Dailydave mailing list archives
Hyenas of the Security Industry
From: Brad Spengler <spender () grsecurity net>
Date: Fri, 18 Jun 2010 00:01:19 +0200
By now, most on this list and elsewhere have read from various news
sources the "controversy" regarding Tavis Ormandy's recent
full-disclosure of a vulnerability in older versions of Microsoft
Windows. The advisory was posted here:
http://seclists.org/fulldisclosure/2010/Jun/205
from Tavis' personal email account on his own personal time, and as
mentioned in his advisory, represented no agency or person but himself.
It was disgusting to see not only the resulting press but also the
response (or more accurately, the lack thereof) from the security
community (if such a thing exists anymore).
So since most researchers in the security community have had their
spines and sense of justice/fairness contractually removed by their
respective employers, I'd like to comment on some of these topics. The
purpose of my mail is to call out (by name) the individuals,
"journalists", and companies that manufactured the controversy for their
own benefit.
The only thing Tavis did wrong was assume his readership understood the
details of his situation as well as he did. The clarity regarding what
happened during the five days between private and public disclosure
wasn't there, leading to rampant speculation and inaccuracies that
continued even after Tavis corrected them. How many vulnerabilities
Tavis has "responsibly" reported to Microsoft isn't known by most
because such reports aren't often newsworthy.
The only carrot-on-a-stick Microsoft used to be able to offer to
independent researchers was recognition within their advisories. I
don't find this to be any significant motivator at all. Red Hat has the
same policy as well, but unfortunately for the vendors that adopt this
policy it doesn't affect public recognition. Though Microsoft won't
acknowledge the author of a vulnerability that is not "responsibly
disclosed", everyone else will. Not that any kind of recognition is
particularly important for some -- using one's own name can just be due to a
disinterest in the usefulness of submitting a report from an alias with
an anonymous email address.
The upsetting trend (which I imagine has been keeping security companies
playing along with Microsoft's silly game) is for Microsoft to call into
question the ethics of the reporter, and even if that reporter was
acting independently, tying that question of ethics to the reporter's
employer. This wasn't some flippant reaction by a random MSRC employee;
the Director of MSRC, Mike Reavey, mentioned Tavis' employer three times
in his blog regarding the vulnerability:
http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx
It was an intentional (and successful) attempt at framing the discussion
that was repeated endlessly by the media.
Speaking of framing discussions, we need to reject the legitimacy of the
phrase "responsible disclosure." It's a loaded term that by itself
implies that any other kind of disclosure is irresponsible. Such a
claim couldn't be farther from the truth. "Responsible disclosure" is
an invention of the vendors to reduce public embarrassment and allow
them to sit on the bugs for as long as they feel like, as long as they
keep coming up with excuses. Researchers wanted a deadline to prevent
exactly that situation (as Tavis requested for his vulnerability), but
it seems that more and more, any kind of public disclosure is regarded
as irresponsible, even if a vendor says they won't fix it in two months.
http://www.zerodayinitiative.com/advisories/upcoming/
shows how well that "responsible" disclosure is working out:
ZDI-CAN-357 Microsoft High 2008-06-25, 720 days ago
ZDI-CAN-527 Microsoft High 2009-07-14, 336 days ago
ZDI-CAN-533 Microsoft High 2009-07-23, 327 days ago
ZDI-CAN-543 Microsoft High 2009-08-06, 313 days ago
ZDI-CAN-599 Microsoft High 2009-10-20, 239 days ago
What's responsible about letting a vendor sit on a serious vulnerability
for almost two years?
I can't think of a catchier phrase to describe what's going on here
("Damage Control Disclosure" perhaps? maybe someone else can think of
something more clever), but it's effectively: "Give us the
vulnerability for free, argue with us in phone conferences about its
importance and exploitability, then let us sit on it for as long as we
want, providing excuse x, y, and z if necessary to delay a fix. In
return, we will give you a gold star and not actively attempt to create
a controversy in order to have you fired from your job or sink your
company, so that we can retain our image. At least, as long as you
keep playing by these rules -- don't think about trying to actually
enforce any deadlines on that most important vulnerability out of the
20 total you reported." It's clear why this is so attractive to the
industry!
It's also curious how much complaining is done when Microsoft/Adobe/etc
don't fix a vulnerability overnight when an exploit for it gets reported
as being found in the wild, yet many of the same people are now
complaining that Microsoft wasn't given 60 days that they won't need to
produce a patch -- talk about double standards. Will we now see a patch
within 60 days that was previously impossible?
On to an analysis of the coverage by "journalists." I'm not quite sure
why there's a need for so many of them, when they all have about the
same level of understanding and repeat the same misinformation from the
same sources. I was interested in my analysis of how many times Tavis'
employer was mentioned in the article, who the references were for the
article, and whether the information provided by said references was
Glenn Beck-style inventions of the imagination (dramatization: "well
yes, he claimed he was acting alone, but he mentions at least one other
person in his greets section who also has the same employer! Now, I
know nothing about this person, but based on this alone...don't you find
it interesting? I'm just the one asking questions here!")
Here's my summary with links:
http://threatpost.com/en_us/blogs/does-google-have-double-standard-full-disclosure-061010
http://ha.ckers.org/blog/20100610/windows-help-centre-vuln/
(Robert Hansen)
References: his own massive brain
Number of times employer mentioned: 14
http://www.computerworld.com/s/article/9178084/Hackers_exploit_Windows_XP_zero_day_Microsoft_confirms
(Gregg Keizer)
Number of times employer mentioned: 3
References: Graham Cluley, Andrew Storms
Glenn Beck impersonation from: Graham Cluley
http://www.computerworld.com/s/article/9177966/Microsoft_confirms_critical_Windows_XP_bug
(Gregg Keizer)
Number of times employer mentioned: 7
References: Robert Hansen/"RSnake", Andrew Storms
Glenn Beck impersonation from: Robert Hansen/"RSnake"
http://www.computerworld.com/s/article/9177948/Google_researcher_gives_Microsoft_5_days_to_fix_XP_zero_day_bug
(Gregg Keizer)
Number of times employer mentioned: 16
References: Robert Hansen/"RSnake", Andrew Storms, Secunia, Vulpen Security
Glenn Beck impersonations from: Robert Hansen/"RSnake", Andrew Storms
http://threatpost.com/en_us/blogs/week-security-full-disclosure-rabbit-hole-re-opens-061110
(Dennis Fisher)
Number of times employer mentioned: 13
References: Robert Hansen/"RSnake", Dino Dai Zovi
Glenn Beck impersonation by: Robert Hansen/"RSnake"
(Dino was one of only three people I found who were quoted in support)
http://threatpost.com/en_us/blogs/attackers-exploiting-windows-help-center-flaw-061510
(Dennis Fisher)
Number of times employer mentioned: 1
References: Graham Cluley
http://www.theregister.co.uk/2010/06/11/google_microsoft_zeroday/
(John Oates)
Has subtitle of: "Impatient engineer called, but you were out, you f**ker"
Classy!
Number of times employer mentioned: 3
References: random full-disclosure poster Susan Bradley
makes reference to "other observers" (Hansen, Storms) further
perpetuating made-up scenario
http://www.zdnet.com/blog/security/googler-releases-windows-zero-day-exploit-microsoft-unimpressed/6659
(Ryan Naraine)
Number of times employer mentioned: 5
References: links to article by Robert Hansen/"RSnake" for a discussion
of "ethics"
http://news.cnet.com/8301-27080_3-20007421-245.html
(Elinor Mills)
Number of times employer mentioned: 17
References: Robert Hansen/"RSnake", Andrew Storms, HDM, fyodor
Glenn Beck impersonations by: Robert Hansen/"RSnake", Andrew Storms
(HDM and fyodor were the only other two found quoted in support, though
fyodor's not marked as explicit)
http://krebsonsecurity.com/2010/06/unpatched-windows-xp-flaw-being-exploited/
(Brian Krebs)
Number of times employer mentioned: 1
References: links to Donato Ferrante's blog, the actual technical
content that Graham Cluley editorialized and sensationalized
http://krebsonsecurity.com/2010/06/security-alert-for-windows-xp-users/
(Brian Krebs)
Number of times employer mentioned: 3
http://www.theregister.co.uk/2010/06/15/windows_help_bug_exploited/
(Dan Goodin)
Number of times employer mentioned: 0
References: links to Donato Ferrante's blog, the actual technical
content that Graham Cluley editorialized and sensationalized
http://www.theregister.co.uk/2010/06/10/windows_help_bug/
(Dan Goodin)
Number of times employer mentioned: 0
References: HDM
(HDM was one of three in support, but is only quoted for technical
relevance here)
Dan Goodin seems to be the only journalist in the group. I've even
removed the quotes because he actually did his job! Brian Krebs would
be a close second: he stuck to the technical content, though still
mentioned Tavis' employer several times (and the comments below his
articles (perhaps as a result) mirror that association). As for the rest,
they latched onto the manufactured controversy, copy+pasting gems from
Hansen, Storms, and Cluley among each other. You all fail, especially
John Oates -- you seriously call that reporting?
As a comparison, observe what was reported when Tavis let Microsoft sit
on the vm86 vulnerability for 7 months without a fix:
http://www.computerworld.com/s/article/9146820/Microsoft_confirms_17_year_old_Windows_bug
Moral here is: if you let the vendor sit on a 17 year old vulnerability
for 7 months and then go public when there's no fix yet, you get
thanked, but if you determine 5 days after responsibly reporting to
the vendor that a fix isn't coming any time soon and then go public,
Microsoft wants you to shut up, or else.
A recent quote from Wikileaks' twitter account seems apropos here,
though I would even extend the scope beyond journalists in this case:
"Bad journalists assume people are motivated by revenge or fame --
because that is what bad journalists are motivated by."
With this in mind, let's take a closer look at the three people constantly
quoted who helped create a controversy out of thin air. Since they
apparently have no sense of decency themselves and had no problem
maligning Tavis just for some media attention, I'm sure they won't mind
having their names and their company names reproduced below.
Graham Cluley, self-described "computer security expert"
Senior Technology Consultant for Sophos
Blog post located at:
http://www.sophos.com/blogs/gc/g/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/
Note the coincidentally inflammatory URL.
I'm commenting on almost every area of the post, so I won't include it
inline here. He starts off by associating Tavis with his employer,
repeating the already false claim that Tavis only gave Microsoft 5 days
to come up with a patch (he's able to make multiple updates to the blog
but conveniently doesn't fix this central inaccuracy). He calls Tavis
irresponsible, then mentions that luckily for the reader, Sophos (his
company's product) will protect you against the one website they found
exploiting the vulnerability, which they won't mention.
Cluley could use a clue about the definition of "proactive" though -- he
claims Sophos "proactively detects the page as Sus/HcpExpl-A", the link
showing the protection being available since June 14th, 4 days after
Tavis' advisory. It seems like a "reactive" detection of a
vulnerability that existed for 9 years which was only possible 4 days
after the fact, entirely due to Tavis' advisory. Antivirus is a joke in
itself, but that's a completely different topic.
A Slashdot commenter wrote the following about Graham Cluley:
"There are a lot of "go-to" commentators that the press goes to for
supposed insights about security. Graham is one of them. He's a smart
guy, but also one of the worst carnival-barkers in the industry; always
chasing stories. Here are a few classics:
* On Bluetooth phone viruses, [crn.com] apparently the next big
thing in malware (2004): "If you don't know about bluejacking these
messages can be quite a shock" (2004)
* On the groundswell of Mac malware: [techtree.com] "This means two
real viruses have emerged for the Mac OS X platform in less than a week.
The question on everyone's lips is - when will we see the next one, and
will it have a more malicious payload?" (2006)
* On "naming and shaming" [sophos.com] (his words) countries from
whose IP address space spam appears to emanate: "A new dirty 'gang of
four' - South Korea, Brazil, India and their ringleader USA - account
for over 30% of all the spam relayed by hacked computers around the
globe." (2010)
It is a bit rich that he's asking Tavis whether he "feels good about
himself." Just saying."
http://www.sophos.com/pressoffice/news/articles/2010/04/dirty-dozen.html
http://www.techtree.com/techtree/jsp/article.jsp?article_id=71444&cat_id=582
http://www.crn.com/security/56200605
Next we have Andrew Storms, Director of Security Operations at nCircle
Security. He had this to say:
"That's impossible, argued Andrew Storms, director of security operations
at nCircle Security. "[As a security researcher] you can't really
separate your work from your employer. So you have to wonder if
[Ormandy] isn't intentionally feeding the feud between Google and
Microsoft."
Like Hansen, Storms questioned Ormandy's decision to reveal his findings
just five days after he reported the vulnerability to Microsoft. "You
can't say in this case that the vendor was sitting on their hands, not
being responsive, which is why researchers usually go public, to force
[a vendor's] hand.
"This is no better than not reporting it to Microsoft," concluded
Storms."
Storms' other activities for the press include discussion of recently
reported vulnerabilities that he doesn't understand but will say
something generic like "the one in Internet Explorer is the most
important" just to get his nCircle Security's name in the news. In his
quotes used by the various "journalists" he advances the idea that Tavis'
disclosure of the vulnerability is some conspiratorial fueling of a feud
between Tavis' employer and Microsoft, despite the fact that the only
people associating it with Tavis' employer are commentators like Storms.
Finally we have the turd wrapped up in an enigma that is
Robert Hansen/"RSnake", CEO of SecTheory
Reading his post:
http://threatpost.com/en_us/blogs/does-google-have-double-standard-full-disclosure-061010
http://ha.ckers.org/blog/20100610/windows-help-centre-vuln/
it's clear that he has an axe to grind with Tavis' employer. He creates
the false, repeated claim that Tavis only gave Microsoft 5 days to
create a fix (not only that, he assigns this fault to Tavis' employer,
not Tavis himself). He then, again falsely, claims that Tavis wasn't
doing this in his own time, simply because some other individuals with
the same employer appear in his greets section. Maybe they don't teach
this in clickjacking training, an extensive 5 week course, but "greets"
is short for "greetings" -- I've been mentioned in the list before, but
it didn't mean I had anything to do with the vulnerability discovery or
released exploit. Not to mention that there's nothing wrong with two
employees of the same company collaborating on projects (or in
this case, specific smaller aspects of a larger project) outside of work
-- being friends with others in the community, many of whom work for the
same large companies, is nothing unusual.
"RSnake" then complains about the hostname Tavis chose to use for links
in his advisory. Finally, after an entire article focusing on Tavis'
motives and ethics, he ends it with "I don't mean to say anything bad
about Tavis" -- he means it so much he made a blog post trashing him,
reposted to another site, and repeated the same lies to any reporter
that would listen to him. Towards the end of his comments on his
ha.ckers.org blog, before locking it from additional comments because
people didn't agree with him, he states: "I'm over it." After calling
for one of the most well-known and respected researchers to be fired and
repeating those comments to reporters, I'm glad you had the empathy to
finally conclude that everything is ok now and that you're over it,
because surely Tavis hasn't been affected at all by your reckless,
idiotic statements. You stay classy out there, scumbag.
Some final comments:
Microsoft should strongly reconsider their actions. If this were any
other security researcher, how likely would that researcher be to
cooperate in a "responsible" fashion in the future, for free? How
likely would they be to sit in on phone conferences trying to convince
Microsoft that a vulnerability is exploitable and important? How likely
instead, now being treated as some kind of outlaw instead of a person
for whom security is genuinely important, would they be to profit off
their finding obtained in their own time? Does Microsoft believe
they're improving security if these vulnerabilities are instead sold to
the highest domestic/foreign bidder? Or is it only the appearance of
security they're interested in? Don't bite the hand that feeds you --
any alternative action by a researcher due to chilling effects is worse
for security than what Microsoft is scolding Tavis for. Punishing Tavis
plays into the interests of the anti-sec crowd who want him humiliated
to the point that he quits killing bugs so that the bugs can continue to
be exploited in private.
Is Tavis unethical because his personal views on vulnerability
disclosure that he practices in his own time differ from those of his
employer? As a reminder of this foolish argument from authority, said
employer is the same one that we recently discovered thought it was
perfectly ethical to secretly and purposefully sniff WiFi traffic in
countries all over the world. Is anyone seriously questioning that
Tavis has ulterior motives, given that he spends much of his free time
finding vulnerabilities and reporting them to vendors for free? Anyone
who knows Tavis knows his ethics and integrity are beyond reproach;
libel seems to be reserved for the others.
Locke, via Leibniz in "New Essays on Human Understanding" said,
"boldness is the power to speak or do what we intend, before others,
without being intimidated."
It takes a bold, ethical person like Tavis to do what he did. He should
be supported and defended by the community, not allowed to be ostracized
and raked over the coals in the press by attention-seeking CEOs with an
axe to grind.
TL;DR: If we don't collectively stick up for Tavis, we're all hurting
our ability to perform our jobs objectively in the future, slaves to the
multi-billion dollar corporations taking our free work and creating the
illusion that we have any responsibility to feed into their damage
control systems.
tags: horrible security company corporate shills bandwagon responsible
disclosure useless analysis microsoft vulnerabilities snake oil salesmen
cargo cult rsnake is a fool everything i needed to know about clickjacking i
learned in elementary school cluley clueless those who can do those who
can't are named andrew storms and write blog entries about mundane
topics rsnakeoil secconspiracy ncirclejerk
ItUk-5FI0Ek
<part where I drop the microphone>
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave