Why does it seem like there isn't really much ethics in security research?

I often see security researchers discover a new technique that can be used for breaking into computers or evading detection and the goal is supposedly to force white hats to fix the problem that didn't exist until the researcher created it.  A vulnerability is a known weakness, and if black hats aren't using it then developing tools and techniques that black hats can use, even if you provide a fix is just making the defense more complicated.  It's one more attack we have to look out for. 

I don't think we'll ever see a black hat like a carder discover a new technique law enforcement could use to catch them and then make it public in an effort to force other black hats to fix the problem.

If there is already evidence of the technique being used in the wild then yeah I'm all for creating awareness and fixing it, but a lot of times it's a new technique that even the researchers may say they don't think is occurring in the wild.


It's not about whether I know about the vulnerability, it's about no one at all knowing about the vulnerability.  If no one knows about the vulnerability then there is no one to exploit it.  There very well may be a technique to turn lead into gold discovered someday, but at the moment we aren't vulnerable to that because no one is doing it because no one even knows how.

Being proactive is important in almost everything, but I don't think it's appropriate when it comes to security researchers developing new tools and techniques that are going to be used against us.  They're fixing a problem that didn't exist until they discovered it.  Even if they offer some solutions for mitigating the attack (sometimes they don't even do that), it's still just mitigating it.  It's making the defense more complicated because it's yet another thing we have to defend against.

I think security researschers should focus on researching attacks that are currently being used in the wild and help find ways to defend computers rather than create new ways to attack computers.  If you're in a war you don't want to develop new weapons that are only going to be used against you just for the sake of being proactive incase the other country might of created the weapons on their own.



You can never prove a negative, but they can research it... they should be good at it.  Google, network with other security researchers, analyze comunication, infiltrate hacker chat rooms, reverse engineer malware, honeypots, Web Server Log Project, etc.

Going to side with Dynamik and Ziggy, if they are not doing the research and letting us know, then we are at a disadvantage when it comes to defending.  There is a big debate about Full Disclosure and when it is appropriate.  If the vendors won't fix the issue, then we are left to use what tools we can to better protect against the vulnerability. 

hmmm all of a sudden I am getting a vision of a white-hat paraphrasing Jack Nicholson from a Few Good Men 

might go something like this...

put together in a rush, CISSP because ISC2 would consider exploit development and sharing it with the public against their COE, but there is debate on that as well.

I will agree that providing fixes along with what is broken provides significant value, but raising awareness that something is broken may help someone else devise a solution on the back of the breaker's research or help organizations avoid unnecessarily insecure implementations of the flawed technology in upcoming projects. If I don't know something is possible (like anti-forensics) I will make flawed assumptions about what is happening on my network. What if I did not know about the latest cool antiforensic technique and I made a rapid judgement based on faulty information that cost some poor shlub his job, or sent him to jail? I just might be able to compensate for these failures if I have enough information to understand how the attack is carried out or at least be able to educate management so we don't jump to conclusions. Maybe that malware evasion technique could be detected in other ways not previously thought of, maybe I could write a Snort signature to detect it. But if as a security researcher I don't know about the evasion technique, how would I even know where to start my research or even understand it was necessary? Burying your head in the sand does not further our collective knowledge. Understanding of real world techniques does. This whole thread comes off like a huge troll. I am truly astounded, do we really need to have this discussion in 2012?

</rant>

Do you seriously think that whitehat security researchers are leading the curve here? There may be pockets of genius that generate additional risk due to teaching blackhats techniques they did not know about, but by and large we are playing catchup. The bad guys have enormous resources to deploy here, far more than we can hope to match. Just because we don't know about that cool new antiforensic technique does not mean that it is not being utilized already. It just means we are blind to its usage. It's not like the bad guys share all their tips and tricks in some secret club. They are monetizing these attacks and just like any corporate IP, it's often a trade secret. Sometimes you see them bundled in exploit packs and sold to other criminal groups, but the really juicy stuff is kept closely guarded from what I've seen. What you are suggesting is highly dangerous and would be a huge step backwards in the progress we have been fighting for years with regards to information sharing.

No, I don't think security researchers are leading the curve, I think they sometimes do research that benefits blackhats more than whitehats.

I'm aware that there are tools and techniques out there blackhats are using we don't know about.  That's why part of security research should be threat intelligence.

Information sharing is great.  The problem is if the information like anti-forensics consists of problems without any solutions then I don't think the "research" has helped us.  It's helped the bad guys.

No movie paraphrasing this time...


Key phrase is reactive.  We are already at a disadvantage since many corporations do not want to invest in Information Security until a problem is discovered.  By that time the issue could have been present for months without being detected.  Typically in a targeted attack, the tools used are brand new exploits and malware.  They are customized for that victim network and will very rarely appear elsewhere.  They may utilize a similar vulnerability but the signature is so different that AV products will not detect it and IPS signatures may not see the traffic since it designed to look like normal chatter.

We need the researchers to find these things in the hopes we can start becoming more proactive.  There have been some 0Days released that had been around for years.  So the question would be, how long has the vendor known about it and how long have the blackhats known about it and used it?  Should the researchers also figure how to prevent these attacks?  Sure, but honestly, that should be for the software vendor to determine since the researcher may not have access to the source code to figure out how to fix the issue.  Many pen testers and vulnerabilty assessors will inform the clients how to better protect against the issues they find during the test.  Some fixes involve reconfiguring the devices and software and some involve patching.  Some exploits cannot be protected against but you can prevent an attacker from getting to the point where they can use the exploit.

As for the tools, there has been talk by many government bodies about making  the use of "hacking tools" illegal in the hopes that it would deter hackers from performing their attacks.  So what that would do is take the tools out of the hands of the good guys and the bad guys will continue to use them and develop them.  Remember we have to abide by laws of our countries, that is what separates us from the blackhats. 

The Superman would never kill Lex Luther but Lex would attempt numerous times to kill Superman (up until all the What-ifs and such - I miss comics sometimes).  That is what separated the hero from the villian.  He could end Lex anytime he wanted but then he would be no better than Lex.  Same goes for Blackhats vs Whitehats, we could easily start developing and deploying malware against the blackhats of our own free will but if we are not working under the orders of the military or law enforcement, then we become vigilantes and our creations could end up working against us.  We are trying to keep the malware and exploits down, not increase them.