And You Will Know me by the Trail of Bits… (no more free bugs)

http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/

This sums up the direction I have been heading in for some time now with regard to vulnerability disclosure. After ten years of handling vulnerability disclosure for various companies and OSVDB, I am fed up with the process. It always involves an incredible amount of time and effort hand-holding the vendor, explaining concepts they should readily understand, assuring them that you mean no harm and submitting to their procedures and timelines, all to be ‘responsible’.

At all levels of the vulnerability discovery and disclosure process, there is value. Many people in our industry are seemingly stuck in the 1990s mindset regarding vulnerability value. The methodology for discovering vulnerabilities has value, as new methods fuel white papers that drive advertising to niche companies. Customized tools allow for easier discovery and more reliable exploitation of vulnerabilities, which gives value to the tool maker as well as the companies that use them to perform commercial work. While a vulnerability is being disclosed, it has value for companies that sell such information or provide defensive technology that can look for the resulting exploits. Even after disclosure they become a form of advertising to companies and resume fodder for individuals.

The views of folks like Ross Thomas from Sophos are silly. If a researcher spends the time to discover, research and document a vulnerability, of course it is theirs to do as they please. Vendors need to come up with a reason why responsible disclosure really benefits everyone, not just ‘their customers’. Of course it benefits their customers, but it also benefits their bottom line, which is the vendor’s verification of vulnerability value (channel Hugo Weaving as you say that line).


Is that the best you can do?

Invariably, when I mention my Guinea Pigs to people, one of the most common and consistent reactions is to tell me that people eat them in South America. ZOMG REALLY? THANKS INFO. Oh wait, that isn’t the response they wanted. ZOMG REALLY?! POOR PIGS IM SO SHOCKED AND DISGUSTED! There, does that work for you? Make you happy?

Please, for the love of whatever you consider holy, consider that I have read more about the uses of Guinea Pigs in South American cultures than you have. Cooking a gpig and eating it is part of their culture. Guinea Pigs also have a much higher protein value and are considerably better to eat than many of the meats Americans partake in.

While you are HAR HAR HORFING all over yourself in glee as you tell me this totally barbaric tale of edible Cavies, why not evolve and tell me how they are also rubbed on the body of sick people, killed, cut open and used as a form of diagnosis to determine what ails the person. Some South American cultures believe that the Guinea Pig’s organs will turn black where the person’s sickness is. Maybe you should tell me about all the creative ways they have to kill a Guinea Pig; cutting them open, snapping their neck, smacking them against a wall, stepping on them.

Really folks, it doesn’t shock me. I’ve read more about it than you have. I’ve seen more pictures of it all and I could probably find a cart in New York City that sells freshly cooked Guinea Pig meat faster than you can.

There is a huge difference between using an animal that is a local resource for sustenance, economy and healing, and using them as frequently mistreated and abused pets in rural America. I rescue Guinea Pigs from cruel fat stupid Americans; I have no illusion of changing 5,000 years of South American culture and history.

Until the next time you bring up this mindless crap, remember that some cultures eat cats, dogs, snakes and all the other beloved pets Americans love to keep.