Reporting Vulnerabilities Is For The Brave
An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
I think a vulnerability can be reported anonymously quite safely (for a good deal of people anyway). Try the following:
1) Get a laptop with wireless.
2) Boot with Knoppix, change MAC address.
3) Walk around until you find unsecured AP.
4) Post said vuln everywhere (including
-wmf
All things considered, it's a whole lot safer (not to mention more profitable) to notify the black hats about vulnerabilities rather than the vendors or the public.
Lacking <sarcasm> tags,
Just wait for the Slashdot dupe before reporting. That will have given the software authors at least six to eight hours headstart!
I jest, I jest!
Open Source projects don't interrogate and try to prosecute you if you find a security problem and report it.
I'm not proposing one do this... but it makes one think
'if I'm gonna get jailed anyways... might as well make some money off of it'
back in the day we didn't have no old school
Reporting vulnerabilities is for the brave,
Hollow First Posts are for Anonymous Cowards.
Maybe there should be a site to allow anonymous reporting of vulnerabilities. This way people could do the right thing without having to worry about the repercussions.
You could have some sort of secret key to verify that you were the original submitter, if you later wanted recognition for the report. (I imagine a PGP signature of a secret text would be sufficient to allow validation, without any chance of determining who posted until they came forward.)
Software sucks. Open Source sucks less.
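An added example (not from this thread) of the "prove you were the original submitter later" idea in the comment above. It swaps the commenter's PGP signature for an HMAC-SHA256 commitment keyed with a random secret: the submitter publishes the commitment next to the anonymous report, keeps the secret offline, and can reveal the secret later to prove authorship; the report text and product name are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Domain-separation tag so the commitment cannot be confused with any other
# HMAC/SHA-256 use of the same secret.
_TAG = b"anon-vuln-report-commitment-v1\n"

# Constructed sample report for the demo (hypothetical product, not a real bug).
SAMPLE_REPORT = """Product: ExampleCorp Portal (hypothetical)
Issue: session handoff script accepts a username as its only credential
Impact: anyone who knows a username can open that user's session
"""


def canonicalize(report_text: str) -> bytes:
    """Normalise line endings and trailing whitespace so the same report still
    verifies after being re-posted with slightly different formatting."""
    text = report_text.replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.rstrip() for line in text.split("\n")]
    return "\n".join(lines).strip().encode("utf-8")


def make_commitment(report_text: str) -> Tuple[str, str]:
    """Return (secret_hex, commitment_hex).

    The submitter publishes commitment_hex alongside the anonymous report and
    keeps secret_hex offline. HMAC-SHA256 under a 256-bit random key reveals
    nothing about the key, and the value is bound to this exact report text."""
    secret = secrets.token_bytes(32)
    mac = hmac.new(secret, _TAG + canonicalize(report_text), hashlib.sha256)
    return secret.hex(), mac.hexdigest()


def verify_claim(report_text: str, commitment_hex: str, secret_hex: str) -> bool:
    """Return True only if secret_hex reproduces commitment_hex for this report.

    Whoever can present the secret is whoever published the report; until they
    choose to come forward nobody learns anything about them from the
    commitment. compare_digest keeps the check constant-time."""
    try:
        secret = bytes.fromhex(secret_hex)
    except ValueError:
        return False
    if len(secret) != 32:
        return False
    mac = hmac.new(secret, _TAG + canonicalize(report_text), hashlib.sha256)
    return hmac.compare_digest(mac.hexdigest(), commitment_hex.lower())


def demo() -> bool:
    """Publish, then later claim authorship; impostor and tampered claims fail."""
    secret, commitment = make_commitment(SAMPLE_REPORT)
    genuine = verify_claim(SAMPLE_REPORT, commitment, secret)
    # Someone who did not write the report cannot produce the secret.
    impostor = verify_claim(SAMPLE_REPORT, commitment, secrets.token_hex(32))
    # The secret does not transfer to an altered version of the report.
    altered = verify_claim(SAMPLE_REPORT + "\nImpact: none", commitment, secret)
    return genuine and not impostor and not altered


if __name__ == "__main__":
    print("demo passed" if demo() else "demo FAILED")
```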
Well, the website has already gone. One thing which I find with all this though is that you should just put it up anonymously on some often checked BBS or newsgroup or something. It is really stupid that companies think that the danger of hacking comes from people who publicly state security holes and not the people who stay very quiet and use them... some mistake?
*''I can't believe it's not a hyperlink.''
Wired and USA Today should be applauded for having the courage to report on the vulnerabilities being exploited by our over-zealous govt. Now lemme go RTFA.
What you did was open the door litigation against Bob's Software for negligence. Bob's Software doesn't want the flaw to become public. When you stand up and point the finger at Bob's Software, they will be looking for someone to pass on the litigation fees to, so you get sued. Not only that, someone needs to be made an example of so others don't try it in the future.
Anonymous email accounts are easy to come by. Send an anonymous announcement to the Full Disclosure mailing list and be done with it. Otherwise you're risking the legal bills of fighting whatever company decides to sue you.
Coincidentally the quote on the bottom of the page when this was posted:
I stick my neck out for nobody. -- Humphrey Bogart, "Casablanca"
Ah well, at least we'll always have Paris.
You can't talk about Wikipedia's flaws on Wikipedia
Use one of the myriad anonymous methods of reporting.
This separates those with a legitimate concern for making the information public, from those who want compensation or other credit for making the report. It also ensures immunity from persecution or prosecution.
There is no credibility issue, since any report of this nature must be independently verifiable anyway.
So there, the problem is solved, except for those whose only purpose of revealing information is in order to receive something in return, and to hell with them.
-fb Everything not expressly forbidden is now mandatory.
of course, this means that everyone else finds out about vulnerabilities first. This might not be exactly what they wanted when they make it illegal to report.
"It is a greater offense to steal men's labor, than their clothes"
This raises a good point. There are many circumstances that exist where "doing the right thing" has potentially negative consequences.
* Picking up a hitchhiker
* Reporting evidence of theft from a company (retaliation, backlash if employee is exonerated)
There's more than my limited mind can produce.
I think a vulnerability can be reported anonymously quite safely
And you can even get paid for doing it! Remember the Zero Day Initiative that was on the news a while back? They guarantee anonymity.
Mirror on mirrordot: http://mirrordot.org/stories/eb978ff67fb8dafc478d49996caeaeb0/index.html
Hey Tony, this guy doesn't wanna keep his mouth shut, you want I should whack 'em ?
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Hope not, 'cause right now it's... hold on, there's someone knocking on my door...
This space intentionally left (almost) blank.
No really. Why should that be OK? Is it OK for someone to walk around the neighborhood and try turning all the doorknobs? How about pushing the doors open to see if they're bolted? Should they take a picture from inside and send it to the homeowner as proof that someone could get in? Should you be surprised when someone tries to prosecute such a person? Sorry for the analogy, let's just try to answer the first question about hacking without authorization - why do people think that's OK?
That's all quite true.
At that point, anything serious that happens, say Program causes some other company to lose lots of money, puts Bob's Software as a responsible party for allowing this known flaw to exist.
And, if software were like any other tangible (and most intangible) products/services in the world, you would be correct here as well. Unfortunately it's not, so you're not. Why? Those lovely click-wrap EULA licenses explicitly and specifically disclaim all liability, including even fitness for purpose. Look at almost any EULA out there and you'll see that usually the most you could possibly recover, even if this software somehow manages to kill you, through gross negligence or otherwise, is the price you paid for it.
Of course, Bob's Software doesn't want to part with your money, so your point is still partially valid. However, I think we shouldn't overlook the fact that we're not talking about huge product liability lawsuits, and yet they're treating disclosures as if we were. Basically they're trying to have their cake (EULA disclaimers) and eat it (prevent disclosures) too.
They would, it seems, be doing fairly well at both right now.
"where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem."
Been there, done that. Got arrested, got lucky, found not guilty on all but one charge, but lost three computers because the court did figure out it was wrong of me to use a pwd (I did test the flaw, big mistake), even if it was on a public C: drive for everyone to see and in a clear text file. I am never going to report a bug in a computer system in a school, company or anywhere else again. Don't care what the type of the flaw is or whose it is, it is their own problem, they can handle their own infestation.
You shouldn't go to jail for doing a good deed.
There are "Good Samaritan" laws that protect you from being sued if you give first aid to someone in distress. http://en.wikipedia.org/wiki/Good_Samaritan_law How about a similar law for other kinds of good deeds? There are also whistleblower laws but they are a bit iffier. http://en.wikipedia.org/wiki/Whistleblower
George W. said he was going to fix all the litigation we are suffering from but as far as I can tell, he hasn't done a thing.
Reporting a vulnerability should be a social duty not a crime.
This story is true...
It's easy to spoof email addresses with a very simple PHP script.
I decided one day to trick one of my colleagues. I sent him an email 'from' one of our very attractive colleagues (in a fairly distant department so I thought it safe at the time) complimenting him on his physique and machismo. I used her real email address as the 'spoof' address, which being the dumbass he is, he replied to. In a manner that would not be considered acceptable in a work environment, let's say...
Well, I got in trouble for this. (Everyone where I work already knew I was the only one capable of something like this... [lame]) So that same afternoon I was called into my boss's office. He was quite frank, and also remember that I value my job here, he said "That email... You had something to do with it didn't you?"
I said that I was the cause of that little incident by way of one of my scripts. I said I was sorry it went as far as it did, and my boss accepted that.
After that my boss said, "Do you have any other things you wish to report?" I decided that I'd come clean with everything I'd found out about the work network. I told them that using the Citrix system, I could remotely control anyone's PC on the network. I told them I could spoof emails from anyone... Which resulted in my company rejecting email authorisation for crediting invoices full stop.
OK, through a prank I caused my company a bit of upset... But I, in turn, improved systems indirectly. And all this because I exposed one weakness, and upon my boss's asking me about it - I told all. As I'm sure any loyal employee would do. Through exposing a weakness in my company, I concentrated effort on plugging those holes.
In Soviet Russia, the vulnerable reports you... oh wait.
ELOI, ELOI, LAMA SABACHTHANI!?
The people running Web sites, or creating software for that matter, might want to consider some of the consequences of their current crack-down on vulnerability reports. Yes, vulnerability reports are bad PR. However, if this keeps up people who find vulnerabilities will have only two feasible alternatives:
Step 2: Profit $$$
I have two times found and two times reported vulnerabilities I have found in public web based systems.
Let me tell you, it was not easy. Here's the story of the first time because it's the most interesting.
I worked for a community college in its tech department. A lot of my time was devoted to answering phones and helping faculty with problems, which did leave me idle a lot (high availability requires high idle time as a consequence). As a tinkerer, my idle time is never spent truly idle, but pursuing things that don't require 100% attention.
The community college I worked for had many different systems, and as such had many many translation layers between them. One of these transition layers was a transition from a "Portal" type website to another website that handled student information. (class registration, transcripts, billing, paying, you know all that important personal stuff).
Anyway, I found a flaw in one of the scripts used to authenticate a user session to the second web service. The flaw was that the moron who coded it decided that creating a script that accepted 1 variable (the username) was enough security to authenticate a login.
By closely observing the script's actions through my web browser, I noticed there were 2 very quick redirects. Focusing my efforts there (and logging my URL requests), I found the call to the script that required only the username.
So, basically, at that point I had access to anyone's student account that I had the username for.
I documented it very well in a long email, and demonstrated the flaw to my coworkers. I thought I would be a real hero for finding it; I mean after all, if I had found it who knows who else might have? Surely, disaster averted!
But... my idealism in the situation was met hard with reality. My inexperience led me to not take into account factors I should have.
After reporting the vulnerability, a minor investigation was launched which I was the subject of. I felt more like a criminal than a saint. After demonstrating how I could log in to their accounts, my coworkers were suspicious as were my superiors. The thought pattern seemed to go like "Well shit, if he can do that, what else has he done? Why was he even poking around there in the first place?".
While never actually accused of any wrongdoing, they weren't nearly as impressed with my find as I thought they would be. I was looking for a pat on the back, maybe a bonus, but instead my superiors were troubled and nervous. I'm not sure if I was right in feeling this way, but I never felt quite fully trusted there again after that one.
The other thing I didn't think about was how the existence of the error then impeached the person who wrote it. Rightfully so, because it was a FOOLISH error, but the guy who wrote it was a guy who had been employed there far longer than I, and of course having me find it and dismantle it presented quite an embarrassment to him.
I ended up leaving the job there 6 months later for a variety of reasons, but reporting the vulnerability was one of the 2 or 3 core reasons that I left. I don't regret it at all and would do it the same way again, but going through it taught me a lot about how NOT to be someone's boss (should I ever become one in the future), and not react in the accusatory manner like my superiors did.
The biggest security threat is Al-Qaeda Headquarters.
I hope this helps.
ex-Patriotically,
Kilgore Trout, M.D.
I had worked for the Cuyahoga Falls School District in IT. I had noticed that on NeoNet's (our Internet provider) FTP server, anonymous was able to download, upload, and delete any file on the server. I reported this in October 2000 to NeoNet; they did nothing about it. In March of 2001 I was laid off due to financial issues in the school district. Weeks later, the school's web site was replaced with a porn site using the anonymous login. They immediately assumed it was me. Luckily they were able to track it down to a student at the school. They then immediately fixed the FTP problem.
--
Free Linux Shells!
NicoNet 2000
CERIAS Weblogs Reporting Vulnerabilities is for the Brave
I was involved in disclosing a vulnerability found by a student to a production web site using custom software (i.e., we didn't have access to the source code or configuration information). As luck would have it, the web site got hacked. I had to talk to a detective in the resulting police investigation. Nothing bad happened to me, but it could have, for two reasons.
The first reason is that whenever you do something "unnecessary", such as reporting a vulnerability, police wonder why, and how you found out. Police also wonder if you found one vulnerability, could you have found more and not reported them? Who did you disclose that information to? Did you get into the web site, and do anything there that you shouldn't have? It's normal for the police to think that way. They have to. Unfortunately, it makes it very uninteresting to report any problems.
A typical difficulty encountered by vulnerability researchers is that administrators or programmers often deny that a problem is exploitable or is of any consequence, and request a proof. This got Eric McCarty in trouble -- the proof is automatically a proof that you breached the law, and can be used to prosecute you! Thankfully, the administrators of the web site believed our report without trapping us by requesting a proof in the form of an exploit and fixed it in record time. We could have been in trouble if we had believed that a request for a proof was an authorization to perform penetration testing. I believe that I would have requested a signed authorization before doing it, but it is easy to imagine a well-meaning student being not as cautious (or I could have forgotten to request the written authorization, or they could have refused to provide it...). Because the vulnerability was fixed in record time, it also protected us from being accused of the subsequent break-in, which happened after the vulnerability was fixed, and therefore had to use some other means. If there had been an overlap in time, we could have become suspects.
The second reason that bad things could have happened to me is that I'm stubborn and believe that in a university setting, it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person (e.g., a staff member or faculty) and mechanism. Why anonymously? Because student vulnerability reporters are akin to whistleblowers. They are quite vulnerable to retaliation from the administrators of web sites (especially if it's a faculty web site that is used for grading). In addition, student vulnerability reporters need to be protected from the previously described situation, where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem. Unlike security professionals, they do not understand the risks they take by reporting vulnerabilities (several security professionals don't yet either). They may try to confirm that a web site is actually vulnerable by creating an exploit, without ill intentions. Students can be guided to avoid those mistakes by having a resource person to help them report vulnerabilities.
So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited. I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student. My superiors also requested that I cooperate with the detective. Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized? Thankfully, the student bravely decided to step forward and defused the situation.
As a consequence of that experience, I in
When vulnerabilities are outlawed, only outlaws will use vulnerabilities.
The crappy thing is that it doesn't actually have anything to do with security. Really, it's just that they don't want the public to hear about security flaws in their products, as it's might impact sales.
Hmmmm, of course the article focuses on the big evil website administrators for attacking the small defenseless students who tried to (probably) illegally break into his system. The article carefully avoids any discussion of what these students actually did to 'discover' the vulnerabilities.
I'd venture to say that most hackers 'smart' enough to hack into a website is probably smart enough to send an anonymous email reporting the hack. If the administrator ignores the emails or warnings, then the burden falls upon them.
This is similar to a crook breaking into a house and then reporting the secret stash of drugs or child porn they found. Ok, it would be nice if they could report it anonymously, but it certainly doesn't justify the initial illegal behavior. And, like most crooks, they probably break into hundreds of places before they either get caught or find stuff worth reporting (like being able to access student grades or SSN).
That said, I agree it's in the website's best interest to allow folks to anonymously post vulnerabilities. Duh.
whenever you do something "unnecessary", such as reporting a vulnerability, police wonder why, and how you found out. Police also wonder if you found one vulnerability, could you have found more and not reported them? Who did you disclose that information to?
The truth is the police would like to suspect you, and knowing it is not probable they also know they are just there to look important knowing nothing will ever be done.
I wish someone would say it as it is, buyer beware - hey business, you bought a security defective product that is not fit for uncontrolled access.
Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?
The student too was certainly brave as he ran the same risks as you did. Vendors think scaring off support people will get their systems secure when they are not. Hint, this is like sticking your head in the sand.
I let a vendor know 3 years ago about a wide hole big enough for an aircraft carrier. Still isn't fixed. The last time I found one this big, the vendor ignored it and a year or two later some big worm got a nice run.
One question I need answered is:
Am I liable if I don't report it and disseminate the information? Obviously the vendors and authorities would rather think I am a criminal if I disclose it. Sort of screwed either way.
From the old childhood fairy tale: anyone who dares tell the Emperor he's actually naked will get their head chopped off.
I remember someone explaining that it's perfectly legal to walk up to a house and walk through an open door, so long as you leave when you're asked to. It's not trespassing until you refuse to leave when they ask. It's not breaking and entering if the door was wide open.
Don't thank God, thank a doctor!
You know the statement. And it's twice as true with vulnerabilities.
It IS already very hard for security companies to get 0day exploits at their hands. Making it illegal to report vulnerabilities is about the DUMBEST thing to do. It means that the info only circulates in the cycles that want to exploit them.
Now, that SURELY raises security. About as much as the snooping of governments raises freedom.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"If reporting a security bug to one of your employers is a problem", because they refuse to do anything about it, thereby screwing over your clients or customers, and you *also* happen to be a stockholder, a situation that gives you a ton more legal standing, then well, well, well, don't talk to said clueless bossman again; instead get thee a lawyer and be prepared to become a much larger shareholder than you were previously. Just don't sell even one share or tell anyone else about it, else you will screw up yourself. Management is required to pursue due diligence and protect the good name and profitability of the corp, you are required to not trade on insider information, hence why you need a lawyer to resolve the situation amicably... most likely you will win handsomely. Maybe even get to fire the boss!
I recently figured out a fairly anonymous method of reporting vulnerabilities for a cost of only $0.39. Send SASE for details.
Intron: the portion of DNA which expresses nothing useful.
Well, that's not so different from the situation in physical security systems. Go and tell a bank manager that they have an unsecured entry point in the air ducts, and that their alarms can be blocked by a XT42 bypass (or whatever), and the guards always have lunch at the same time leaving the screens unattended for ten minutes.
You are probably doing them a big favour, but the fact remains that they will be suspicious about you, and may call the police. How do you know about those things? What are your intentions? It's quite a natural reaction. We only perceive the situation to be different because we happen to be experts not in alarms but in computers.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
After many other security and OS-related jobs, I was tasked to do an analysis of the primary secured communications system for the DoD during the 1960's and 70's. I wrote a report (top-secret) in which I uncovered many simple software vulnerabilities. Immediately after submission of the report, all of my media and any hard copies were removed and classified so that I could no longer reference them. A friend told me that at least one of the simpler exploits still existed many years after being uncovered. Security through obscurity. Or intimidation. Excuse me while I take my laptop full of millions of personnel records through the checkpoints...
Report anonymously. :)
Through alt.2600hz
This way they will release the patch in days to weeks from your report, not months as usual.
An MMO I play, Nexus TK, had a serious bug revolving around event wins.
Specifically, I was able to give myself an unlimited number of Elixir War victories. Now, an Elixir War is an event held maybe twice a day, if that, in which players are split into two teams, play a sort of paintball/freezetag game, and at the end of three rounds, the event hosts summon an NPC near the winning team's base. Clicking him gives the player a choice of prizes, and selecting a prize gives the player a victory and teleports them back home.
The prizes are just dye potions, which change the color of your clothing. The reason you go is to get a victory mark, of which you need 15 to get your Sam San spells. So, this is something players would be jumping all over.
Let me just say: It was a ridiculously easy bug to find and exploit, and ridiculously easy to explain to other Nexus players, but would be several pages to attempt to explain to someone not familiar with the game.
Immediately after receiving my free win, I reported the bug directly to an Archon (GM) who was on at the time. It was obvious I could've gotten as many as I wanted, until the free-for-all ended, and it was equally obvious that I hadn't, because I only had 4 wins out of some 15 attempts.
Well, I got my free win -- that was it. I don't remember getting any additional compensation, and what's more, I was told to keep it to myself. No pat on the back, no reward, just a good laugh with the friends I trusted enough to explain this to.
To this day, I wonder if they've fixed it. It's entirely possible that they haven't, because to exploit it, you need two things: Your home server must be down (I live in a house, other people live in towns...), and you must win some sort of event. You may then collect the prize an infinite number of times, until they shut down the game server.
Would I report it again? Hell yes, I think people should earn their wins, and I think I earned my one free win by finding the vulnerability. But that's the only incentive I have. As many others have said, reporting a vulnerability only leads to cold suspicion, no congratulations.
I'm not bitter, really, I'm leaving that game for entirely unrelated reasons. But, this attitude needs to change. Even some recognition would be nice. And if you wonder where we're poking, and what else we could be doing, remember that anyone in the company could be doing the same thing, but those of us who choose to advertise our technical skill and actually report the vulnerabilities are probably at least being honest about it.
In other words, no good deed goes unpunished. It's so sad that attempting to help people can put you at risk.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
I wouldn't take his advice about deleting any evidence you found the vulnerability.
The problem is; you could have stumbled onto a honeypot. Or, the system could be vulnerable, but they could be logging your IP anyway (they're only half-incompetent).
Deleting evidence is a sure-fire way to get indicted for obstruction of justice, lying to investigators, etc.
I'm not sure what the right answer here is - but it's not "covering your tracks" because you can't always cover ALL of your tracks, and covering some of them just makes you look guilty.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
...Basically, I was job hunting and a friend directed me to a website of his company who was hiring. Now, instead of typing "www.company.com" I typed in "company.com". Boom, I'm presented with a database login. Hmm, I thought this was maybe for the job search, and didn't see a register button, so I just hit login. I was then presented with what I THOUGHT was a fake database... kind of like the example PHP websites you can "login" to to get a taste for the app. I wasn't 100% sure, but eventually decided to try running a SQL command... I changed all the company descriptions (it was a hiring agency) to "Change your admin password!" I then realized (late I know), that this was a REAL database after more poking around and finding real names/phone #'s/emails. I found the head of the company's email and politely told her there is a SERIOUS hole in her system. She (VERY) quickly responded with her phone number that I already knew and asked me to call. So, being the good citizen that I was, I called. Ha! She immediately asked my personal information which I was hesitant to give, and resorted to only giving my first name. Then she connected me with the "IT guy" if you could call him that, and I explained what I had done and how I did it. Throughout this whole conversation I was very nervous and got the feeling that I was being criminalized. After the whole ordeal was over (luckily they had backups), she offered me the job that I was initially seeking, but I politely refused stating I didn't feel comfortable working for a company that was as insecure as hers.
When you report vulnerabilities for commercial products, you're basically giving the company free consulting time. Why would you do that?
Identify, report, and fix vulnerabilities in open source software; open source projects won't sue you for it, and you get to benefit from your reports without having to pay for them again.
(The same goes for any other bug report, actually.)
Let's not complicate things unduly. Stroll to the nearest internet cafe, send an anonymous mail and pay with cash. If it makes you feel better you can even wear a mustache and a dodgy hat.
Step 1: Get AnonDSL service.
...
Step 2: Create an anonymous webmail account.
Step 3: Practical immunity to abusive lawsuits means they can't take you to court for
Step 4: Profit!
somewhat lucky he didn't get multiple lawsuits dumped on him
So what are the odds of the exact same story happening in some other companies resulting in legal action and being blacklisted?
You have been watching "Desperate Housewives" too many times.
Then giggle insanely to yourself when it does. Better than letting them shoot the messenger. Fucking vindictive fucktards.
They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
Post vulnerabilities on as many IRC channels as you can. Post vulnerabilities on Slashdot comments. Post them on jihad websites. Post them on college bulletin boards.
In short, post them as anonymously as possible. Don't go through the fucking "right" channels, because they are looking to retain their share-holders confidence. Which is why you heave a god damn shitbomb into their office and let them sort that son of a bitch out. Eventually, people will start taking security fucking seriously. They will start asking about NetBSD, hooking up hardware firewalls, and thinking twice before shopping at Best Buy. And the you won't be sitting in jail because you reported a 0-day exploit to M$/Apple/Redhat/Berkeley/FuckingSCOX.
Run an end-around. Works for football, works for World War II submarines, and it works for reporting vulnerabilities.
#1 Wear Latex gloves
#2 Print out vulnerability on plain paper
#3 Snail mail, don't sign, make up return address
#4 Let chips fall where they may.
In 1988, on the first BBS I ever called, I found a vulnerability one day. It was a configuration error that allowed any user to elevate themselves to sysop status. Thinking I was being helpful, I reported it to the sysop. The next call, I was shocked to find myself locked out. Eventually the co-sysop persuaded the sysop to let me back on, but I was "on probation".
So of course I learned my lesson, and I never reported any vulnerability to anyone, ever again. Found them, though.
Here's my favorite: On my first ISP (shell account), files in /var/spool/mail/ were set readable and writable by the "mail" group. Also, "pine" was setgid mail. I could start pine, Compose a new message, and then ^R anybody's inbox right into it. One of the sysadmins had three megs of messages in his inbox, and some of them included credit card numbers. But like I say, I'd learned my lesson; I reported nothing. (Don't worry, that ISP later got assimilated by a bigger one, and that particular email system is long gone.)
Share and Enjoy: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
I can't remember the origin of that saying, but it seems rather appropriate.
But making sure that the printer you use doesn't sell you out...
This sort of thing really is getting out of hand.
More info can be found here: http://www.eff.org/Privacy/printers/docucolor/
Slashdot: news for Apple. Stuff that Apple.
I can't help but think that with the risk of negative consequences from informing someone incompetent, selfish, or insecure of a vulnerability that there needs to be some sort of safe harbor provision in laws in the case of reporting a vulnerability.
For example: If you stumble upon (or more proactively find) a vulnerability, if you send details of the vulnerability, the actions you took to find it, the exact steps you took whilst exploiting it; and you only performed reasonably minimal actions whilst in the exploited state to confirm that the vulnerability was real, then informing the target of the vulnerability with this information renders you immune from prosecution.
Would this work?
For a long time, the Aviation Safety Reporting System has made it possible for people to report a dangerous situation without risking getting stomped. There's no way to tell how many lives it has saved but everyone uses it as a prime example of first-rate systems safety engineering.
How about a site specially made just for anonymously reporting vulnerabilities in software. How difficult would it be? How difficult is it to guarantee anonymity this way?
Such a site would make it easy to expose vulnerabilities, but it would also have to be capable of weathering DoS attacks from those that are less than scrupulous.
Non sequitur: Your facts are uncoordinated.
I once reported a little insecurity in my high school's network. It was just an ftp host that allowed anyone to log on without a username or password, which was set up by the network admin's assistant. I revealed its existence by uploading a bit of porn to the directory and mailing a floppy disk with a couple of files I downloaded from it. The ftp was password protected within a week.
what sig?
If the company in question is likely to sue or prosecute or persecute you for revealing the fact that the emperor has no clothes, then let them stew. I'm sure that someone with less honorable intentions will come along and find it just as easily, and then you can sit by and chuckle as their website/customer database/company is destroyed by a very small shell script.
Of course, this isn't the moral thing to do - to let a company die when you could have helped, but it's not what they want.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
I'm in the security field as an analyst. I notice vulnerabilities (or susceptibilities) in physical security all the time. The problem... I notice these things in areas that are not any of my business... or not even part of my company (it could be another company or even a government facility). I can't help it. I just notice it. It's how I protect what I'm charged with protecting. Always analyzing all the ways someone can screw my protection, and then I do what it takes to plug the holes.
What to do when I see these things at other facilities? Keep my damn mouth shut, that's what I do.
The really sad part is I also have to follow asinine rules that provide ZERO additional security (and in some cases actually make things less secure) because the regulations say to do it. I ask for waivers. But then I'm just seen as making waves. It's sad.
If your information is in their system and it is vulnerable - sue the bastards.
I don't have a laser printer. I have a cheapo Lexmark ink printer. Do these have them?
Uhm, not like I'm thinking of reporting a flaw or anything like that. Not me! Nosirree! Not me.
qz
I've worked and done research in the security field for a while now, and I've definitely noticed a trend in the underground when it comes to exploits. More and more, exploits are being kept private, with exploits and vulnerability information not being publicised for a variety of reasons, some of which this article touches on.
I've had almost no issues reporting vulnerabilities. It's considered good practice to follow a guideline for reporting, such as: http://www.wiretrip.net/rfp/policy.html
Hosting and Domain name coupons
One way to safely publicise the info is to live in a free country or get a friend in a free country to do it.
Engineering is the art of compromise.
Tehila, an Israeli government unit dedicated to putting the government's interaction with the public online, filed a criminal complaint against Avi Mizrachi for performing a vulnerability scan against the Mossad public site.
:-)
The bottom line is that the judge, in a surprisingly sane verdict, stated that if there was no intention to do damage, and damage was, indeed, not done, then the act was legal. There was some discussion of whether such acts should be universally allowed, and a statement (though I doubt it's an actual precedent) that automatically relying on the administrators to secure their own sites is not a wise thing to do.
I can tell you that the local professional media was up in arms after this was published.
Shachar
If you work for a security company, feel free to report stuff to your company.
;).
But otherwise maybe we should just stop all that cooperative crap. Just post stuff immediately on Bugtraq or whatever list you want. Or a wiki, or even Slashdot.
People should just get used to making and restoring from backups.
If any bank's etc. records can be so easily and irrecoverably destroyed, maybe they should just go under.
After enough high-profile cases, I figure people would start taking security a bit more seriously, or being a lot more welcoming to people reporting problems directly to them _first_.
It's called the anonymous coward button on /.
I'll start:
There are NUMEROUS security bugs I'd like to report in a common program used by millions called "Windows XP".
Attackers can not only take over your hardware and use your machine as a "zombie" to attack other machines, but can also get private data, destroy personal information, potentially frame you for online crime, and even create DoS attacks on third party computers.
I hope MS doesn't kill me now that you all know!
Common users are recommended to upgrade to Ubuntu Linux as soon as possible, unless you are a gamer, and then Cedega may work better for you.
Anonymous Coward
A lot of posts go into how to report a flaw anonymously. But this is curing the symptom. The disease is the fact that you get to be a suspect if you report a bug - and might even be incriminated by it.
Many years ago some wise men in the air-traffic industry realized this. Often planes got into dangerous situations, but due to the risk of getting accused of being the wrongdoers and the risk of losing their jobs, no pilots would report these situations. The result was that the security of air-traffic was not improved. Sometimes these incidents caused people to get killed.
So they changed the rules. Today pilots can report all dangerous situations, without blame, even if they themselves caused the situation. Airports have such a briefing room where these reports are collected.
The reason for this is that human error in air traffic does happen. But by getting a clear picture of the situations you may be able to focus on helping them out. If pilots miss a sign on the runways, focus should not be on the pilot, but on the visibility of the sign. It doesn't really matter if you say: Pilots should look out for signs or they should get fired. Next time an unlucky pilot misses the sign... bang.
Something similar could be done with IT security. Reporting a bug if you encounter it should be with the focus on fixing the bug. Not to blame the one who found it.
Remember the focus in this case is the flaw or bug, not the one who finds it. Unfortunately the case appears to be focusing on the man rather than the real issue. We do this in our daily life. It's a part of human nature. But the bug never gets fixed... and then the really bad guy comes...
-:) Oh no - not again.
www.rednebula.com
Actually, I only report problems to open source project developers. If other software/tools/sites have exploits, I am sure someone with ill intentions will exploit 'em at some point anyway... so why even bother looking for/reporting problems for non-free software? I would have to pay for the next update anyway... and it's the company's job to get their crap working and properly audited/tested.
:)
It helps a lot more to write articles about hacked and defaced sites in my eyes. That's a plain business case for the company to invest less in marketing and more in auditing/software quality.
I also think that the current restriction of "freedom of speech" in that case is totally inappropriate. The following laws will probably prohibit talking about bad politics...
This little trick can be used to great effect in simulating the compromising of someone's account in a Unix system: Just send that someone an e-mail as if coming from that person's account - they'll go nuts trying to figure out who has their password.
By the way, the little trick from the parent poster can be done on any e-mail server that supports the SMTP (standard internet e-mail) protocol. Thus you can telnet to port 25 of that e-mail server instead of port 25 of mail.example.com
Reporting vulnerabilities is the right thing to do. Period. It's not for the brave, it's for those who know what is right and what is wrong.
Please don't bend to the media pressure to keep these things secret, unreported or silent. This is what is causing our mess with the current administration, where "leakers" are associated with "whistleblowers". Don't be misled, these people are patriots, and they're doing exactly what they should be doing.. exposing the flaws in the system so they can be addressed and improved.
Doing the right thing for the common good is NEVER wrong. Keep reporting them, keep the fixes coming, keep improving the situation for all.
I am reminded of a famous quote here: When one pours water into the harbor, all boats rise at once.
I once found an issue on a university network.
It turned out that for a number of the windows labs, available to all students, you were always logged in as administrator. When I reported this issue (along with a list of actions I could perform that would cause damage to the University or its students), I got the brush off. At the time I considered exploiting this to demonstrate the problem. I'm glad I didn't.
This is a few years ago but it was interesting that there was a total disregard for any security concerns with that particular section of IT support.
meh
Granted, it's a nice gesture to report a vulnerability to a site owner. This seems like an excessive amount of effort to do it.
If someone leaves their headlights on and you can just yell, "hey, your lights are on", that's great.
But, if they left their keys in the car and you have to put on a disguise and pay a kid $5 to go tell them, that's just freakin' excessive.
We are in a sad state now that it's "dangerous" for someone to simply be a good citizen.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
I've found a bunch of IT vulnerabilities, starting with a VAX in 1986 that had .motd's permissions 777. That's not critical, but it did mean that I could remove typos from the .motd if I wanted. Then because I didn't feel like getting heat for 'why were you poking around there, anyway?' I told a friend, who told another friend, who misused the knowledge by rewriting the .motd entirely and got in trouble for it. Several more critical experiences since then, same solution: let someone else know, someone you know will tell people that'll misuse it. While someone might look around for where the knowledge started, they'll only be upset at the people who actually took advantage of it.
Nostalgia's not what it used to be.
Well, the first thing that happened when you did that was you read their terms of service in a "more" listing. Of course, it was easy to hit Ctrl-Z and drop to a shell at that point. Once in the shell, I did an "ls" of the "new" user's home directory. Lo and behold, in that directory was a file containing all the new users created that day, along with their system-assigned passwords.
Funny thing -- most users never change their passwords. I had the master list to almost 90% of the accounts on the system! It got better, though. I noticed certain patterns in the assigned passwords. E.g., the last three chars of one password were the same as the first three of some other password. I wrote a program to piece it all together.
Turns out, the "random" passwords were drawn from a 512-character string, with the beginning point randomly selected. So I busted the string up into each possible password and ran the thing through a crack program. Now I had closer to 99% of the accounts on the system!
I reported this, and suggested that perhaps the system-assigned password algorithm was weak. The admins grumbled and yelled but didn't threaten any legal actions.
I pissed them off again later, with an accidental fork bomb. I lost my account that time :-)
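The weak scheme in that story (a fixed 512-character string, random starting offset) can be audited by enumerating every password it can ever emit and comparing that with a generator that draws each character independently. This is added Python, not the poster's program; the pool contents, the 8-character password length and wraparound at the end of the pool are assumptions.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def make_pool(length=512, seed=1):
    """Constructed stand-in for the fixed 512-character string the post describes."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def weak_assign_password(pool, length=8, rng=None):
    """The flawed scheme: only the starting offset is random (wraparound assumed)."""
    rng = rng or random.Random()
    start = rng.randrange(len(pool))
    doubled = pool + pool  # so every offset yields a full-length password
    return doubled[start:start + length]


def candidate_space(pool, length=8):
    """Every password the weak scheme can produce: at most one per offset."""
    doubled = pool + pool
    return {doubled[i:i + length] for i in range(len(pool))}


def strong_assign_password(length=8):
    """Sound replacement: each character drawn independently from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(space_size):
    """Bits of guessing work an attacker faces when passwords are uniform over the space."""
    return math.log2(space_size)


def audit(pool, length=8, samples=1000):
    """Defender's check: the enumerated list covers every password the generator emits,
    and the effective entropy is that of the offset, not of the characters."""
    space = candidate_space(pool, length)
    rng = random.Random(42)
    covered = sum(weak_assign_password(pool, length, rng) in space for _ in range(samples))
    return {
        "weak_space": len(space),                      # <= 512 candidates
        "weak_bits": entropy_bits(len(space)),         # <= 9 bits
        "covered": covered,                            # == samples
        "strong_bits": entropy_bits(len(ALPHABET) ** length),  # ~47.6 bits
    }
```

The point of the audit is the ratio: a "random" 8-character password from the pool scheme carries at most 9 bits, against roughly 47 bits when each character is chosen independently.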