Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Rate Stratfor's Incident Response
From: Sanguinarious Rose <SanguineRose () OccultusTerra com>
Date: Sat, 14 Jan 2012 14:21:21 -0700

On Sat, Jan 14, 2012 at 12:11 PM, Paul Schmehl <pschmehl_lists () tx rr com> wrote:
--On January 14, 2012 8:33:13 AM -0700 Sanguinarious Rose
<SanguineRose () OccultusTerra com> wrote:

I've been watching this chat for a while and I have to say a lot of
views here does not impress me and in fact why I will never report a
vulnerability if I found one. Why would I want to even risk getting
arrested and/or FBI trouble from observing a security flaw? My policy
on finding them is to quietly just move a long. I'm sure I am not the
only one that does this or come to such a conclusion of is it even
worth the trouble.

The reaction of a security professional like me to this is, why aren't you
looking for security flaws on your own site?  Why are you looking for
security flaws on other people's sites?  If you want to do security
research, setup a site virtually and bang away at it to your heart's
content.  Then report your findings.

I don't normally go around looking unless asked. However it's rather
hard not to notice sites that display php errors and sometimes in
normal usage sql errors. Some of them are so bad it's like having a
pink elephant in the middle of a room with a sign that says
"vulnerable". A good example which I've personally seen more than once
is during normal website usage is searching the website using their
built in search and noticing it doesn't sanitize it's input. It's
rather hard not to notice that once you have the eye for it.

I have also noticed software that is way too old running and keeping
up with security bulletins I often know it's vulnerable. it's like
another pink elephant.

There is of course an exception to that is a guy trying to come off as
some big hot shot security expert super hacker which I will leave
nameless that I really love tormenting. He loves downloading and
running these really really bad free php scripts from the 90s by how
some of them are coded. It usually only takes 10 minutes tops before I
found a few flaws, point them out by line number, and watch him silent
rage and remove the script from his server. For clarification the
source code of these scripts being freely available and I did not
actively test the located flaws on his server so nothing I did was
illegal.Given the non-importance I did not confirm them on my own dev

I like how the assumptions are always this person is horrible and bad
for have founding a security flaw, he must not be trusted and treated
like a criminal.

You missed the point.  It isn't that I think that you're a criminal.  It's
that, as a security professional, I cannot take the chance that you are not.
 I am forced to do due diligence, take the server offline, do forensics,
etc.  That's a lot of work, time spent and disruption of my normal duties,
all you so you can feel proud about finding a vulnerability.  The cost to
you is minimal.  To me, it's expensive.

I never doubted fixing the problem can sometimes be work intensive in
some situations and if someone else has used it maliciously.

So why do you think it's acceptable for you to do some minimal work to force
others to do lots of extra work?

Fixing a problem reported as part of your job description is so...
bad? I would be happier if someone reported it rather than reading
about it in the news.

Why would he even be reporting it to begin with if
his goal is abusing the security flaw? After all the audacity of this
dangerous cyber criminal took the time to tell you about the flaw in
an email and should be punished for their indiscretion of reporting

Nobody's talking about punishing people for finding security flaws, but
you're punishing the security professionals for the "pleasure" of finding
vulnerabilities on their site.  If I find a vulnerability in our assets, I
can simply fix or remediate the problem.  If you find it, I have to treat it
as a breach, or I'm not doing my job.

I would call "punishing people" using the flaw to embarrass and damage
the company rather then discreetly reporting it but that is just me

The analogies of a house is a very very bad one. Do you expect
thousands of people to be walking around your house akin to viewing
the website?

I think thousands of people walking or driving past my house and looking at
it as they go by is perfectly normal.  What's not normal is for one of them
to pull over, get out of their car, walk up to my door and check to see if
it's unlocked, walk around the house checking all the windows and doors,
etc., etc.

A more appropriate one would be a public store with doors
happen to be unlocked to completely open.

As Valdis pointed out, even public stores have private areas where you are
not allowed.  You go there and someone is going to question you, maybe even
arrest you depending upon what you're doing.

This is still a bad analogy considering the internet is very different
than life. A private area keeping with this bad analogy would be more
akin to a login screen and trying to break it which is no doubt
illegal. However how do you not notice say the key being in the door,
the door being wide open with important things inside, etc. and being
in legal trouble for telling someone that works there about it?

"If it's not broken don't fix it" is the classical saying of many
individuals and sadly even more apply it to security. Even reporting
the flaw in some cases results not in fixing it but legal troubles for
the person reporting it. You would think they might want to fix it
after being informed about it right? After all if it works why fix it?
Why not silence that bad apple that found the flaw and no one else
will know kinda like daddy's little secret.

It's 2012.  I seriously doubt most sites ignore vulnerabilities any more. We
HAVE learned a few things over the years.  We are constantly auditing for
flaws, assessing for flaws and insisting that flaws are corrected.  We don't
need your help to do our jobs.  I can assure you that we are not sitting
around waiting for someone like you to help us.

As I said for me personally I don't report anything I come across so I
wouldn't fit the "need your help to do our jobs". Judging by the tone
of "We don't need your help to do our jobs", "sitting around waiting
for someone like you to help us" and from earlier "force others to do
lots of extra work" you rather don't appreciate filling your job

Paul Schmehl, If it isn't already

obvious, my opinions are my own
and not those of my employer.
"When intelligence argues with stupidity and bias,
intelligence is bound to lose; intelligence has limits,
but stupidity and bias have none."

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]