Reporting Vulnerabilities Is For The Brave
An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
All things considered, it's a whole lot safer (not to mention more profitable) to notify the black hats about vulnerabilities rather than the vendors or the public.
Lacking <sarcasm> tags,
Open Source projects don't interrogate and try to prosecute you if you find a security problem and report it.
I'm not proposing one do this... but it makes one think:
'If I'm gonna get jailed anyways... might as well make some money off of it.'
Back in the day we didn't have no old school.
Maybe there should be a site to allow anonymous reporting of vulnerabilities. This way people could do the right thing without having to worry about the repercussions.
You could have some sort of secret key to verify that you were the original submitter, if you later wanted recognition for the report. (I imagine a PGP signature of a secret text would be sufficient to allow validation, without any chance of determining who posted until they came forward.)
Software sucks. Open Source sucks less.
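The "prove later that you were the original submitter" idea in the post above, as an added example that is not part of the original thread: instead of the PGP signature the poster suggests, this uses a plain hash commitment (a swapped-in technique chosen so it runs with only the standard library). The submitter publishes the commitment next to the anonymous report; nothing in it identifies them, and anyone can check a later claim by recomputing it. The report text and the `make_commitment`/`verify_claim` names are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Domain separator so a commitment over a report can't be confused with
# a plain hash of the same bytes published elsewhere (constructed label).
_TAG = b"anon-vuln-report-commitment-v1\x00"


def new_nonce() -> bytes:
    """Secret the submitter keeps offline; revealing it later proves authorship."""
    return secrets.token_bytes(32)


def make_commitment(report_text: bytes, nonce: bytes) -> str:
    """Hex string published alongside the anonymous report.

    Without the nonce the commitment reveals nothing about who submitted;
    with it, anyone can recompute and confirm the claim.
    """
    if len(nonce) < 16:
        raise ValueError("nonce too short to hide the submitter")
    digest = hashlib.sha256(_TAG + nonce + b"\x00" + report_text).hexdigest()
    return digest


def verify_claim(report_text: bytes, nonce: bytes, published_commitment: str) -> bool:
    """Check a later 'that report was mine' claim against the published value."""
    try:
        expected = make_commitment(report_text, nonce)
    except ValueError:
        return False
    # Constant-time comparison: the commitment is public, but avoid
    # giving a verifier-side oracle out of habit.
    return hmac.compare_digest(expected, published_commitment)


if __name__ == "__main__":
    # Constructed sample report; any bytes work.
    report = b"Login form on /account accepts the session cookie of another user after Back."
    nonce = new_nonce()
    commitment = make_commitment(report, nonce)
    print("publish with report:", commitment)
    print("later claim verifies:", verify_claim(report, nonce, commitment))
    print("wrong nonce rejected:", verify_claim(report, new_nonce(), commitment))
```

Note that the report text must be stored byte-for-byte as published; a reformatted copy will not recompute to the same commitment.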
Well, the website has already gone. One thing which I find with all this though is that you should just put it up anonymously on some often-checked BBS or newsgroup or something. It is really stupid that companies think that the danger of hacking comes from people who publicly state security holes and not the people who stay very quiet and use them... some mistake?
* "I can't believe it's not a hyperlink."
What you did was open the door to litigation against Bob's Software for negligence. Bob's Software doesn't want the flaw to become public. When you stand up and point the finger at Bob's Software, they will be looking for someone to pass on the litigation fees to, so you get sued. Not only that, someone needs to be made an example of so others don't try it in the future.
Anonymous email accounts are easy to come by. Send an anonymous announcement to the Full Disclosure mailing list and be done with it. Otherwise you're risking the legal bills of fighting whatever company decides to sue you.
Of course, this means that everyone else finds out about vulnerabilities first. This might not be exactly what they wanted when they made it illegal to report.
"It is a greater offense to steal men's labor, than their clothes"
Would you prefer a friendly neighbor to advise you to lock your door next time, or a thief that would remove something without leaving traces of his break-in? Either way, your door is unlocked and you probably don't know it...
But then again often you are also a user of the service.
Compare it to reporting that the outside door to your apartment that is supposed to require a key, also opens with a little tug.
The people running Web sites, or creating software for that matter, might want to consider some of the consequences of their current crack-down on vulnerability reports. Yes, vulnerability reports are bad PR. However, if this keeps up people who find vulnerabilities will have only two feasible alternatives:
I fail to see what any of your comments have to do with TFA. The author explicitly does not condone hacking. Your metaphor is wrongheaded, too. Public web sites are not the equivalent of a random private house on the street. If I walk into a store to buy something, go to the checkout, and discover that if I lean against the checkout counter cash streams out of the register, does the store want me to let someone know or not? Obviously they wouldn't want me to take the money, but if they're going to arrest me for telling them that their cash registers are broken, I'm just gonna go. You're not going up to Joe Blow's house and shaking his knobs and checking the windows, knowing full well that it's his private home and you're just gonna check things out. We're talking about an open house where the owner is saying "Come on in and look around! We hope you'll buy something." If I walk around and find an open safe, I haven't broken the law. The owner invited me in. If he's going to leave an open safe around, that's his stupidity.
Hmmmm, of course the article focuses on the big evil website administrators for attacking the small defenseless students who tried to (probably) illegally break into his system. The article carefully avoids any discussion of what these students actually did to 'discover' the vulnerabilities.
I'd venture to say that most hackers 'smart' enough to hack into a website are probably smart enough to send an anonymous email reporting the hack. If the administrator ignores the emails or warnings, then the burden falls upon them.
This is similar to a crook breaking into a house and then reporting the secret stash of drugs or child porn they found. Ok, it would be nice if they could report it anonymously, but it certainly doesn't justify the initial illegal behavior. And, like most crooks, they probably break into hundreds of places before they either get caught or find stuff worth reporting (like being able to access student grades or SSN).
That said, I agree it's in the website's best interest to allow folks to anonymously post vulnerabilities. Duh.
You are lucky that she didn't claim sexual harassment.
Is it OK for someone to walk around the neighborhood and try turning all the doorknobs? How about pushing the doors open to see if they're bolted?
Because that is EXACTLY like finding a vulnerability on a website. Once again, real-life analogies serve only to confuse the issue, having little to no relevance to the subject at hand.
There are many ways to find bugs in web applications, often just from regular use. A vulnerability is nothing more than a bug that happens to have more serious repercussions. I've seen cases where using the back button can change the user you are logged in as, refreshing a posted form can get you funky places, and accidentally entering incorrect data (like alphanumeric data into a numeric-only field without proper type checking) can totally bring down a system and spit out a potentially exploited environment dump.
Now that is for regular users of a system; if we are talking about someone who has no business using a web application (number 1, why would he have access to it in the first place, it should be protected with an Apache auth module or ISAPI auth module, but I digress), the situation gets more complicated. This person presumably has no permission to use the website, let alone play with URLs, submit funky data, or generally hack around. However, you are pretty naive if you believe nobody else is doing this. Every server I have ever run is under attack pretty much all day, every day. If someone happens to find a vulnerability, I would much prefer them to tell me about it rather than keep quiet. Will I treat it as a break-in, distrust the good intentions of the reporter and assume I have to wipe the machine and reinstall everything from a known good backup? Yes. But again, better to know and have a chance of fixing it than never know.
I would argue that in a perfect world, someone trying to break into any system, regardless of intentions is just making things worse. However in the real world where there are tons of bots and blackhat hackers going after systems all the time with no intention of alerting their victims of vulnerabilities, someone who finds a vulnerability and alerts the webmaster is actually making things better. Regardless of whether or not he should have been there in the first place, the end result is that you can now make your environment more secure than it was before.
Finkployd
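The "alphanumeric data into a numeric-only field without proper type checking" failure mode from the post above, as an added example that is not code from the original thread: a constructed request handler in the shape the poster describes (the conversion error escapes and becomes a framework 500 page, which in debug mode carries a traceback and environment dump) next to a hardened one that validates the field and maps every failure to a response that says nothing about the internals. The handler names, the `quantity` field and the range limits are assumptions for the example.

```python
import logging

log = logging.getLogger("webapp")


class BadRequest(Exception):
    """Client-supplied input failed validation; safe to echo the message."""


# --- 'before': no type checking on a numeric-only field ------------------
def naive_handler(params):
    # int("abc") raises ValueError. Left uncaught, a debug-mode framework turns
    # this into a 500 page with a traceback and the request environment, which
    # is exactly the "environment dump" the post warns about.
    quantity = int(params["quantity"])
    return 200, {"quantity": quantity}


# --- 'after': validate, then fail closed -----------------------------------
def parse_int_field(params, name, lo=0, hi=10_000):
    """Return params[name] as an int within [lo, hi], or raise BadRequest."""
    raw = params.get(name)
    if raw is None:
        raise BadRequest(f"missing field {name}")
    try:
        value = int(raw, 10)            # base 10 only; rejects "0x1f", "1e3"
    except (TypeError, ValueError):
        raise BadRequest(f"{name} must be an integer") from None
    if not lo <= value <= hi:
        raise BadRequest(f"{name} out of range {lo}..{hi}")
    return value


def hardened_handler(params):
    try:
        quantity = parse_int_field(params, "quantity")
        return 200, {"quantity": quantity}
    except BadRequest as exc:
        # Validation failures are the client's problem: 400 with a terse reason.
        return 400, {"error": str(exc)}
    except Exception:
        # Anything else is logged server-side in full and reported generically,
        # so a crash never ships a traceback or environment to the browser.
        log.exception("unhandled error in hardened_handler")
        return 500, {"error": "internal error"}


if __name__ == "__main__":
    # Constructed inputs: one normal, one the kind of accident the post describes.
    for sample in ({"quantity": "3"}, {"quantity": "abc"}, {}):
        print(sample, "->", hardened_handler(sample))
```

The same pattern (parse at the boundary, catch everything at the top of the handler, log the details, return a generic body) is what turns an accidental crash from a user into a 400 or a bland 500 rather than an information leak.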
Well, that's not so different as the situation in physical security systems. Go and tell a bank manager that they have an unsecured entry point in the air ducts, and that their alarms can be blocked by a XT42 bypass (or whatever), and the guards always have lunch at the same time leaving the screens unattended for ten minutes.
You are probably doing them a big favour, but the fact remains that they will be suspicious about you, and may call the police. How do you know about those things? What are your intentions? It's quite a natural reaction. We only perceive the situation to be different because we happen to be experts not in alarms but in computers.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
Learn to speak my language (Icelandic), then I am going to take you seriously.
You did well to refuse... you don't want to be the only real tech guy in such a company. If you find problems even before you have a job there, imagine when working there.
"It's easy to spoof email addresses with a very simple PHP script."
It's easy to spoof email addresses with a very simple telnet client.
telnet mail.example.com 25
HELO local.domain.name
MAIL FROM: billg@microsoft.com
RCPT TO: pranked@yourdomain.com
DATA
Subject:
.
QUIT
Hell, you can usually just set an arbitrary 'from' address in your email client. I learned that trick on Netscape 3.0 in grade school.
For a long time, the Aviation Safety Reporting System has made it possible for people to report a dangerous situation without risking getting stomped. There's no way to tell how many lives it has saved but everyone uses it as a prime example of first-rate systems safety engineering.
I'm in the security field as an analyst. I notice vulnerabilities (or susceptibilities) in physical security all the time. The problem... I notice these things in areas that are not any of my business... or not even part of my company (it could be another company or even a government facility). I can't help it. I just notice it. It's how I protect what I'm charged with protecting. Always analyzing all the ways someone can screw my protection, and then I do what it takes to plug the holes.
What to do when I see these things at other facilities? Keep my damn mouth shut, that's what I do.
The really sad part is I also have to follow asinine rules that provide ZERO additional security (and in some cases actually make things less secure) because the regulations say to do it. I ask for waivers. But then I'm just seen as making waves. It's sad.
One way to safely publicise the info is to live in a free country or get a friend in a free country to do it.
Engineering is the art of compromise.
"Include screen shots, printouts, whatever, if necessary. Every transaction on the internet leaves some form of trail. Walking to the nearest post-box doesn't"
You must have missed all that ruckus about those "yellow dots" printed by every HP color printer (and probably by other manufacturers as well), identifying the machine on anything that is printed by/with it.
No trail? Forget it. Maybe paper is nowadays more easily tracked than an e-mail sent through an anonymizer.
A lot of posts go into how to report a flaw anonymously. But this is curing the symptom. The disease is the fact that you get to be a suspect if you report a bug - and might even be incriminated by it.
Many years ago some wise men in the air-traffic industry realized this. Often planes got into dangerous situations, but due to the risk of getting accused of being the wrongdoers and the risk of losing their jobs, no pilots would report these situations. The result was that the security of air-traffic was not improved. Sometimes these incidents caused people to get killed.
So they changed the rules. Today pilots can report all dangerous situations, without blame, even if they themselves caused the situation. Airports have such a briefing room where these reports are collected.
The reason for this is that human error in air traffic does happen. But by getting a clear picture of the situations you may be able to focus on helping them out. If pilots miss a sign on the runways, focus should not be on the pilot, but on the visibility of the sign. It doesn't really matter if you say: Pilots should look out for signs or they should get fired. Next time an unlucky pilot misses the sign... bang.
Something similar could be done with IT security. Reporting a bug if you encounter it should be with the focus on fixing the bug. Not to blame the one who found it.
Remember the focus in this case is the flaw or bug, not the one who finds it. Unfortunately the case appears to be focusing on the man rather than the real issue. We do this in our daily life. It's a part of human nature. But the bug never gets fixed... and then the really bad guy comes...
-:) Oh no - not again.
www.rednebula.com
Also remember not to lick the envelope or the stamp (if you're from a place where those aren't self-adhesive).
Also, remember to burn the clothes you were wearing - but only in a forest at least 10 miles from any residence, so the smoke is not seen.
You should also wear gloves and sunglasses while typing the actual note and wear a false moustache for at least a week afterwards.
'No rational religion claims "supernatural" exists, that's an atheist slander.' - seen on slashdot.
Actually I only report problems to open source project developers. If other software/tools/sites have exploits, I am sure someone with ill intention will exploit them at some point anyways... so why even bother looking for/reporting problems for non-free software? I would have to pay for the next update anyways... and it's the company's job to get their crap working and properly audited/tested.
:)
It helps a lot more to write articles about hacked and defaced sites in my eyes. That's a plain business case for the company to invest less in marketing and more in auditing/software quality.
I also think that the current restriction of "freedom of speech" in that case is totally inappropriate. The following laws will probably prohibit talking about bad politics...
What makes you think it's safe?
Sure, the report is safe, but admins will try to use their logs to find the IP address of those who exploited the vulnerability before.
If you didn't take precautions when you tested the website (and normally you didn't, as you were not trying to crack the website, you were just checking that it is safe), and if the logs are detailed enough, they will find the IP address of the one who did it and will come knocking at your door.