The whole Dan Kaminsky DNS Thing has gotten me thinking about disclosure. I intentionally haven't blogged about it because, well, the speculation around Dan's finding has turned into something of a spectacle. And you didn't need to read yet another blog post about the sky falling.
But on the eve of Black Hat, with Dan's talk less than a week away, I can't help feeling like we've gotten no closer to understanding the issue of disclosure than we were a year ago. So, all I'm going to say about Dan's recent "situation" is that I, for one, am impressed by the level of care and coordination that went into working with vendors to get patches. This is hard. Researchers hate it because vendors can be uncooperative, incompetent, and downright vindictive. So, thank you, Dan, for spending what must have been countless hours on conference calls and e-mail getting vendors on board.
Now that that's out of the way, let's talk about research, disclosure, and the future. Dino Dai Zovi noted in a recent blog post that the '90s were the era of full disclosure, and that that era is now over. (It's an excellent post. Go read the whole thing.) This is evident in a number of ways. For one, ZDI and other pay-per-sploit buyers. For another, in-the-wild 0days showing up for sale from malware vendors like the MPack team.
And then there's the ongoing "debate" (read: stalemate) between researchers and vendors about protocol, grace periods, and credit.
So disclosure is a mess. But I don't think it has to stay this way, at least not in the USA. Researchers who publish - as opposed to sell - have the opportunity to become consumer advocates. By cooperating with vendors in a way that still holds them accountable, researchers can demonstrate value to the consumer public. Once that becomes the prevailing sentiment, other interesting things like grants and nonprofits can make it possible for researchers to earn a living without having to also do consulting or sell their exploits to a third party.
And that's the dead horse I'm beating in the disclosure race - the consumers of IT products don't have a voice in the disclosure dialogue and desperately need one. Researchers can, if they're able to forgo infighting and ego theatre, be that voice.