Slashdot Mirror


User: SadGeekHermit

SadGeekHermit's activity in the archive.

Stories: 0
Comments: 187

Comments · 187

  1. Re:Okay on April to See Month of MySpace Bugs · Score: 1

    As a database administrator and programmer, I'd have to say this:

    You send the vendor one copy of your bug report, and you send the other copy to CERT. You open a service request to fix the problem, and you let the vendor know you consider it severe.

    If this doesn't work, you try to come up with a workaround yourself. If you can come up with a workaround, you publish it. But you don't publish an exploit! You publish enough information on the problem that a fellow admin will be able to verify that it IS a problem, without giving him enough to roll his own exploit.

    Maybe you talk to some of your developers, see if they can't help you put together a fix.

    Maybe you talk to some of your friends from the local database or server user group.

    You work the problem, you fix the problem, and you publish the fix.

    THAT is how it's done.

    Again, you should never, ever, EVER publish enough information to create a working exploit. Some of these people actually publish sample exploit code!!! So if an exploit wasn't in the wild before, it sure would be afterwards!

    It's just not the way things ought to be done.

  2. Re:Why is it "funny" to exploit security bugs? on April to See Month of MySpace Bugs · Score: 1

    OOOOHHHH, I SEEEEEE.

    All us guys trying to lock down our systems and help our fellow systems administrators do the same are just CO-CONSPIRATORS, are we?

    I bet I've got a pair of shoes older than you.

    Listen, KID, all us adults out here in the real world have JOBS TO DO. Systems to protect. Data to safeguard.

    And we are NOT AMUSED by a bunch of attention-whores who think it's amusing to pick on some random company for shits and grins.

    You want to make the world a better place?

    WORK THE FUCKING PROBLEM. Send a fix or workaround to CERT and the vendor.

    Don't be an asshole!

  3. Re:Why is it "funny" to exploit security bugs? on April to See Month of MySpace Bugs · Score: 1

    NO.

    The best way to solve it is to SOLVE it.

    Come up with a fix and share THAT with the world. Don't just tell everybody how to break systems affected by the glitch.

    Unless your real goal is to help script kiddies exploit systems, you should never EVER release an exploit.

    This is common sense.

  4. Re:Why is it "funny" to exploit security bugs? on April to See Month of MySpace Bugs · Score: 1

    It's so true... The human race just LOVES to get its Schadenfreude on.

  5. Re:Why is it "funny" to exploit security bugs? on April to See Month of MySpace Bugs · Score: 1

    In response to your analogy, NO, I wouldn't tell the whole world about it. I'd figure out a way to FIX it, like finding a local shop that can replace the keyless entry system, and THEN, I'd tell everybody how to go to the shop and fix their systems. I'd give them SOME information, for instance telling them about how it's possible to steal a car with equipment available to thieves, but I would NOT tell them enough to let them go get a transmitter of their OWN.

    Reason being: the object is to SOLVE the problem, not magnify it by letting every angsty teenager in your town get ahold of their own transmitter, after which all hell would break loose.

  6. Re:It's funny because on April to See Month of MySpace Bugs · Score: 1

    Look, I couldn't care less about MySpace. I don't use or read the site.

    My problem is that these "month of X bugs" are coming out for lots of vendors and platforms that in turn serve a WHOLE lot of companies and websites.

    This trend is a rotten, rotten idea.

    You don't get people to wear bulletproof vests by giving free Saturday Night Specials to every degenerate who wants one.

    The whole practice stinks.

  7. Re:Why is it "funny" to exploit security bugs? on April to See Month of MySpace Bugs · Score: 1

    Uh huh. SURE they did.

    What's really happening here is, things are easier to break than to fix. So a bunch of guys can figure out 30 snarky ways of breaking something, slap together a website, and try to get some attention by attempting to publicly humiliate whatever vendor has pissed them off most recently. They don't think for an instant about what's going to happen when script kiddies start using the ACTUAL EXPLOIT CODE they publish to attack every website under the sun. Or maybe they do -- but that only makes it worse.

    The PHP site you just linked to is an excellent example of how NOT to do things. They post actual test exploits. How lovely. So some guy in Wichita has a website that runs PHP, and his ISP hasn't updated quickly enough, and he's hacked by some schmuck script kiddie who's bored -- all through no fault of his own or even his ISP's.

    This is NOT good citizenship at work.

    Here's my favorite analogy of the fundamental dynamic here:

    Leon the ghetto gun dealer: "Hey, man, I'm just trying to show all you guys how important it is to wear a bulletproof vest! Nobody believed me, so I started selling these here Saturday Night Specials. Cheap, too. It ain't MY fault if some guy decides to rape and kill some downtown lady with a gun I sold him! Sheeeit, she should've bought herself a bulletproof vest, it's her own damn fault."

    I think that's a good rebuttal of your point.

  8. Re:Why is it "funny" to exploit security bugs? on April to See Month of MySpace Bugs · Score: 1

    The problem with your point of view is that you aren't hurting the VENDOR, you're hurting his CUSTOMERS who have done you (and the world) no harm.

    The vendor isn't the primary entity harmed because he's already got his license fee from each customer. Also, it's not the vendor that will be attacked by script kiddies, it'll be his customers, who, again, have done you no harm.

    The most you'll do to the vendor is give him a little bad P.R. Vendors don't care. They just hire a P.R. firm to "manage spin". The people who actually pay the vendor his fees (the suits, usually) ALSO won't care because they'll sympathize with the vendor. They'll view the situation, mostly correctly, as a bunch of snot-nosed kids waving middle fingers in the face of a staid, middle-aged establishment.

    Putting up a "month of X bugs" is a dick move, man. All you accomplish is creating a huge clusterfuck for a whole bunch of people who never did you any harm, and that makes you no better than a vandal. Here's a tip: if you're showing people how to break something INSTEAD OF telling people how to prevent them from doing so, you're not on the side of the victim.

    Guys like this are just another set of enablers, like (here's MY analogy) a ghetto gun-dealer who sells to muggers and rapists, and who justifies it by saying "I didn't tell him to go rape that woman! And it's her own fault for not having a bulletproof vest. My gun sales will show people that they NEED bulletproof vests, so I'm doing a service."

    I'm not buying it. I'll say it again:

    The PROPER thing to do is send one copy of the vulns to the vendor and another copy to CERT, which will disclose the existence of the issue responsibly and suggest a workaround.

    Your suit analogy doesn't work, by the way.

    As a sysadmin, I can take every precaution available to me, I can take every vendor-mandated step... Despite all that, all it takes is for some idiot to whip up a "month of bugs" and blammo, I'm hosed. All because some annoying little bastard wants to attention-whore out his new "security site".

    So, I disagree -- most vehemently -- with your views.

  9. Re:Why is it "funny" to exploit security bugs? on April to See Month of MySpace Bugs · Score: 2

    But you forget.

    This is not the only "month of X bugs" that has happened.

    The others were ALL about one or another software package.

    I'm saying the general principle is wrong. If you find bugs you should disclose them responsibly. One copy goes to the vendor (or the site owner) and one copy goes to CERT. You don't show the whole world the details of the bug, plus a sample exploit! That's just stooooopid.

  10. Re:Why is it "funny" to exploit security bugs? on April to See Month of MySpace Bugs · Score: 2, Insightful

    It has been long established that it is simply NOT POSSIBLE to write software without bugs.

    The best that any developer can hope for is to find the bugs quickly and remove them.

    Stunts like this only serve to attack a development project without doing anything productive to help fix it.

    Your own comment shows that you think the same way: "These guys are idiots, switch to someone else".

    They're not idiots. They're just the guys who happened to be arbitrarily chosen for public attack.

    And it IS perfectly arbitrary.

    Don't try to turn attention-whoring into some noble quest. It's not and never will be.

  11. Re:Why is it "funny" to exploit security bugs? on April to See Month of MySpace Bugs · Score: 2, Informative

    Maybe I'm old and crusty, and just not "with it" but being an Oracle DBA and occasional Java developer... I really, really don't like the idea of posting "month of X bugs" sites.

    The principled thing to do is to contact the vendor whose software is buggy, and give them a detailed report of all the bugs you found, mailing a duplicate report to CERT to make sure there's at least some pressure on the vendor to fix them.

    The UNPRINCIPLED thing to do is to start up a website and post a "month of MySpace bugs" for the whole world to see, which sets every idiot script kiddie out there on an easter-egg hunt to find vulns.

    What's really screwed up about it is this: Let's say Joe Hacker decides to "out" some vendor and spends a month attention-whoring. That vendor may or may not get the bugs fixed before legions of script-kiddies figure out how to use them. MEANWHILE, every sysadmin out there is completely fucked, waiting for the vendor to catch up to the Scavenger Hunt that Joe Hacker decided to kick off with his stunt.

    It's not cool, it's not funny, and I wish these assholes would just knock it off.

    They should grow up already.

  12. You can't stop Dilbertization. It's human nature. on How to Stop the Dilbertization of IT? · Score: 4, Insightful

    Dilbertization is INEVITABLE in any hierarchical organization. There's nothing whatsoever you can do about it.

    Its causes are ultimately all within human nature. Starting with the technologists themselves, they're all in competition with one another. Each wants to be recognized as the alpha geek. Furthermore, some are lazy and some are energetic. The lazy ones hate the energetic ones because they make them look bad. The energetic ones hate the lazy ones because they're not carrying their weight. Finally, the TALENTED technologists are repulsed by the thought of being promoted into management, but the inept ones love the idea, as do the closet fascists.

    The professional managers, middle-managers, "project managers" (ha!) and other undead minions of all standard IT organizations are just as dysfunctional. Secretaries are sullen, convinced that everyone thinks they're stupid (in some cases, this is astute on their part). Project managers, like the fawning little lap-dogs they are, tell management whatever they want to hear, often totally fucking over their staff by agreeing to ridiculous deadlines that cannot be met. Middle managers often know nothing whatsoever about technology and run their areas according to whatever management theory is currently in vogue. Worse, they often rate employees by how well they schmooze, not how well they code. Nepotism is rampant. Other minions, like managers selected to represent users in design meetings, often are in way over their heads and only want to cover their asses and contribute enough to meetings to LOOK as though they've got things under control.

    If you work in a private company, you can be fired at any time for any reason, and often your fate is totally arbitrary. Knowing this, you MUST always keep your eyes open for new jobs; companies are like women, they never want available developers, because they think there must be something wrong with them (so they stick to poaching from other companies). If you think you're going to be fired, you have to start interviewing right away before you lose that "I'm still employed" cachet. And you have to know who is a "special friend" of which bigshot so you don't accidentally step on the toes of so-and-so's asshole cousin and prematurely end your career.

    If you work in civil service, you can't be fired easily but this means that you always end up with at least a few totally useless idiots in your department. They KNOW they can't be fired, so they just sit around like barnacles, slowing the whole boat down. At most, the part of the staff that'll actually be able to DO anything will be 25-50% (and they'll be bitter and snarky about it -- can you blame them?). The rest are all deadwood. The same is true for management! You see these ridiculous men in their fifties, already mentally a senior citizen, just waiting to retire at 55. They DREAM of a "25/55" deal and talk about it with anyone they can pigeonhole. Finally, because the deadwood just wants to be left alone to play some stupid downloaded Windows game (which probably was a trojan) they'll pretend they're really busy to the boss and you won't be able to get ANYONE to agree to let you build anything, even if it would make the whole department more efficient.

    The whole system is completely, hopelessly, irreparably FUBAR. It's a clusterfuck of legendary proportions. The only way to survive within it is to make yourself invisible and get your work done as efficiently as you can, while not getting drawn into any politics, never suggesting anything, and never volunteering for anything.