Register to Bit9: Would you like failsauce with that?
Posted by Ed in Analysis on Dec 12, 2008
I just came across the Register article pointing out the inanities of Bit9's new vulnerable application list. Now, I'm not going to pig-pile on Bit9 here. I think the Register's already done as much slamming it, everything it stands for, and the horse it rode in on, as needs doing.
But I do have a few unanswered questions. Not wanting to pre-judge Bit9 based solely on the content in the Register (they’re usually right on the money but “trust no one” as Mulder would say), I went off and viewed the Bit9 report to find out what they actually said. And the thing I can’t figure out is what the significance of an application being on the list is. To save you the effort of reading it, the apps on the list are (in order):
- Firefox
- Adobe Acrobat Reader
- VMWare Player
- Sun JRE
- Apple iTunes, Quicktime, and Safari
- Norton AV
- Citrix
- Aurigma, Lycos
- Skype
- Yahoo Assistant
- MSN Messenger
Paraphrased, the criteria for inclusion in the list are:
- most people can run the app (items #1 and #3)
- it’s popular (item #2)
- it’s had a critical bug (item #4)
- it has security-related configuration settings that the user can monkey around with (items #5 and #6)
So, here’s the thing. Based on the criteria, it seems to me that they picked a reasonable set of apps. I’d ask why Citrix and Lycos, and not, say, the Google toolbar? But whatever… maybe the recent Google toolbar bugs weren’t critical enough. I agree that this is a set of popular apps that have security bugs. I agree also that unless you lock down the environment, users get to download them, control the security settings, and maybe even not patch them. So… what next?
I think the issue here is that Bit9 set themselves up by being (deliberately?) vague about what the list is supposed to prove. It could be one of two things:
1) a “top n” of “dangerous” apps
2) proof-points that there are security issues in apps people download
The Register assumed they meant it as #1 (which is implied by the title, “The Most Vulnerable Applications”). If this is true, I would say the Register is right to mock it. But if they really meant #2, I would ask first why they chose to call their paper what they did. Based on the title, I’m thinking #1. Based on the content, I’d say #2.
If it’s really #2 that they were trying to say, the paper basically reads as follows: “Security’s a huge problem. Here’s a list of popular apps that have security bugs. That being the case, you should buy our product.” But the part that’s missing (in my opinion) is, “Security’s a huge problem. Here’s a list of popular apps that have security bugs. Here’s why this matters to you. That being the case, you should buy our product.”
Anyway, I think at the end of the day that The Register was harsh – maybe overly so based on what Bit9 actually (may have) meant, but I’m also not sure that Bit9 expressed their message as well as they could have. I’m totally on board with Bit9 telling me why I should buy their product – and if they have data points to back it up, so much the better. But if you’re going to do that, spoon-feed me the connection between the message and the data points so that the list doesn’t look like FUD. People hate that… and some people are more caustic about it than others.