a few parting words on security

After four months I am leaving FSC Internet to get back into the field of software development. While security is interesting, it, like many things, is only interesting to me if I don’t have to do it full-time.

This doesn’t mean that I’ll stop weighing in on security matters. Heck no. I have a few parting thoughts as I wrap up at FSC.

Today’s Daily Dave is, as usual, pretty entertaining. It’s not quite as cohesive as past entries, since he tries to talk about a whole plethora of topics, eventually winding up at a discussion about how many security companies are being co-opted by developing “partnerships” with the very industries they are supposed to be protecting. In principle, I agree with him: from a 30,000-foot view, it would seem that any security company that’s been hired to assess vulnerabilities in a client’s products would not do anything to embarrass the client.

However, any ethical security company would still disclose security vulnerabilities to the client, and work with them to deliver a measured advisory and response to the community. Failure to do this means the security company isn’t worth its salt.

In the specific case Dave mentions in his article, there is a glaring remote root exploit in the code for RealNetworks’ streaming media server products. He is claiming that the various security companies that RealNetworks has hired over the years to do vulnerability assessment are accomplices in this massive coverup to hide the security hole.

I don’t particularly buy this point of view. By the principle of Occam’s Razor I believe there is a simpler explanation: the security companies that RealNetworks hired are simply incompetent. In the article Dave says that the hole can be found within 10 seconds of starting up SPIKE (which I’ve mentioned here before in this journal), but there’s nothing to prove that the security firms actually tried to use this tool, or any other tool. For all we know, their “code audits” could have been a complete joke — and not necessarily just because they were working for RealNetworks. Perhaps it was just a quick smash-and-grab for them to assuage the vulture capitalists.

I have one more viewpoint to post on security issues — it’s about PGP/GnuPG and why I think digital signatures/encryption of correspondence isn’t more widely used. I’ll tidy it up and post it on Wednesday, my last day at FSC. After that, I’m on vacation to NYC for a few days before starting my new position as a software developer for the CBC.