[Dailydave] The old speak: Wassenaar, Google, and why Spender is right

Michal Zalewski lcamtuf at coredump.cx
Sun Aug 2 00:14:24 EDT 2015

> Anyways, both sides of the disclosure fence suffer from one fatal
> flaw. A flaw that Brad Spengler AKA Spender has been incessantly
> pointing out for years and it's that bugs don't matter. Bugs are
> irrelevant. Yet our industry is fatally focused on what is essentially
> vulnerability masturbation.

To be very frank... I think you're a bit guilty of the same
oversimplification that you attribute to the 0-day crowds :-)

Containment and detection matter. So does proper system design. And
yup, every enterprise should plan for getting owned, instead of
assuming that the AV software on their workstations will be able to
stop bad guys in their tracks.

But squashing bugs matters, too - not on an individual scale, but
because all other principles aren't worth much if any attacker is
likely to have a cache of trivial 0-days for *every* single layer of
defense that you have in place. I'm sure that neither you nor Brad is
running 15-year-old copies of Apache and OpenSSH, or browsing the web
with Netscape Navigator, and then putting all your faith in
containment frameworks.

Now, that aside... I don't really follow parts of your argument
against vulnerability disclosure as a concept - or more specifically,
I don't see the inherent connection to privacy worries, to government
oppression, to black hat mercenaries, or to flashy conference
showmanship. That said, I think it's hard to have a perfectly rational
discussion about such deeply-held beliefs, and I recognize that my own
views are hopelessly subjective =)

> Having said that, if you gave me a billion dollars today, what
> percentage of the Google security team could I employ tomorrow?

Here, I'd just say what I mentioned to Dave in an earlier thread:
people have strong beliefs about P0, and I think it's fine. But from
what I recall, P0 amounts to somewhere under 5% of Google's security &
privacy headcount - so projecting these beliefs onto the entire
security org just doesn't seem right.
