With the recent discussions, blog postings, whining, finger pointing, and characterizations that have once again sparked the never-ending vulnerability disclosure debate, and earned it a lifetime achievement award as the security industry’s most useless topic, I thought I would share some time I spent with some Chinese friends during my travels through SE Asia.
What I was shown was the most active and open distribution of malware, kits, and exploits I have ever witnessed. I will refrain from the details, but considering the perceived insular nature of China and the openness of the US, I can tell you that from a sharing-of-knowledge perspective we are way behind.
I asked some questions about disclosure and was met with puzzled looks and shaking heads. It reminded me of a conversation I had with a Ukrainian programmer friend of mine. I was recalling how during my childhood, at the peak of the Cold War (at least in my era; I was not around during the Cuban missile crisis), the schools would run bombing drills – air raid sirens would bellow and we would be instructed to move quickly, but judiciously, towards the shelter of our cheaply built wooden desks. I asked my friend if they experienced similar drills in the Ukraine – same puzzled look, same head-shaking, and then laughter as he said, “Wow, were the desks made of adamantium? In the Ukraine we would practice running to the nearest bomb shelter.” The Ukraine was one of the major weapons manufacturing centers for the USSR, so he also told me that as kids they played with hollowed-out tanks and decommissioned, non-firing AK-47s – that would have been cool – but I digress.
You didn’t have to be a nuclear physicist or a demolitions expert, or even have beyond a first-grade education, to know that if a nuclear bomb was launched and exploded anywhere within a state or two of the school, the cheap wooden desks with wobbly aluminum legs would have done nothing, but we went on running the drills anyway.
I am pretty sure that the “sharing” is the same in Russia, Brazil, and throughout the non-English-speaking world (except for France). So if most of the world has a policy of sharing security information, regardless of their political, economic, or social position, and we are adamantly caught up in the “drama” of disclosure, you have to ask the question – is it working?