Slashdot Mirror
Why Responsible Vulnerability Disclosure Is Painful and Inefficient
A recent rant up at Attrition.org highlights problems with the responsible disclosure of security issues. While some vendors are happy to do their own research and patch reported problems, others drag their feet and make unreasonable demands on a researcher's time and effort, making anonymous public disclosure an ever-more-tempting option. Quoting:
"After a couple hours of poking, I found a huge unauthenticated confidentiality hole. Once the euphoria wore off, I realized I had a big problem on my hands. I had to tell my employer's app owners and we had to assess risk and make a decision on what to do about it. After some quick meetings with stakeholders, we decided to severely limit access to the thing while we worked with the vendor. The vendor refused to acknowledge it was a security issue. Odd, considering most everyone who sees the issue unmistakably agrees that it is not acceptable. Now I'm forced to play hardball, yet nobody wants to fully-disclose and destroy relations with this vendor, whose software is somewhat relied on. Meanwhile, I know there are hundreds of institutions, small and large, using this software who have no idea that it has flawed security and who would probably not find the risk acceptable. What can I do? Nothing. Oh well, sucks to be them. ... I've had a vendor tell me to put a webapp firewall in front of their software. Did they offer to pay for it? No. That would be like Toyota telling its customers to buy ejector seats (unsubsidized ejector seats, that is) to resolve the accelerator problem in their vehicles. I've had other vendors demand I spend time helping them understand the issue, basically consulting for free for them. Have you ever knocked on a neighbor's door to tell them they left their headlights on? Did they then require you to cook them dinner? Exactly..."
that there is an exploit that allows a user to bump their post up to first.
FTA:
I've even been accused of being a spy for a company's competition (true... ask Jericho)...
ME: "Hi, you left your headlights on."
NEIGHBOR: "WHO SENT YOU? DID MY EX-WIFE SEND YOU? ARE YOU SLEEPING WITH HER?"
WTF? Seriously?
---
Compare how companies badly deal with vuln disclosure compared to how game companies deal with cheats and exploits. Well, MOST game companies...
To the net. Current dominant dog eat dog capitalist corporate culture makes corporations suppress and hush hush stuff rather than sparing the effort to fix.
Read radical news here
Leak a working exploit anonymously. If a vendor isn't concerned with the security of their users, let them pay the price.
Use hushmail and full disclosure mailinglist to report stuff like this.
There's no sense wasting time, do it anonymously, use tor.
Also while you do it, be sure to post personal information about other full disclosure users so that your email is removed from the official archives.
None of those problems listed seem to be with responsible disclosure. It's your job to responsibly disclose. And you should protect their secret for a while. After that, it's not really your problem if they won't or can't act.
I agree there are also issues here with relying on code that you now know has security issues. But those aren't anything to do with responsible disclosure either. If you posted it to the internet you'd still have issues relying on them. Same as if you didn't tell anyone.
Look at it this way, when you tell a vendor what's wrong and try to help them fix it, you're really doing it to help yourself. Your doing it because you believe it will be less work than changing your entire system to not rely on their code.
As an aside, I don't get a big rush when I find a problem in someone else's code. Maybe I'm just old and jaded now, but I'm just trying to get everything to work well, finding that someone else didn't do their job doesn't usually make my situation any better (as you indicate here), so I don't relish it.
http://lkml.org/lkml/2005/8/20/95
IMO, RD is supposed to entail a good-faith effort to notify the vendor and delay public disclosure for a reasonable amount of time (i.e. not dragging their feet) while they push a patch. If you notify the vendor, preferably including a test case, and they refuse to acknowledge that it is a security issue or suggest ridiculous fixes, that's the end of your RD duties. Ethically speaking, you are in the clear. RD requires you to give them a chance to fix the problem before publicizing it, nothing more.
Now, vendor/rube relations are another matter entirely that are distinct from your duty of responsible disclosure. I don't envy being in the situation where you fear their wrath for disclosure but want to do the right thing.
No. That would be like Toyota telling its customers to buy ejector seats (unsubsidized ejector seats, that is) to resolve the accelerator problem in their vehicles.
Where can I sign the petition to make that happen?? O_O
Qxe4
"I've had other vendors demand I spend time helping them understand the issue, basically consulting for free for them. Have you ever knocked on a neighbor's door to tell them they left their headlights on? Did they then require you to cook them dinner? Exactly..."
You say it happens, they can't reproduce it. Thus, you have to help them understand what it is you're doing. It's not unusual for people to think they've found a bug when they in fact have not.
And they do get away with it.
:) ). Or they replace it with something totally different.
;)...
Maybe things are different now with more hackers looking for holes, but back then you could find bugs, disclose them responsibly and privately, have the vendor/site still not fix them for years, and nobody notices - not even the hackers.
They eventually might fix it in some future release (not even the next major release
So nobody's hurt. At least that I knew of, which is the other problem: who knows right? Maybe a hacker did find it and was very discreet. Ignorance is bliss or not
It's just like leaving your car unlocked somewhere with the key in the ignition. In certain areas it's a sure thing that the car will be gone the next day, but not everywhere.
For the more obscure areas, if you do disclose it publicly, the risks to the users go up more than if you had kept it quiet.
In the long term maybe the users would be better off using something else, but who is to say the other stuff isn't as crappy? It's not like everyone has so much time to try to exploit everything. Even the security researchers don't look at "everything".
The vendor refused to acknowledge it was a security issue.
Then it's either a feature or a regular old non-security-related bug, and I don't see the problem with announcing it to everybody. Right?
-- 77IM
Student: Is it true that the foundation of the universe is paradox?
Master: Well, yes and no.
Sue them, take them to court where bad publicity, will scare the hell out them into settling.
As long as they view it as a technical issue, they are not interested. If they view it as a sales/marketing nightmare they will come to the table in a hurry. As for further cooperation, they will suck it up because other customers will see how they react as to how they will treat the company.
Like spousal abuse, as long as a bad working relationship can be hidden they will get away with it other individuals/companies. They only way to address the issue is to make their dirty laundry public.
I had this kind of problem about 15 years ago. It was a real pain. My problem was that I wasn't able to publish my findings as the vendor made pretty clear he'd sue me over that. So I reviewed my requirements on software and found a solution I haven't heard of before - Open Source. Since then I use Open Source and though it has some minor drawbacks I don't regret this step.
cb
The shareholder meeting. Simply note that you reported bug # XXXX some months ago, and it has not been acted on. You wouldn't mention it except that it's a security vulnerability that, if disclosed, would tank the share price for the company. So in that light, when will this vulnerability be addressed? Let everyone else take it from there.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
Simple answer:
Responsible Disclosure should be limited to vendors that publicly pledge (or, preferably, contractually agree to via their licensing terms) to Responsibly Fix issues that are disclosed to them. If a company doesn't abide by their own Responsibly Fix policy, it should be disclosed so that others realize that it's null and void.
Help save the critically endangered Blue Iguana
I don't see a problem with this. The vendor has replied that it doesn't consider this to be a security issue, so surely a public notification isn't going to hurt anyone, right? Right? Oh, your customers are cancelling? I thought it wasn't an issue? What can I say, silly me.
[FUCK BETA]
It's hard getting the attention of some vendors. I see vulnerabilities in a slightly different context - hacked web sites hosting phishing pages. We distribute a list of major domains being exploited by active phishing scams. This is obtained by processing PhishTank data, and we do this because we want to reduce the collateral damage from a tough blacklist system. At any given time, there are about 30 to 80 domains on the list.
Some sites get themselves off the list quickly. By now, most of the better free hosting services and short-URL services are automatically checking PhishTank and the APWG blacklist to see when they've been hit. Today, if you run a service where anybody can put up a page that could be used for phishing (i.e. it's not full of your own headers and banners), you need automation to deal with attacks. I've been in contact with the abuse guy at "t35.com", which is a free hosting service. They've recently been hit by a flood of phishing attacks, with several hundred new reports in PhishTank per day. The attacks were coming in faster than the abuse guy could clean them out. They're now gaining on the problem, but haven't squashed it yet. Take-away lesson: automate this.
The ones near the top of the list have been there for a while. Note the dates, which are the date that the oldest phishing report still online and active appeared in PhishTank. Some just need help. Typically, these are small organizations like churches and nonprofits that have had a break-in and were partially taken over by a phishing site. I send them the Anti-Phishing Working Group's "What To Do if your Site Has Been Hacked". Sometimes I give them a phone call. They deserve sympathy.
Then there are the hard cases. These are sites with no visible contact address, or a clueless abuse department. At the moment, Google Sites and Google Spreadsheets are being used for phishing. Google is new to the free hosting business, and the phishers have discovered some tricks that Google can't yet handle. While Google puts a "report abuse" link on their site pages, it's possible to set up a file for downloading on Google Sites, and an HTML page can be served that way, without Google's abuse checking. There's also an exploit of Google Spreadsheets. That one is an example of Habbo Hotel phishing. We've reported these to Google several times, but they haven't been fixed yet.
We've been seeing a new type of attack recently - a phishing operation breaks into a shared hosting server and plants phishing pages on multiple domains on a single server. One of these hit one of the mysterious "*.websitewelcome.com" servers, which has "cloaked domain registration" and no useful default web page. These seem to be associated with "ThePlanet.com", but whether ThePlanet operates them, is providing wholesale hosting, is providing colocation, or is just the upstream connectivity provider is not clear.
Hiding the contact information of a hosting provider is legally unwise. The hosting provider may lose the "safe harbor" protection of the the DMCA. The "safe harbor" provision for "Information Residing on Systems or Networks At Direction of Users" only applies if "the service provider has designated an agent to receive notifications of claimed infringement... by making available through its service, including on its website in a location accessible to the public, and by providing to the Copyright Office, substantially the following information: the name, address, phone number, and electronic mail address of the agent." So when the RIAA or the MPAA come calling, a likely event for a hosting service, they get
My point is the situation often isn't as grave as many security researchers like to think.
;).
;).
Yes there is a hole. But there are zillions of holes. If the hacker wants in, they've probably already got in via some PHP exploit or some malware infected PC.
If you've found an exploit in IE or firefox or Windows or OSX or ssh, sure go kick up a big fuss. Or just wait till the next pwn2own competition
Whereas if you've found an exploit in some ADSL modem router made by some Korean company, and they're not fixing it after you've reported it. Big deal. Hardly any of the routers will still be working 3 years from now. How many of you got pwned because of those infamous bugs that were present for years without anyone knowing? How many hackers would make a lot of $$$$ from exploiting some non-"vastly deployed" software in your company, and get away with it? Would they be better off concentrating on building windows botnets?
If it's a problem with some vendor supplied app that your company uses, disclose the problem to the bosses. If the vendor doesn't want to fix it, and you're not the boss, it's between the boss and the vendor. You provide info and advice. Of course you don't play down the risks - that's not your job - that's the vendor's job
It's the year 2005. You know that Toyota cars have a programming bug that causes cars to accelerate, and ignore any other inputs (ignores the brakes or switching gear to neutral). What do you do?
It's the year 1970. You know that Ford cars have a design flaw that makes them the gas tank explode in an accident. What do you do?
In the 1970 instance, a book author wrote a tell-all called "Unsafe At Any Speed" which revealed Ford's design flaw. In the 2005 case, I'd simply post what I discovered to Toyota-oriented websites and also call the U.S. Government Product Safety Commission. Otherwise Ford/Toyota would never have fixed the problems with their cars.
I'd also report this software bug, since the vendor seems inclinded to pretend it does not exist. Better to be a whistle-blower and save lives than wait until damage is done. You can't resurrect corpses, but you can warn people while they're still alive, so they can act to protect themselves.
IMHO.
Please don't mod me down just 'cause you disagree.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
This is not a programming problem any more. Much as we all hate lawyers, this is one case where they are useful. VERY useful. You put him on notice, it's not your problem any more. He puts the vendors lawyer on ACTUAL notice (which has a specific legal meaning). He might even need to tell the other lawyer that he's going to have to report this issue in the next required SEC filing. IMO, if you already have the thing deployed, which it seems may be the case from your post, your FIRST stop should have been the attorney.
Your thinking of the the Ford Pinto which was prone to fires and explosions when hit in rear end collisions. It was first produced in 1971. Unsafe at any Speed was written by Ralph Nader in 1965 about the American Auto industries reluctance to fix safety problems. The car it talked about (among other things) was the Chevrolet Corvair.
Send the vendor an email:
Thank you for clarifying that this is not a security issue. I can now safely post information about this non-security issue into public websites and ask for workarounds from helpful hackers. This would not be possible for security related bugs as those are best be kept secret for a few weeks, so that the vendor can provide and distribute a fix for it.
The sad thing is that by doing the right thing and attempting to report this responsibly, the articles author has now set himself up to be scapegoated. If the exploit is leaked now, whether he does it or not, the vendor will blame him for it and focus as much on destroying his career as on fixing the problem. This is the reason many security professionals decided long ago *not* to report these things "responsibly" but simply to leak them anonymously in every case. Doing this forces the vendor to deal with the vulnerability without making the reporter vulnerable.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
the reason companies don't like people disclosing their security holes is not only do they have to release a fix, they also have to slip in a new hole and make sure most of their botnet successfully migrates to it. since there is a gradual uptake of patches and people tend to drag their feet installing a given patch botnet performance can be severely impacted reducing the marketability of it's services.
"Have you ever knocked on a neighbor's door to tell them they left their headlights on? Did they then require you to cook them dinner? Exactly..."
And after dinner, did they then require you to take them to a movie, a concert, some clubs and a night of passionate...
Excuse me, I'm just going to go check all the car headlights in my street. Be right back.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
As somebody else pointed out ... the least you owe to your employer is to (attempt to) lock down your own system before you tell the world where the hole is.
Free Software: Like love, it grows best when given away.
What can you morally do otherwise but blow the whistle?
You could sell it, responsibly.
If you sell the exploit to something like the Zero Day Initiative or iDefense you won't have to deal with the vendor, they will. And they are far more experienced at that as well. That way you'll get rid of your current problem, the issue is dealt with properly and you might even earn a few bucks in the process.