Re: Rate Stratfor's Incident Response
From: Benjamin Kreuter <ben.kreuter () gmail com>
Date: Sat, 14 Jan 2012 15:29:37 -0500
-----BEGIN PGP SIGNED MESSAGE-----
On Sat, 14 Jan 2012 13:11:37 -0600
Paul Schmehl <pschmehl_lists () tx rr com> wrote:
> --On January 14, 2012 8:33:13 AM -0700 Sanguinarious Rose
> <SanguineRose () OccultusTerra com> wrote:
>> I've been watching this chat for a while and I have to say a lot of
>> views here do not impress me and in fact why I will never report a
>> vulnerability if I found one. Why would I want to even risk getting
>> arrested and/or FBI trouble from observing a security flaw? My
>> policy on finding them is to quietly just move along. I'm sure I
>> am not the only one that does this or has come to such a conclusion of
>> whether it is even worth the trouble.
> The reaction of a security professional like me to this is, why
> aren't you looking for security flaws on your own site?
You / your organization's developers wrote your system, perhaps
building on some other systems. That gives me the intellectual
challenge of trying to find the flaws in *your* design. It is just a
different sort of game from finding flaws in my own designs.
> Why are you
> looking for security flaws on other people's sites? If you want to
> do security research, set up a site virtually and bang away at it to
> your heart's content. Then report your findings.
Meanwhile, your systems continue to be vulnerable, and the bad guys who
want to exploit those vulnerabilities for criminal purposes will
continue to do so. Unless your system is just a bunch of off-the-shelf
components that you assembled, there are going to be parts of your
system that you wrote yourself, and that in all likelihood will be
vulnerable to some sort of attack. It helps if someone who is not
familiar with your development process and who is not operating under
the same assumptions that you are operating under tries to attack that
Most places do not already have in-house pen testers for these things,
so the only way they will get any useful information on the security of
their systems is if someone tries to attack them.
>> I like how the assumptions are always this person is horrible and
>> bad for having found a security flaw, he must not be trusted and
>> treated like a criminal.
> You missed the point. It isn't that I think that you're a criminal.
> It's that, as a security professional, I cannot take the chance that
> you are not.
It is more that if one person found the vulnerability, then any number
of other people might have found and exploited it. What makes you
think that the first person to identify a problem is the only person to
have spotted it? Again, I would be more worried about the people who
might have found the vulnerability and not reported it than the person
who found the vulnerability and did report it.
> So why do you think it's acceptable for you to do some minimal work
> to force others to do lots of extra work?
Or perhaps save a lot of work, by identifying a vulnerability before it
is exploited by someone who creates a big mess.
> Nobody's talking about punishing people for finding security flaws,
That is pretty much how I read a lot of the comments in this
discussion. People are basically saying that the only way someone
could report a problem without facing prosecution is if they stop at
the hypothetical part -- "You seem to be running an old version of
Apache that could be attacked using this buffer overflow." It is hard
to convince anyone that a hypothetical problem needs to be fixed, and
it is easy to dismiss someone who provides no evidence. Just take a
look at the argument between Red Hat's SELinux team and the Mozilla
developers on the topic of writable/executable memory if you think
hypothetical attacks are enough to convince people about security
> but you're punishing the security professionals
By telling them that there is an exploitable vulnerability in their
system? Their job is to fix those problems; how is reporting problems
to them in any way a punishment?
> If I find a vulnerability in
> our assets, I can simply fix or remediate the problem. If you find
> it, I have to treat it as a breach, or I'm not doing my job.
So if you found a vulnerability, you would not immediately audit the
vulnerable system? You have no concerns about all those hackers out
there who might not have bothered to report the problem to you?
> It's 2012. I seriously doubt most sites ignore vulnerabilities any
Really, you doubt that? You can still access security cameras in
arbitrary places by entering the right keywords into Google. A lot of
people run unpatched WordPress blogs. There are still SQL injection
attacks out there, XSS attacks, and CSRF attacks. People are still not
salting password hashes, and in some cases they are storing passwords
in the clear. Many websites are still not using TLS for things like
These are basic, common, well-known vulnerabilities that people are
ignoring, and these only cover problems related to websites; plenty
more problems exist with other systems. We have a long way to go
before we can say that vulnerabilities are not being ignored.
> We HAVE learned a few things over the years. We are constantly
> auditing for flaws, assessing for flaws and insisting that flaws are
*You* and your organization might be doing that. All you need to do is
read the details about attacks that make the news to see that plenty of
high profile companies are not doing that.
> We don't need your help to do our jobs. I can assure you
> that we are not sitting around waiting for someone like you to help
Good for your organization, but what about all those others who are not
auditing, who do not take security seriously, and who are not going to
listen to people who come to them with hypothetical attacks?
-- Ben
Benjamin R Kreuter
UVA Computer Science
brk7bx () virginia edu
"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/