Slashdot Mirror
Reporting Vulnerabilities Is For The Brave
An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
I think a vulnerability can be reported anonymously quite safely
And you can even get paid for doing it! Remember the Zero Day Initiative that was on the news a while back? They guarantee anonymity.
That's all quite true.
At that point, anything serious that happens, say Program causes some other company to lose lots of money, puts Bob's Software as a responsible party for allowing this known flaw to exist.
And, if software were like any other tangible (and most intangible) products/services in the world, you would be correct here as well. Unfortunately it's not, so you're not. Why? Those lovely click-wrap EULA licenses explicitly and specifically disclaim all liability, including even fitness for purpose. Look at almost any EULA out there and you'll see that usually the most you could possibly recover, even if this software somehow manages to kill you, through gross negligence or otherwise, is the price you paid for it.
Of course, Bob's Software doesn't want to part with your money, so your point is still partially valid. However, I think we shouldn't overlook the fact that we're not talking about huge product liability lawsuits, and yet they're treating disclosures as if we were. Basically they're trying to have their cake (EULA dislaimers) and eat it (prevent disclosures) too.
They would, it seems, be doing fairly well at both right now.
In the article, it's talking about students noticing security issues in web applications that they are using. If you accept the physical property analogy at all, this is more "seeing that a door that should be secured was left open".
-- The act of censorship is always worse than whatever is being censored. Always.
CERIAS Weblogs Reporting Vulnerabilities is for the Brave
I was involved in disclosing a vulnerability found by a student to a production web site using custom software (i.e., we didn't have access to the source code or configuration information). As luck would have it, the web site got hacked. I had to talk to a detective in the resulting police investigation. Nothing bad happened to me, but it could have, for two reasons.
The first reason is that whenever you do something "unnecessary", such as reporting a vulnerability, police wonder why, and how you found out. Police also wonders if you found one vulnerability, could you have found more and not reported them? Who did you disclose that information to? Did you get into the web site, and do anything there that you shouldn't have? It's normal for the police to think that way. They have to. Unfortunately, it makes it very uninteresting to report any problems.
A typical difficulty encountered by vulnerability researchers is that administrators or programmers often deny that a problem is exploitable or is of any consequence, and request a proof. This got Eric McCarty in trouble -- the proof is automatically a proof that you breached the law, and can be used to prosecute you! Thankfully, the administrators of the web site believed our report without trapping us by requesting a proof in the form of an exploit and fixed it in record time. We could have been in trouble if we had believed that a request for a proof was an authorization to perform penetration testing. I believe that I would have requested a signed authorization before doing it, but it is easy to imagine a well-meaning student being not as cautious (or I could have forgotten to request the written authorization, or they could have refused to provide it...). Because the vulnerability was fixed in record time, it also protected us from being accused of the subsequent break-in, which happened after the vulnerability was fixed, and therefore had to use some other means. If there had been an overlap in time, we could have become suspects.
The second reason that bad things could have happened to me is that I'm stubborn and believe that in a university setting, it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person (e.g., a staff member or faculty) and mechanism. Why anonymously? Because student vulnerability reporters are akin to whistleblowers. They are quite vulnerable to retaliation from the administrators of web sites (especially if it's a faculty web site that is used for grading). In addition, student vulnerability reporters need to be protected from the previously described situation, where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem. Unlike security professionals, they do not understand the risks they take by reporting vulnerabilities (several security professionals don't yet either). They may try to confirm that a web site is actually vulnerable by creating an exploit, without ill intentions. Students can be guided to avoid those mistakes by having a resource person to help them report vulnerabilities.
So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited. I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student. My superiors also requested that I cooperate with the detective. Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized? Thankfully, the student bravely decided to step forward and defused the situation.
As a consequence of that experience, I in
Report anonymously. :)
Through alt.2600hz
This way they will release the patch in days-weeks since your report, not months as usually
...and what if you're in the bank, and you notice that their "authorised personnel only" door with a secure code lock is catching on the carpet when staff come through it, and not clicking shut?
Point is, you don't always have to be looking to see something.
The revolution will not be televised... but it will have a page on Wikipedia
Step 1: Get AnonDSL service.
...
Step 2: Create an anonymous webmail account.
Step 3: Practical immunity to abusive lawsuits means they can't take you to court for
Step 4: Profit!
This happens because the problem is reported to the wrong person. Management knows nothing of the practicalities of security. Explain these problems to a security expert who does work for the bank or who knows those people. If you report something out of the blue to management as a nobody, you'll obviously be regarded with great suspicion.
- Michael T. Babcock (Yes, I blog)
Well, first off man I'm glad I don't work in your "shop". Obviously you and I would not get along, I can tell we have pretty conflicting ideas on things. :)
-) No I did not ask for a bonus. I don't ask for rewards, nor do I feel entitled to them. I do think it would've been nice, and I felt my actions were noble. I think that rewarding subordinates should be proactive rather than reactive. Reactive rewarding responds to greed while proactive is generous.
-) There is no concievable way my email reporting it could have been construed as a threat. The only thing threating about it may have been the prospect of having a subordinate who's very capable, which is threating to some people in leadership positions. The email was not a broadcast email, it was an email to 2 of my superiors.
-) I did not discover it by accident. I consider myself righteous to a fault. I pursued my initial recognition of a possible "fault point", and lo, found a fault. Finding the flaw was completely purposeful. I could not request a "private" meeting and say that i "discovered it by accident" as that would cheapen my discovery, i feel.
-) There's nothing confidential about a public system, so the flaw's existance was not confidential.
-) I couldn't have gotten a raise due to the unionized nature of the college I worked at. You don't get merit raises.. (another reason I left).. So I didn't ask for one.
I will give you that you're probably totally right that they didn't read my whole email before forming a reaction; that's typical of inattentive superiors, the types if administrators I have a loathing for, and the type they were.
How about a different analogy? I'm at the hospital, in the ER waiting area at 2AM waiting the mandatory 4 hours before I get to see a resident. To fight the boredom, I'm using the tethered remote to flip through the channels, and notice that on channel 85, I can see the admission clerk's monitor info! Everyone's SSNs and medical info scrolls by as it is entered. Obviously this is a mistake, and obviously it is potentially harmful to all of the patients, including me. Should I tell someone? Did I do something wrong by flipping to channel 85? Should they call in the police and have me investigated?
We apologize for the preceding message. All those responsible have been sacked.
Well, first thing that happens when you did that, was you read their terms of service in a "more" listing. Of course, it was easy to hit Ctrl-Z and drop to a shell at that point. Once in the shell, I did an "ls" of the "new" user's home directory. Lo and behold, in that directory was a file containing all the new users created that day, along with their system-assigned passwords.
Funny thing -- most users never change their passwords. I had the master list to almost 90% of the accounts on the system! It got better, though. I noticed certains patterns in the assigned passwords. E.g., the last three chars of one password where the same as the first three of some other password. I wrote a program to piece it all together.
Turns out, the "random" passwords were drawn from a 512-character string, with the beginning point randomly selected. So I busted the string up into each possible password and ran the thing through a crack program. Now I had closer to 99% of the accounts on the system!
I reported this, and suggested that perhaps the system-assigned password algorithm was weak. The admins grumbled and yelled but didn't threaten any legal actions.
I pissed them off again later, with an accidental fork bomb. I lost my account that time :-)