Violent Crime, CSI and Vulnerability Disclosure
Posted by Gunter Ollmann on January 14, 2007 at 7:35 PM EST.

It would seem that the Internet isn’t the only place in which criminals can learn from the good-guy disclosures and develop more successful ways to conduct their crime.  With the increased popularity of crime sleuthing shows such as CSI: Crime Scene Investigation and Cold Case on TV, violent criminals are learning the art of obfuscation and how to cover their tracks.

In what has been dubbed the “CSI effect”, crime experts have identified an increase in violent criminal cases in which suspects burn or tamper with evidence and clean the crime scene of anything traceable, based upon what they learned from TV criminal forensics shows.

Now, the thing is, are people calling for these TV programs to be taken off the air because they make it “easier” to get away with a violent crime?  Unless I’ve missed something, I haven’t heard of any efforts to ban this kind of TV show.  Quite apart from making for interesting viewing, they are educational as well – educational in a way that makes it pretty clear (despite all the ‘tricks’ the criminals use) that you’d have to be dumb to think you can get away with the crime in the end.

So, while the CSI effect may make it more difficult in some cases to solve a particularly nasty crime, these shows also make would-be criminals think about their future actions and probably do a fair bit to reduce the probability of a violent crime.

However, when it comes to Internet security, we often see the opposite.  Take for instance when someone publishes a paper about a new class of vulnerability and explains how it can be exploited.

Typically the first thing we observe is emails from the detractors telling us how irresponsible the disclosure was, how the Internet is going to melt into a small ball of black gooey tar, and that we’ll all be sorry for not listening in the first place...  which in turn gives the paper a lot of attention, which makes everyone read it, and people begin to put their newfound knowledge to use.

While I’m certainly not a fan of disclosing exploit code or a paint-by-numbers path to creating an exploit – in general, disclosures about how a new security flaw can be leveraged into an attack tend to benefit the security community.  Granted, there is often initial pain (especially for the originally affected vendor), but the industry itself learns and, as other vendors identify how the flaw could potentially affect them, future releases of their products are preemptively protected.

So, while cyber criminals may learn from disclosures how to conduct a new crime or make an existing vector more successful, the software industry as a whole generally benefits more.

Copyright 2001-2007 © Gunter Ollmann