence hackers through bogus legal threats. While the debate regarding appropriate disclosure protocols is interesting (although seemingly unending), I'm not going to talk about it. This isn't about designing a disclosure utopia, but how to deal with disclosure as it stands today. Confrontational approaches serve no one (except perhaps aggressive attorneys increasing their billable hours), and legal threats are demonstrably counterproductive. I'm going to tell everyone what to do: vendors, customers, hackers, and the press. I'll tell vendors how to handle any disclosure with integrity and their best interests in mind; an admittedly tricky task. I'll remind customers that they have the choice in the products they purchase, and it may be wise to reward those that address security issues responsibly. I'll then give some friendly advice to hackers (no legal advice will be given). Finally I'll address the role of the press and how their reporting can ensure the public interest is served. If everyone starts playing nicely together, we'll all be better off.

Presenters:

• Dead Addict
  Dead Addict helped found DEFCON 14 years ago. He has been DEFCON staff since then, has spoken at 7 DEFCONs, the Black Hat Briefings, Rubicon, as well as invitational security conferences. Professionally his employers have included a dominant operating system manufacturer, a respected computer security think tank, an internationally recognized financial infrastructure company, a popular telecommunications hardware and infrastructure company, as well as other smaller security and software firms. He lives in a strange foreign land with a beautiful intelligent creative mischievous DEFCON speaker as well as two affectionate rats. His credentials do not ensure the value of his words; analyze and determine their usefulness for yourself.

Links:

• https://defcon.org/html/defcon-15/dc-15-speakers.html#DA
• https://infocon.org/cons/DEF CON/DEF CON 15/DEF CON 15 video/DEF CON 15 - Dead Addict - Picking Up the Zero Day - Video.mp4
• https://www.youtube.com/watch?v=0cfVJsJd8ls

Similar Presentations:

• DEF CON 31 (2023) / The Hackers, The Lawyers, And The Defense Fund
• THOTCON 0xB (2021) Rescheduled / The Year of the Vulnerability Disclosure Policy
• 30C3 (2013) / Disclosure DOs, Disclosure DON'Ts: Pragmatic Advice for Security Researchers