Slashdot Mirror
Firm To Release Database, Web Server 0-Days
krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called "responsible disclosure" policy,' Legerov said."
Firm To Drop Database, Web Server 0-Days
The verb to drop has specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:
Fed-up security firm to release Database & Web Server vulnerabilities publicly
Look at how much more information is conveyed in that second title. A work of beauty, it is.
coding is life
FTFA:
At issue is the pesky ethical and practical question of whether airing a software vendor’s dirty laundry (the unpatched security flaws that they know about but haven’t fixed yet) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret
Hasn't this been proven to be true - and legal?
In all honesty, if they've contacted the vendor and the vendor hasn't patched it in a month or two, I think its completely ethical and practical to release the vulnerabilities. After all, there could be a few other small firms who have discovered the vulnerability and are exploiting it. Best to put them out there in a Twitter feed so that the entire world instantly complains about it forcing the vendor to fix it. I prefer security over new features.
The alternative to irresponsible disclosure is for the vulnerability to be used maliciously for an unknown period of time. Which of those is preferable?
Here's a quote from TFA...
Legerov said. For example, he said, “there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor.”
I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.
Yes, because it coerces vendors to fix vulns and therefore improves ecosystem health.
If the internet ecosystem were not under steady attack, it would be weak and much more vulnerable.
What does not kill it makes it stronger.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
To clarify the summary, this guy isn't saying that he's not going to wait for companies to fix exploits before he releases them; he's saying he's not going to tell the companies at all. That, in my opinion, is very irresponsible. If you contact them and say you're going to release the information in 90 days regardless of their progress on a patch, fine, but to not warn them because of a few vendors who don't do their job is harmful to everyone.
Responsible Disclosure is like "pro choice" or "pro life". It is a deliberately positive term for purely demagogic reasons. You can't be for irresponsible disclosure, just like you can't be against choice or against life.
The protocol for publishing information about exploitable software bugs is an intensely debated topic and the choices affect multi-billion dollar businesses where it hurts them most: The bottom line. Do not for a second believe that anyone in this game argues for the sake of rational discourse alone.
This is like punishment.
The irresponsible party in this case, is the software vendor. If the vendor can't clean up their act, and at least work on fixing 0-day exploits, then public disclosure/humiliation is probably a good way to get at least some vendor to sit up, take note and do the right thing the next time around.
This sounds like a good case for establishing a procedure.
1. Contact vendor about exploit, with an expiry date.
2. Release information about exploit once date has expired, irrespective of whether bug is fixed, and the fix deployed.
Is there perhaps a clearing house for such things?
Some firm draws up a press release that they're going to drop the bomb on every piece of software they could get their hands on that is used everywhere in the world for one thing or another.
Right, what are they selling again?
"I use a Mac because I'm just better than you are."
Yes, because "responsible" goes both ways. They're being responsible by notifying the vendor before going public. If the vendor is not fixing the issue, it's time to go public.
As far as I'm concerned a public release is still a responsible one. At least in that case everyone knows about it.
Irresponsible is selling unknown vulnerabilities to private parties that will use them for their own gain. The vendor's customer's get screwed and the vendor has no idea that it's even happening.
"Pay attention to us, we'll disclose everything up front before everyone else! BTW, here's our products and services."
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
Or is the English language dying a painful death on /. as time passes. The past day's article summaries and headlines are a blend between Yoda backing off the chronic and the broken English that some toy assembly manuals convey.
Seriously, it took me three passes at reading this article headline to understand what the hell it meant. Maybe that's part of the entertainment value that I'm missing???
That is what is generally called "responsible disclosure". The point here however is that vendors allegedly twiddle thumbs as long as the exploit isn't released, so any time you give the vendor before you release the information is time wasted, unnecessarily leaving admins of vulnerable systems in the dark.
The term "responsible disclosure" is newspeak for "keep your mouth shut". The alternative to 'responsible disclosure' is that the vulnerabilties continue to exist for sometimes years, with wild exploits happening perhaps unknown for long periods of time.
I think it's okay to notify the company and give them time to fix the bug, but time on the order of years is completely unreasonable. On the Internet, a year is a very, very long time.
My blog
I welcome this.
In ancient ages past, we put up with "It's a theoretical attack, no one could actually execute it"...
to "group X has released a THEORETICAL working example of an attack to the public, so we fix it six months after revealing it to us"...
to "Here is how you fail... here is how to make you fail... FAIL!!!"
'responsible disclosure' is just wearing the nice guy badge...
You're the only one wearing the nice guy badge.
I'd rather see "Oh CRAP! This thing in Word is broken!" "Oh CRAP! This thing in Excell is broken!" "Oh CRAP! I went to look at a brittany spears vid and now can't move my mouse! Why is my DSL light blinking a lot?"
And then see it fixed in a day or two (at most), rather than a month or two (if we're lucky).
God forbid vendors actually start testing their software *before* it's in the field.
Care about electronic freedom? Consider donating to the EFF!
This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk. When you screw up in the auto industry, the company faces the massive expense of a product recall. That helps to keep you honest with your engineering quality.
I personally think 30 days is a reasonable notification period. Not pleasant for the vendor to have to respond that briskly, but this isn't about being pleasant. If the vendor wants pleasant, they should invest more competence in the original product. This isn't easy, and might move a few pointy-haired managers out of the executive suite.
Probably a more viable compromise is eight weeks. This adds a thin margin for the possibility that key zero-day SWAT staff are booked off, that multiple issues are raised concurrently, or that a product has a stupendously long build cycle.
I would be thrilled to see an industry standard put in place where everyone knows the ethical notice period is eight weeks, period, perhaps with the odd extension on a track record of good behaviour.
I would also like to see proprietary TCO calculations updated with a term to account for the customer disruption of having to rapidly deploy a not-tested-for-months-at-a-time critical vulnerability patch.
Speaking of which, that whole TCO thing really bends my biscuits. It's just loaded with sly neglect of not entirely apparent costs, of which the year-long critical vulnerability update is one of the more egregious.
During that time, your pants are down if anyone less ethical discovers the same flaw. It never happens that two scientists make the same discovery in the same year and end up in priority dispute, according to the industry of socialized risk.
I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.
It's most likely a case of resource management and insufficient resources available. Businesses exist to make money. Features make money, bugs cost money. So, given NNN amount of money, do you:
A) Fix the bugs that people are experiencing problems with RIGHT NOW with exploits in the wild, or
B) Fix the bugs that are "theoretical" and MAY be exploited at some point in the future if somebody else finds it?
Now, the clueful would note that the set of B includes the set of A, but for those who are living close to the edge, A is where the attention goes, and that's why you see announcements like this one.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Agreed - inform the vendor with all the details. Same day, publicly announce that the vulnerability has been discovered, but with no details. At a specified date (60-90 days later) make full details public.
Sounds so simple, doesn't it?
This guy should rename his name to Bobby Tables at the same time. Imagine the number of newspapers that would try to do a press release, but couldn't.
The alternative to responsible disclosure is irresponsible disclosure. Is that really better?
The alternative to "responsible disclosure" is "full disclosure".
"Irresponsible" is only disclosing 0-day exploits to black hats.
The world isn't black and white.
Just because someone frames the issue as "X or Y" doesn't mean that "or" isn't an option.
[Fuck Beta]
o0t!
They were most likely allocating those resources to what they perceived as bigger bugs. These security researchers want *their* bugs to have top priority, because it allows them to make a name for themselves. They're no Robin Hoods.
Yea, if only software vendors could take a page out of Larry Singh's book and have an immaculate record of having never given code to anyone else that contained even the smallest bug.
I hate printers.
It seems only slightly less irresponsible to publicly disclose exploits without making companies aware of them than it is for companies to disregard known security flaws in their own products.
RFPolicy struck me as the best compromise, but maybe there's room for a third-party service to hold exploit information in escrow for a defined period of time then release it. If a company knew that they had a couple of months to fix a problem at the outset, and that nothing was going to stop publication, that could provide additional encouragement to address the problem.
At the expense, of course, of being a really crappy way to treat companies who ARE proactive about their security issues, especially as a security researcher doesn't always necessarily have the full picture of what's necessary to fix the problem in cases where it's intertwined with required software features. That's probably the most significant aspect of RFPolicy -- the dialogue and collaboration between security researcher and software developer to determine the scope of the problem and the potential solutions.
...usually. Sometimes pro-life can mean they want you to "choose life".
Although that's not the way it usually goes since the noisiest part of
the "pro life" crowd are fundie nutbags want to meddle in everyone's
lives.
A Pirate and a Puritan look the same on a balance sheet.
Pro-life is typically used to mean "ANTI-abortion" and not "Pro-choice for you if you want it, more power to ya, but no fucking way you're aborting MY baby".
What does not kill it makes it stronger.
Tell "what does not kill me makes me stronger" to a brain-damaged man in a wheelchair. If there were no attacks, vulns would be little problem. As it is, your AV takes up a good chunk of your computer's resources and the botnets still send tons of spam.
Free Martian Whores!
Let's not go there. The point is that calling it "responsible disclosure" makes arguing against it much harder than, for example, calling it "delayed disclosure" would.
While I don't blame them for releasing two year old vulnerabilities, they're going too far by not giving firms ANY TIME to fix vulnerabilities. Give them six months and then release them, but give them time. This does as great a disservice to users as those firms do by not fixing the vulnerabilities.
The third option: "Dear developers of [insert product name], I've found an security issue in [insert product name]. Details are attached. I give you 14 days before releasing this information publicly."
.sig: No such file or directory
Shouldn't it be, "firm to SELECT 'Database', 'Web Server' FROM 0-Days;"?
Ask me about repetitive DNA
And pro-choice could be reasonable renamed pro-baby death. Why quibble over the semantics like a bunch of droolers? It's not like anyone changes their mind anyway, it's all masturbation.
For the record, I am in favor of mandatory abortions.
tl;dr: Of course I prefer the company fixing the bug, but in case they fail at that, I at least want to know of it and be on the same level as the crackers.
You got something wrong: The position of the crackers is that it’s the companies who act irresponsibly, e.g. by doing nothing when they should close the bugs, or by suing those who found some hole. Which I agree with. I’d go so far as to offer a prize to anyone who can demonstrate an exploit for my software. With that prize always being worth enough to stop interest in pursuing other ways to take advantage of them. If someone is really good, he might even get a permanent post.
The only reason I can imagine, why someone would do something else, is because he still is a “3 year old” who can not handle any critique and has to become aggressive or repressive against anything that suggests he is not god.
In other words: Typical upper-level PHB behavior.
And under those circumstances, the responsible thing to do, is to at least protect the clients, by telling them about the risks of doing business with that company and of using that software.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Yes, but it's unrealistic to expect that if researchers didn't publish attacks, there wouldn't be any.
Somebody found the hole. It can't be that they're the only person on the planet who could possibly figure it out. Eventually somebody else will find it too, or maybe already has. If that person happens to have something malicious in mind, they won't publically disclose it. They'll exploit it for their own gain, or sell the information to people who will do that.
If nobody disclosed vulnerabilities for the public's benefit, they'd never get disclosed until somebody got hit with them. First somebody would perform a successful attack, and a postmortem examination would eventually result in figuring out what happened. But doing things this way means at least one victim is 100% guaranteed, and nobody can prepare for it in advance.
Basically what this is about is choice. The companies in question have been notified of the security flaws in their product. They have as of yet fixed said flaws. They have instead prioritized other projects above fixing the bugs. The choice was given to the companies in question. The choice is now being removed due to their inaction.
I will take irresponsible disclosure any day over people not fixing known bugs. This is forcing their hand and that is why they don't like it.
All in all, tough shit for the companies involved.
In an ideal world security flaws would be fixed when they are discovered. I think we can all agree this is not an ideal world.
IMAGE VERIFICATION IS EVIL!
I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.
The problem I have with this is that they have grown annoyed with a few specific vendors not doing anything about the vulnerabilities, and have decided instead to widely expose many vulnerabilities from vendors they have not ever even talked to. If you're not even going to try to talk to any vendors at all, even vendors whom with you've never spoken to at any point in the past, I would consider that quite irresponsible.
It's most likely a case of resource management and insufficient resources available. Businesses exist to make money.
And as long as we keep putting up with shoddy software, they'll continue to sell it to us. Bugs cost money, as you said, so I would think they might put a few more resources to getting rid of the bugs before they shovel it out the door.
Free Martian Whores!
Features != Bugs
Just because marketing puts a higher priority on new features than it does fixing bugs doesn't mean that that is a better allocation of developer resources.
Of course, even if the bug is in the wild, if they're sure it's not exploitable, they can ignore it to continue working on new features. All they're really risking in that case is their reputation.
*sigh* back to work...
I am in favor of mandatory masturbation (to prevent the need for abortions.)
If more firms paid bounties for bugs found (as long as responsible disclosure is followed), you'd probably see a whole lot more security researchers content to follow responsible disclosure guidelines. There's no guarantee that they'll keep that all a secret in any case, but to get the cash, you've got to sign a legal form with your company's information or be registered as a valid security analysis firm. One of the biggest issues with these security analysis firms is that there's no way to tell most of the time if it's just a bunch of criminals hiding out under a corporate umbrella, or if they're bonafide security professionals. And no jokes about them being one and the same...there's a huge difference, I've known (and in the case of those pros, I've worked with them) guys from both sides. If a security firm refuses to be registered or refuses bounties, you know there's something fishy about them and it's time to contact local authorities.
Then again, there's the big problem with many of the bugs that outside security firms reporting being already known and in a work backlog. The realities of the industry is that capital isn't unlimited, time isn't unlimited, and sometimes, important stuff doesn't get done because you just don't have enough qualified developers to throw at the problem. Two years is fairly excessive for a security hole to sit around, but if a security firm is releasing exploits that it discovered and reported 6 months prior just because it "didn't see enough getting done", that's not being passionate about security, that's an attempt to commit extortion.
Comment removed based on user account deletion
But also tends to include the "Pro-choice, but please choose life!" crowd.
I'm in the camp that says if you find a vuln, give them X days to fix it, then disclose it to the public.
Free Martian Whores!
Whoa! You forgot C) Add more features to make product appear better in checklist comparisons. That trumps fixing little ol' bugs!
I thought it was 'what doesn't kill me cripples me for life'...
In God we trust, all others require data.
FTFY.
Analogies don't equal equalities, they are merely somewhat analogous.
You are asserting that the exploit is '"theoretical" (why the quotes?) and might be used in the future without any evidence that this is even the most common case much less the only case. The problem with an undisclosed vulnerability is that unsuspecting users believe they have more security than in fact they do. They expect, at very least, to be informed when a vulnerability is discovered. While this may be an unrealistic expectation in the current market place, customers should be able make informed decisions and thus operate in the market as their roll demands.
Businesses exist to make money. Features make money, bugs cost money.
Which wouldn't be a problem, because avoiding and fixing bugs would then avoid loss of money.
The problem is that features make the vendor money, while bugs cost the customer money.
Outside the software world, warranty and liability regulations solved that problem.
Assorted stuff I do sometimes: Lemuria.org
But... if these were vulnerabilities that this firm has known about for products which have been released for some time now, plus they've been sitting on this information for a while, how exactly are they 0-day exploits?
Demanding constant attention will only lead to attention.
Responsible Disclosure is like "pro choice" or "pro life". It is a deliberately positive term for purely demagogic reasons. You can't be for irresponsible disclosure, just like you can't be against choice or against life.
I sometimes wonder if anything would have been different if, before the Iraq invasion, the sides were commonly known as the "pro-peace" and "anti-peace" positions.
This requires an awful lot of patience and a fair degree of bookkeeping on the part of the submitter. And you're assuming that the organization on the other end of the bug report is actually learning from past mistakes in a cause-and-effect kind of way. "Hey! His report-to-release times are getting shorter! Maybe we should adjust!" In an organization of any size, this will be unnoticed even when pointed out plainly.
The more I think about it, the more receptive I get to this fellow's approach. Maybe after a while of "irresponsible disclosure" vendors will pay attention and he can fall back to giving advance notice.
Get off my lawn.
I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.
I'd feed better if, rather than lumping all the vendors together and 0-day disclosing vulnerabilities found in any of them, Intevydis tracked which vendors failed to respond and continued to give the others warning.
Maybe a 3-strikes policy. Or (for vendors with large products and lots of opportunities for bugs) a percentage of slow/no vs. fast fixes.
And the newbies should be assumed responsive until proven otherwise.
Seems to me that would put even more pressure on companies to be responsive, by giving the responsive among their competitors two additional advantages:
- time to fix the bug, and
- customer perception that the unresponsive vendor might be subject to sudden attacks due to disclosed vulnerabilities when the responsive vendor would both get warnings and have a track record of fixing before disclosure.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
This doesn't sound like either responsible or irresponsible disclosure. It sounds like plain old extortion. Notice he does not say he provided the vendor with the vulnerability info, just that he contacted the vendor. Calling a vendor and saying 'you have a vulnerability, pay me x and I will tell you what it is, don't pay and I'll tell everyone else' is not 'being responsible', it is extortion. Given that he must now resort to a blanket 'from now on I'll just release it' threat he must be getting pretty desperate. Frankly, I have no trouble believing that IBM/Tivoli and Sun/Mysql would not bat an eye at an extortion attempt, but I find it hard to believe they would not fix an actual vulnerability if it was reported as such.
Clearly the balance of incentives has been wildly off for some time now. Researchers finding possibly big-cost vulnerabilities and reporting them to vendors/middlemen have found that the responses to their discoveries have been slow. Additionally, the payouts for these researchers has been relatively low.
They've been slow because companies have very little incentive to actually fix these bugs, provided that the rate of exploitation of these bugs is sufficiently low.
The incentives for a company using commercial software are stacked heavily against disclosure (do they discover the intrusion? angry customers upon disclosure? etc.), and software vendors are rarely motivated by costs that are, probabilistically, very low. Only once companies are hit by the overwhelming stigma of wide-spread exploits, and the long tail of consumer distrust, do they take greater care in the future.
Companies these days get the sense that they can dodge 180 days of exposure for the price of a used Honda Accord, but the reality is that knowledge of the bug may not be a significant contributor to the risk of exploitation. If one honest researcher has found a vulnerability, can we be confident that no malicious researchers have? Hell, every little wanna-be hacker and future programmer among us used to have floppies and notebooks of vulnerabilities, some collected, some personally discovered. The vulnerability is the source of risk. Put the blame back on the companies that have failed to fix them. More accurately, shift the incentives . With huge shake-ups like mass disclosures, the effect on all companies could be a shift toward more attention being paid to security. To me, it seems like a net win.
FTFY.
FTFY.
Legerov said. For example, he said, “there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor.”
I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches
It's most likely a case of resource management and insufficient resources available.
One word can solve the difference between responsible reporting and 0-day motivation:
embargo
The reporting security group still goes through responsible reporting methodology, but add proposed date the details will be reported more fully to the public.
I work for an enterprise-level network device manufacturer, and anyone in that line of work knows damn well that remote vulnerabilities are the harbinger of death if they're not addressed in a timely fashion. Yet, motivation to assign resources to fix it still relies (in part) on whether there is a public exploit or not. So it's with that background that I can say that embargoes work.
We don't know the details, but apparently Intevydis didn't give embargo dates along with their reported vulnerabilities. Now they see what kind of motivation that produces, and so they've set a pseudo-embargo: any time between Jan. 11th and Feb. 1st.
This signature intentionally left unblank.
Perhaps this is yet another reason to use only free (libre) software: you do not have to rely on a greedy businessman to decide that a bug is worth fixing. Of course, this means that "responsible disclosure" flies out the window, since you cannot go around keeping bugs secret if you want random people to fix them, but give the content of TFA...
Palm trees and 8
But how do you know if it's being exploited in the wild or not? Vendors are unlikely to know, security researchers and the anti-virus companies might. The best exploits are written so the end-user doesn't notice anything bad has happened.
And even if it's not, is it wise to wait until AFTER, say, some business notices that their computer/web site gets hacked because of the exploit, stealing a million credit card numbers before the vendor bothers to fix the bug?
Maybe this kind of thing will result in more problems for purchasers in the near term, which may result in more pressure for vendors to produce higher quality software in the longer term? HAHAHA, I made myself laugh at that...
Sleep your way to a whiter smile...date a dentist!
I live in the US - they'd just get a gag order slapped on me. Better to just publish the exploit and metaphorically napalm their village
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Except he did not contact the vendors. He said in the past he has contacted some and they didn't fix it, so now he has given up on all vendors and does not disclose the information at all for any vendors.
I work for one of the affected projects and can tell you that we did not get contacted by them via any of our normal, well publicized methods (email, phone calls, etc...).
I agree that if a vendor does not reply then it is totally okay to disclose it to force their hand. However, disclosing it immediately to the public and giving the vendor no chance to fix it (even a few days) is wrong imo.
It is statistically highly improbable (impossible) to release any relatively complex application without bugs. Testing in a controlled environment, even highly rigorous testing, is still testing in a controlled env. Once you release the software the use cases and use environments multiply like rabbits with Viagra.
Or is my sarcasm meter buggy?
I still cannot find the droids I am looking for...
Exactly. The GP is seeing the world in black-and-white, where reality has many gradations in between.
Naive responsible disclosure: give it to the vendors. They do nothing. The bad guys figure it out. Everyone loses.
Irresponsible disclosure: hand out a zero-day to the bad guys. Everyone loses.
Effective responsible disclosure: disclose it to the vendors along with the promise to disclose it publicly on a scheduled date.
It should be noted that the third way is how CERT does things, and is the only way that the end users stand a chance of not getting screwed. It is important to make it clear that the vulnerability will be released to the public on that date no matter what. It is also important to make this date no more than two months in the future. Make the time frame too short and you're accused of creating a zero-day exploit. Make it too long and they won't bother looking at it until a week before, then they'll tell you that they can't fix it in time, and they'll accuse you of creating a zero-day exploit. There's a middle range in which it's close enough to scare the pants off of the manager types but far enough out that the fix can actually happen.
Most importantly, though, if the vendor doesn't fix it, you must disclose it anyway. Otherwise you lose all credibility, and vendors will simply put off fixing the problem because they'll assume that you will keep backing down.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Which is followed by a letter from the firm's legal department ordering you to keep quiet or be sued for far more than you can afford to pay a lawyer to defend you.
If you're a zombie and you know it, bite your friend!
That's really not fair either.
Many bugs that are security related are a result of interactions that people simply didn't think of as possible. While bug free code is desirable, and possible, would you be willing to pay 10 times more for a "provable" product? 100 times more?
Look at the space shuttle code. Provable software with an average of something like 2 man years per line of code on average? Is that realistic for consumer or even pro commercial software?
On the flip side I abhor this type of disclosure as well. I think 0 days should be forwarded to the vendor and given at least 90 days before release. Hell set a timer on it, even say the following timeline would be ok(ish):
discover exploit: notify vendor
notification + 1 week: notify world of nonspecific vuln in product
notification + 1 month: notify world of type of vulnerability
notification + 2 months: notify world of specific vuln
notification + 3 months: notify world with exploit code.
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Obviously you only write code with 0 bugs in it. Every software release from everywhere has bugs in it, it's life. This actually turned out to be a component that we use and not our code directly.
I didn't get fired or in trouble for this. However, it does impact users of our software that rely on our software and want a patch to this bug before every single script kiddie out there is now using this exploit in their l33t hax0r toolbox. I'm sure we'll have a fix out for it shortly, but it still doesn't help our users to be punished for something a vendor they aren't even using did at some point to make these people annoyed.
Exactly. We need to get laws passed that will make software vendors as liable for damages caused by shoddy merchandise as any other vendor is. They don't care because they don't have to.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Yes, we all wish that the computer world was free from attacks. That would be a great world. But since we live in this world, the environmental metaphor is apt.
Surely the beta stage is the time for 'responsible disclosure'? Once it's publicly released, then you're not likely to be the only person aware of the vuln. Why should you act responsibly on behalf of the guys who are taking your money for the privelige? If it's fit for sale, it's fit for purpose.
Responsible Disclosure [...] is a deliberately positive term for purely demagogic reasons.
Which is why I advocate calling it "Limited disclosure". That's a value-neutral term that fairly accurately describes it---and about as precisely as you can be in only two words.
Or call that other thing "Effective disclosure" if you feel a need to play the game of rhetoric.
You know there is one more choice.
What if they disclosed them responsibility, and the vendors responsibility evaluated them and came to the conclusion they are no threat. That would be irrelevant disclosure.
Living in Chile
Which is followed by a letter from the firm's legal department ordering you to keep quiet or be sued for far more than you can afford to pay a lawyer to defend you.
Then Mr. Legorov responds with something that says, basically, "sod off" in russian and gets on with his life.
Unless your project is a free software tool that is not backed (and sold) by a company, the company selling your project could have bought this CANVAS tool the are talking about, I read it's about $10k - so it's still a lot cheaper then paying someone to find the bugs. Why do you expect that the security researchers give you an advantage for free when they can sell it? Just look at it from the other side, they could sell the information on the black market instead of disclosing it.
comments from TFA:
I think, they are right on spot.
People running the software pull it out of production until there is a fix? Or they mitigate the problem the day the world learns of the exploit?
How is that extortion? That's extortion in the same way that selling an idea to someone or their competitors is extortion. Buy my idea that gives 200 MPG or i'll sell it or give it away for free to X.
Even better, you should increase or decrease the expiry date based on past history/reputation of the company: response time, severity of bug, number of vulnerabilities. If the company is Donald Knuth, i guess you could start with a default expiry date of 10 years.
See if companies respond classical conditioning. The "bad" companies would eventually get 0-day notification anyway.
We do have access to it now, thanks. However, it doesn't allow us to get a fix out prior to the disclosure. I have no problem with him selling a scanner for the exploit, I am totally fine with him using that to his monetary advantage.
Keep in mind it is his customers (assuming they are not black hat) he is hurting as well, as the ones that want to scan for the exploit most likely would like to fix the exploit rather than just totally disable the product.
That's reason to disclose that there is a flaw, not to disclose what the flaw is. And if you can tell administrators a way to mitigate the problem without revealing the specifics of the problem, then there's no harm in disclosing that information immediately. Handing out the details of the flaw, however, does not benefit anyone unless the product is open source and you provide a patch. Even then, it's better to go through an established process like CERT to get the fix out to vendors so that on the day the fix goes into the public repository, the vendors can already have patched builds available.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Maybe his remarks are just missing something in translation.
Bullshit! I say. Cut the crap You are either Pro-Life or Pro-Death.
Not true. I can be staunchly against abortion, but entirely of favor of people who grow up to be boolean douchebags being retroactively removed from the gene pool.
Keep in mind it is his customers (assuming they are not black hat) he is hurting as well, as the ones that want to scan for the exploit most likely would like to fix the exploit rather than just totally disable the product.
Somehow I suspect that they will not release all information they have, only "old" enough information. I would be quite surprised if those who use this CANVAS package for some time didn't get the time to fix the vulnerabilities of there own software. Another story is if they find vulnerabilities in software they use but can not change themselves. Probably they reported the problem at least in general terms to the vendor, but he didn't act and now faces full disclosure.
Perhaps they are trying to force a new behavior pattern where the vendors actually vet their own software for secuirty flaws before they release it. In today's climate, a big vendor can let the security firms do the hard testing and then sit back and fix whatever they care to fix. In the potential future, every vendor may be forced to release software that is nearly security-hole free and scale the features back.
Bug free code is nearly impossible and way too expensive. Code that has nearly zero buffer overflows and no stupid defaults or wide open side doors is do-able. The vendor will fix their feature set because the customers will force them too. All this does is create the same pressure from the security angle.
Besides, most security bugs are fixed only after there is an exploit in the wild. The practice won't change anything except the time table.
"These security researchers want *their* bugs to have top priority"
Only two choices:
1) They are right: "their" bugs are top priority and publishing them will demonstrate (and the vendors will learn about them for free).
2) They are wrong: "their" bugs are not so top priority; they'll publish them and the affected vendors will follow bussiness as usual fixing their top priority first, then those from the security firm (and they'll find about them for free).
All in all both the vendors and the market will end up with a net gain. Let's not forget that resposibility for buggy software *must* be on the side of those producing buggy software, not on those that ring the bell, or else Woodward and Bernstein would be the guilty side on the Watergate scandal, not Nixon.
"If there were no attacks, vulns would be little problem"
There are attacks *because* there are vulnerabilities.
"As it is, your AV takes up a good chunk of your computer's resources and the botnets still send tons of spam."
May it be because shoddy software vendors are still unwilling to do something *real* about it?
And to make waters muddier ... how about throwing this in the mix ... to whom is the 'responsible' part of responsible disclosure? If I paid for software (.e.g IBM DB2 and other commercial vendors are on the list), the company needs to be responsible and disclose the issue to me if it was disclosed to them (... IMO). How many vendors do that when a security researcher/firm 'responsibly' discloses a vulnerability/exploit to them (with or without embargo date)?
There's more than one angle for responsibility in the debate.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
You tell 'em Legerov. You have absolutely no obligation to work with vendors or projects. If they don't help you fix bugs, they should expect to hear from you in the comment at the top of your PoC.
One thing to keep in mind: all that was necessary to reverse engineer the DNS flaw was Dan Kaminski's mentioning that it existed - within a week several researchers had figured it out.
I don't totally disagree with you but there ARE times when just the knowledge that a flaw exists (or a rough idea of where the flaw exists is sufficient to allow others to figure the flaw out).
Yeah, so we can go back to the early 1990s, when the vulnerabilities existed, US-CERT knew of them, a few hackers know of them, the system admins don't and the software devs do nothing to patch them
In an ideal world, image verification wouldn't be needed...
# cat
Damn, my RAM is full of cats. MEOW!!
Luckily, most people don't count in binary, so for the rest of us we have 10 choices. Like if you are pro-death (0) you don't even impregnate women b/c you hate life so much. You have to like life enough to create it.
True, and worse, this is one of those fundamental flaws ("big bugs") that I mentioned previously, which cannot realistically be fixed in a short time, merely hacked around. The DNS protocol is brain damaged beyond all repair, and all the source port randomization in the world doesn't really change that; it just protects us until the next order of magnitude increase in network speeds, and then we're back where we started again.
That said, one of the reasons the Kaminsky bug was so quickly rediscovered by other researchers was that the fundamental underlying flaw was well understood, IIRC. That's pretty rare as far a security holes go. Usually when there's an underlying flaw that big, it gets fixed or the protocol flops like a lead balloon (were it anything but DNS, that is).
Either way, though, this demonstrated that CERT is an effective way to get things fixed, which I think proves my original point: real security researchers work through CERT or equivalent groups to get vulnerabilities fixed and disclosed in a responsible manner. People who don't are just attention whores. :-)
Check out my sci-fi/humor trilogy at PatriotsBooks.
That analogy doesn't really work. Giving away or even selling that "200MPG idea" won't cause harm to the vendor and/or the vendors clients except perhaps from a profitability standpoint if they happened to be selling their own idea that was lesser in quality. Demanding money or else you'll publicly release vulnerabilities that can cause damage to a vendors' image and/or their clientele is a pretty good definition of extortion if you ask me.
The responsible disclosure. The one where only a couple people in the world (if any) know how to exploit it before the patch. Instead of the irresponsible one where every script kiddie knows how to exploit it before the patch. You'd think that would be common sense.
The thing is... software vendors AREN'T patching their software upon "responsible disclosure." And then they even go so far as to file gag orders when security researchers threaten to disclose the vulnerability at a public forum or what have you. Krebson is fed up with it and they're just going to skip the responsible disclosure part and go straight to the public presentation in hopes that the vendors will get their acts together and actually start patching these holes if they want to keep their customers.
WTF has happened? I remember when reasonable disclosure ment that the vendor was notified
and given 3 days to release a patch. AND that public was notified right away with no details.
Now some people speak about "responsible" (whatever that means) disclosure of 90(sic!) days!
Are you all gone mad collectivly?
> Effective responsible disclosure: disclose it to the vendors along with the promise to disclose it publicly on a scheduled date.
In a perfect world maybe, but in this world you get a court order with a gag and a fat legal bill as a thank you. I can perfectly understand why the guy is fed up.
However, I would prefer him to differentiate a bit. Surely not all companies out there are that evil? Microsoft for example is known to take ages to fix the bug (I think 11 years is the record), but they tend to bribe you rather than drag you to court.
I work for one of the affected projects and can tell you that we did not get contacted by them via any of our normal, well publicized methods (email, phone calls, etc...).
I once tried to contact a vendor about trivial bug. I have spent in total about a day on a phone (e-mails went unanswered for weeks) being switched between different people who had no clue what to do with me. In the end the task went to the secretary who was supposed to pass them my technical e-mail about the problem. Never heard back on the matter from any of them.
The point I'm trying to make, it is extremely hard and often is impossible for a techie from one company to reach a techie of another company. (Unless of course the two know each other in some other way.)
That is one of the advantages of open source projects that they use open forums and often have open bug tracking systems. Communicating a problem to most OSS project in my experience is magnitudes easier.
P.S. I hear that sometimes contacting marketing directly can be more fruitful. But there are the pathological cases of marketdroids not accepting existence of problems in their products. Or more commonly marketing outsourced to a 3rd party in which case it is just as good as contacting company directly.
All hope abandon ye who enter here.
I believe he/she meant that you are probably not against the concept of choice and you are not against the concept of life or right to life either. Then being able to choose to end a life becomes quite the paradox now, doesn't it? It then turns into a philosophical/religious discussion of where we deem the limit/definition of life to be.
It is statistically highly improbable (impossible) to release any relatively complex application without bugs.
QA is not a feature. QA is a process. Any software except helloworld.c has bugs. The question is how company deals with the problems after deployment.
Modus operandi of many business is to go into "Sold!" state after deal is sealed: customer paid money already, so we don't care anymore.
Once you release the software the use cases and use environments multiply like rabbits with Viagra.
Not really.
I have seen statistics about testing which was showing that software without any testing (or only developer unit test only) had magnitudes more bugs compared to software which had undergone a test with very low coverage (10-25%).
What it says, is whether company pays attention to quality or not. Many do not. Then bugs do the "multiply" thing.
P.S. Also I have seen pathological cases where companies intentionally test cases which are rare/nonexistent in real world - because they refused to support as official features what customers usually do with the product. On a book it looks cool: software is tested/etc. But in the end customers are still treated like alpha testers.
All hope abandon ye who enter here.
"Pay me money or I'll tell the world things you'd rather I didn't" is definitely either blackmail or extortion, depending on the details and local laws.
It's official. Most of you are morons.
Better for them to do this, then to fight to get the vendors to do nothing about it, as these apparently have been not only around for awhile, but also several times given to the vendors as bugs needing fixing, and never gotten any changes from the vendors, so I think it is about tmie, even though you created the software, it does not really belong to you anymore, it belongs to the ones using it, and if they are not being told about these issues, then how are they to know they are in danger?
Another approach might be that of the general winners in the iterated Prisoner's Dilemma game contests. The simplest stable winning strategy has turned out to be what is called "tit for tat", in which you're a nice guy and cooperate the first time you face a new opponent; thereafter, you do to them what they did to you the last time. In the long run, crowds of players using this strategy tend to collect all of the game's rewards.
With the current topic, you'd express it as giving a company advanced notice the first time you find a security issue with a product, and only make a public release after talking to them (or trying to) for a few months. If they respond reasonably, you do the same thing next time. If they ignore you, then the next time you release your find without notifying them (and maybe send them a note explaining why you did that).
One useful thing about this strategy is that you only need to remember the most recent incident for each company. It is interesting that in the periodic contests pitting strategies against each other, the general winner is a strategy with a fairly low memory requirement.
Of course, IANAGT (I Am Not A Game Theorist), and I can't tell you whether this result actually applies in the security-bug scenario. Maybe there are some game theorists here who can tell us.
The main complexity is the need to recognize previous opponents. This might be tricky, since it's really not the company that responds or doesn't. It's actually (groups of) specific people working for that company. From the outside, it can be difficult to learn who actually decides how to handle a bug report, and you could easily end up "punishing" a group who were trying to cooperate but were ordered by a superior to ignore you.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
How does damage to a vendor's image hurt them other than from a profitability standpoint?
It's typical in the business world to only offer exclusivity for something, if the person will pay a lot more for something. If they don't want to pay for exclusivity then they get the cheaper offer available to everyone.
If it is definite like you say, i'm sure he'll be promptly arrested like everyone else that tries to sell an exclusive right.
I live in the US - they'd just get a gag order slapped on me. Better to just publish the exploit and metaphorically napalm their village.
Well, the US is special in the western world that its legal System is really FUBAR. Combined with the ususal arrogange US citizens have as a group about their cultural superiority (typically without even knowing the alternatives), this seems unlikely to change.
You can still use an anonymous way. Or maybe a clearing-house could help for this particular defect in the US legal system?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I am currently in the midst of a "responsible disclosure" nightmare, involving NDAs, the FBI, SEC and an online investment bank. For as much work, no pay and no recognition this "responsible" behavior is getting me, I don't know what is worth it.
Also, any advice on responsible disclosure in online financial situations would be appreciated.
Thanks.
-- I was raised on the command line, bitch
best just to pull the trigger and let the software company suck it. That way, I don't get a legal sanction.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"