lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 14 Jan 2012 15:29:37 -0500
From: Benjamin Kreuter <ben.kreuter@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Rate Stratfor's Incident Response

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Sat, 14 Jan 2012 13:11:37 -0600
Paul Schmehl <pschmehl_lists@...rr.com> wrote:

> --On January 14, 2012 8:33:13 AM -0700 Sanguinarious Rose 
> <SanguineRose@...ultusTerra.com> wrote:
> 
> > I've been watching this chat for a while and I have to say a lot of
> > views here does not impress me and in fact why I will never report a
> > vulnerability if I found one. Why would I want to even risk getting
> > arrested and/or FBI trouble from observing a security flaw? My
> > policy on finding them is to quietly just move a long. I'm sure I
> > am not the only one that does this or come to such a conclusion of
> > is it even worth the trouble.
> >
> 
> The reaction of a security professional like me to this is, why
> aren't you looking for security flaws on your own site?

You / your organization's developers wrote your system, perhaps
building on some other systems.  That gives me the intellectual
challenge of trying to find the flaws in *your* design.  It is just a
different sort of game from finding flaws in my own designs.

>  Why are you
> looking for security flaws on other people's sites?  If you want to
> do security research, setup a site virtually and bang away at it to
> your heart's content.  Then report your findings.

Meanwhile, your systems continue to be vulnerable, and the bad guys who
want to exploit those vulnerabilities for criminal purposes will
continue to do so.  Unless you system is just a bunch of off-the-shelf
components that you assembled, there are going to be parts of your
system that you wrote yourself, and that in all likelihood will be
vulnerable to some sort of attack.  It helps if someone who is not
familiar with your development process and who is not operating under
the same assumptions that you are operating under tries to attack that
system.

Most places do not already have in-house pen testers for these things,
so the only way they will get any useful information on the security of
their systems is if someone tries to attack them.

> > I like how the assumptions are always this person is horrible and
> > bad for have founding a security flaw, he must not be trusted and
> > treated like a criminal.
> 
> You missed the point.  It isn't that I think that you're a criminal.
> It's that, as a security professional, I cannot take the chance that
> you are not.

It is more that if one person found the vulnerability, then any number
of other people might have found and exploited it.  What makes you
think that the first person to identify a problem is the only person to
have spotted it?  Again, I would be more worried about the people who
might have found the vulnerability and not reported it than the person
who found the vulnerability and did report it.

> So why do you think it's acceptable for you to do some minimal work
> to force others to do lots of extra work?

Or perhaps save a lot of work, by identifying a vulnerability before it
is exploited by someone who creates a big mess.

> Nobody's talking about punishing people for finding security flaws,

That is pretty much how I read a lot of the comments in this
discussion.  People are basically saying that the only way someone
could report a problem without facing prosecution is if they stop at
the hypothetical part -- "You seem to be running an old version of
Apache that could be attacked using this buffer overflow."  It is hard
to convince anyone that a hypothetical problem needs to be fixed, and
it is easy to dismiss someone who provides no evidence.  Just take a
look at the argument between Red Hat's SELinux team and the Mozilla
developers on the topic of writable/executable memory if you think
hypothetical attacks are enough to convince people about security
problems.

> but you're punishing the security professionals

By telling them that there is an exploitable vulnerability in their
system?  Their job is to fix those problems; how is reporting problems
to them in any way a punishment?

>  If I find a vulnerability in
> our assets, I can simply fix or remediate the problem.  If you find
> it, I have to treat it as a breach, or I'm not doing my job.

So if you found a vulnerability, you would not immediately audit the
vulnerable system?  You have no concerns about all those hackers out
there who might not have bothered to report the problem to you?
 
> It's 2012.  I seriously doubt most sites ignore vulnerabilities any
> more.

Really, you doubt that?  You can still access security cameras in
arbitrary places by entering the right keywords into Google.  A lot of
people run unpatched Wordpress blogs. There are still SQL injection
attacks out there, XSS attacks, and CSRF attacks.  People are still not
salting password hashes, and in some cases they are storing passwords
in the clear.  Many websites are still not using TLS for things like
logins.

These are basic, common, well-known vulnerabilities that people are
ignoring, and these only cover problems related to  websites; plenty
more problems exist with other systems.  We have a long way to go
before we can say that vulnerabilities are not being ignored.

> We HAVE learned a few things over the years.  We are constantly
> auditing for flaws, assessing for flaws and insisting that flaws are
> corrected.

*You* and your organization might be doing that.  All you need to do is
read the details about attacks that make the news to see that plenty of
high profile companies are not doing that.

>  We don't need your help to do our jobs.  I can assure you
> that we are not sitting around waiting for someone like you to help
> us.

Good for your organization, but what about all those others who are not
auditing, who do not take security seriously, and who are not going to
listen to people who come to them with hypothetical attacks?

- -- Ben



- -- 
Benjamin R Kreuter
UVA Computer Science
brk7bx@...ginia.edu

- --

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBCgAGBQJPEeWxAAoJEOV0+MnZK9ij/H4P/jFFymQcDhiAwjZga1as0MzI
dP2nZoQ3i6YKhObSDRh6NUinLZ/DaVx6wTetV+HM4CUSOvswhFMXhLpedR8ARt6s
PPV6s2RtrqsJohS9g5gftjYPqq01/4k9nbIgDr0qBO8/Jw/JWlYhvDPcqRGIfMhA
hiCvBod1sVK9bJY8LKVGl8B++nKxHuo0nLBlTWlIYw6ronyhn15kuwlk6eoD0ATI
mQFRalFHo8gEUOYbjQOQi0Bul/rrgZNa9psc5oJ0LN/90clAEOqFbdfnyiGEcxLg
bUGBky2nrii6TK/Biq7hjuy5ViXjE7NNnDzW8duu/U99sQ+MYb4fyeNkKeXYD4A+
gCDDdvXDBXo/fsJVHNfp6okfg7bE8hSJl7KIqqgMwwbm1w9caQA8iQYsqOROt7h+
9DMnFXotrBk5j6lj9BrgJGDIGdAz2cToB/OOMY/IoQT99VK117iIWHm05TO4MffG
5JsMPjqMdXpbdQHZT7iFZ4ijqrrDGfVh6/iXbq9YSHdJ/jb723Dauw0/i6QnTe1J
P9lehxONlNYhUeOzKwFovk0BNmPSWhf65cyi5+WCS4/ZqQsSu/BthuD9HqnLQG9N
RlXFagUrJ59ZVBL1aqesYXRQQFHQHZVXMXDq5OgLdbcUnpo7EM+rXAR+fFpqOAbw
YU/DaNgo3SIgTTOhkjad
=1phK
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists