I've been watching the brouhaha over the article in WSJ for most of a month now, with some bemusement. Essentially, 95% of the 'informed opinion' in the infosec blogosphere has been along the following lines:
- The WSJ is irresponsible to have published this piece;
- The journalist is even more irresponsible to have penned it;
- It is outrageous!! Something Must Be Done!! Prepare the noose!!
What I haven't seen anyone cover in depth as yet is the concern that information security controls on the corporate desktop are so pathetic that an editorial piece in WSJ can blow them wide open. Que? Aren't the bloggers completely missing the point?
I've never bought the argument of 'security by obscurity' which they seem to be arguing for. We in the infosec profession should be redoubling our efforts to design and apply sound desktop security controls, not bleating at the journalist who says "The King has no clothes". As to those 'infosec pros' who are baying for her blood, shame on you. Shooting the messenger won't alter the fact that desktop security stinks.
Isn't this just the same argument as with full disclosure of security vulnerabilities? Most of the profession are outraged that someone would even consider posting an exploit in a public forum, let alone doing so without giving the relevant party time to analyse it, create and test a fix, and then wait N months for everyone to implement the patch. Hackers, meanwhile, argue very convincingly that if they do not at least disclose exploits "responsibly", they will never be fixed because vendors are far too busy adding new bells and whistles. They say that crackers, the criminal underground and 'terrists' will eventually discover the self-same vulnerabilities and exploit them for criminal purposes and the world as we know it will come to a sticky end. Both points of view have merit but the real issue is that FAR TOO MUCH SOFTWARE HAS BLATANT BUGS THAT CREATE SECURITY VULNERABILITIES BECAUSE SECURITY IS NOT A DEVELOPMENT OR SALES IMPERATIVE. In that context, the full/responsible disclosure argument is simply irrelevant bickering.
I'm looking forward to the WSJ's forthcoming editorials blowing open web security, multifactor authentication, database security and all those other oxymorons so beloved of the 'infosec profession'.
Go ahead, shoot me if you like.