Dailydave mailing list archives

Hyenas of the Security Industry

From: Brad Spengler <spender () grsecurity net>

Date: Fri, 18 Jun 2010 00:01:19 +0200

By now, most on this list and elsewhere have read from various news sources the "controversy" regarding Tavis Ormandy's recent full-disclosure of a vulnerability in older versions of Microsoft Windows. The advisory was posted here: http://seclists.org/fulldisclosure/2010/Jun/205 from Tavis' personal email account on his own personal time, and as mentioned in his advisory, represented no agency or person but himself.

It was disgusting to see not only the resulting press but also the response (or more accurately, the lack thereof) from the security community (if such a thing exists anymore). So since most researchers in the security community have had their spines and sense of justice/fairness contractually removed by their respective employers, I'd like to comment on some of these topics. The purpose of my mail is to call out (by name) the individuals, "journalists", and companies that manufactured the controversy for their own benefit.

The only thing Tavis did wrong was assume his readership understood the details of his situation as well as he did. The clarity regarding what happened during the five days between private and public disclosure wasn't there, leading to rampant speculation and inaccuracies that continued even after Tavis corrected them. How many vulnerabilities Tavis has "responsibly" reported to Microsoft isn't known by most because such reports aren't often newsworthy. The only carrot-on-a-stick Microsoft used to be able to offer to independent researchers was recognition within their advisories. I don't find this to be any significant motivator at all. Red Hat has the same policy as well, but unfortunately for the vendors that adopt this policy it doesn't affect public recognition. Though Microsoft won't acknowledge the author of a vulnerability that is not "responsibly disclosed", everyone else will.
Not that any kind of recognition is particularly important for some -- using one's own name can just be due to a disinterest in the usefulness of submitting a report from an alias with an anonymous email address. The upsetting trend (which I imagine has been keeping security companies playing along with Microsoft's silly game) is for Microsoft to call into question the ethics of the reporter, and even if that reporter was acting independently, tying that question of ethics to the reporter's employer. This wasn't some flippant reaction by a random MSRC employee; the Director of MSRC, Mike Reavey, mentioned Tavis' employer three times in his blog regarding the vulnerability:

http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx

It was an intentional (and successful) attempt at framing the discussion that was repeated endlessly by the media.

Speaking of framing discussions, we need to reject the legitimacy of the phrase "responsible disclosure." It's a loaded term that by itself implies that any other kind of disclosure is irresponsible. Such a claim couldn't be farther from the truth. "Responsible disclosure" is an invention of the vendors to reduce public embarrassment and allow them to sit on the bugs for as long as they feel like, as long as they keep coming up with excuses. Researchers wanted a deadline to prevent exactly that situation (as Tavis requested for his vulnerability), but it seems that more and more, any kind of public disclosure is regarded as irresponsible, even if a vendor says they won't fix it in two months.
http://www.zerodayinitiative.com/advisories/upcoming/ shows how well that "responsible" disclosure is working out:

ZDI-CAN-357 Microsoft High 2008-06-25, 720 days ago
ZDI-CAN-527 Microsoft High 2009-07-14, 336 days ago
ZDI-CAN-533 Microsoft High 2009-07-23, 327 days ago
ZDI-CAN-543 Microsoft High 2009-08-06, 313 days ago
ZDI-CAN-599 Microsoft High 2009-10-20, 239 days ago

What's responsible about letting a vendor sit on a serious vulnerability for almost two years? I can't think of a catchier phrase to describe what's going on here ("Damage Control Disclosure" perhaps? maybe someone else can think of something more clever), but it's effectively:

"Give us the vulnerability for free, argue with us in phone conferences about its importance and exploitability, then let us sit on it for as long as we want, providing excuse x, y, and z if necessary to delay a fix. In return, we will give you a gold star and not actively attempt to create a controversy in order to have you fired from your job or sink your company, so that we can retain our image. At least, as long as you keep playing by these rules -- don't think about trying to actually enforce any deadlines on that most important vulnerability out of the 20 total you reported."

It's clear why this is so attractive to the industry! It's also curious how much complaining is done when Microsoft/Adobe/etc don't fix a vulnerability overnight when an exploit for it gets reported as being found in the wild, yet many of the same people are now complaining that Microsoft wasn't given 60 days that they won't need to produce a patch -- talk about double standards. Will we now see a patch within 60 days that was previously impossible?

On to an analysis of the coverage by "journalists." I'm not quite sure why there's a need for so many of them, when they all have about the same level of understanding and repeat the same misinformation from the same sources.
I was interested in my analysis of how many times Tavis' employer was mentioned in the article, who the references were for the article, and whether the information provided by said references was a Glenn Beck-style invention of the imagination (dramatization: "well yes, he claimed he was acting alone, but he mentions at least one other person in his greets section who also has the same employer! Now, I know nothing about this person, but based on this alone...don't you find it interesting? I'm just the one asking questions here!")

Here's my summary with links:

http://threatpost.com/en_us/blogs/does-google-have-double-standard-full-disclosure-061010
http://ha.ckers.org/blog/20100610/windows-help-centre-vuln/ (Robert Hansen)
  References: his own massive brain
  Number of times employer mentioned: 14

http://www.computerworld.com/s/article/9178084/Hackers_exploit_Windows_XP_zero_day_Microsoft_confirms (Gregg Keizer)
  Number of times employer mentioned: 3
  References: Graham Cluley, Andrew Storms
  Glenn Beck impersonation from: Graham Cluley

http://www.computerworld.com/s/article/9177966/Microsoft_confirms_critical_Windows_XP_bug (Gregg Keizer)
  Number of times employer mentioned: 7
  References: Robert Hansen/"RSnake", Andrew Storms
  Glenn Beck impersonation from: Robert Hansen/"RSnake"

http://www.computerworld.com/s/article/9177948/Google_researcher_gives_Microsoft_5_days_to_fix_XP_zero_day_bug (Gregg Keizer)
  Number of times employer mentioned: 16
  References: Robert Hansen/"RSnake", Andrew Storms, Secunia, VUPEN Security
  Glenn Beck impersonations from: Robert Hansen/"RSnake", Andrew Storms

http://threatpost.com/en_us/blogs/week-security-full-disclosure-rabbit-hole-re-opens-061110 (Dennis Fisher)
  Number of times employer mentioned: 13
  References: Robert Hansen/"RSnake", Dino Dai Zovi
  Glenn Beck impersonation by: Robert Hansen/"RSnake"
  (Dino was one of only three people I found who were quoted in support)

http://threatpost.com/en_us/blogs/attackers-exploiting-windows-help-center-flaw-061510 (Dennis Fisher)
  Number of times employer mentioned: 1
  References: Graham Cluley

http://www.theregister.co.uk/2010/06/11/google_microsoft_zeroday/ (John Oates)
  Has subtitle of: "Impatient engineer called, but you were out, you f**ker" Classy!
  Number of times employer mentioned: 3
  References: random full-disclosure poster Susan Bradley makes reference to "other observers" (Hansen, Storms), further perpetuating the made-up scenario

http://www.zdnet.com/blog/security/googler-releases-windows-zero-day-exploit-microsoft-unimpressed/6659 (Ryan Naraine)
  Number of times employer mentioned: 5
  References: links to article by Robert Hansen/"RSnake" for a discussion of "ethics"

http://news.cnet.com/8301-27080_3-20007421-245.html (Elinor Mills)
  Number of times employer mentioned: 17
  References: Robert Hansen/"RSnake", Andrew Storms, HDM, fyodor
  Glenn Beck impersonations by: Robert Hansen/"RSnake", Andrew Storms
  (HDM and fyodor were the only other two found quoted in support, though fyodor's not marked as explicit)

http://krebsonsecurity.com/2010/06/unpatched-windows-xp-flaw-being-exploited/ (Brian Krebs)
  Number of times employer mentioned: 1
  References: links to Donato Ferrante's blog, the actual technical content that Graham Cluley editorialized and sensationalized

http://krebsonsecurity.com/2010/06/security-alert-for-windows-xp-users/ (Brian Krebs)
  Number of times employer mentioned: 3

http://www.theregister.co.uk/2010/06/15/windows_help_bug_exploited/ (Dan Goodin)
  Number of times employer mentioned: 0
  References: links to Donato Ferrante's blog, the actual technical content that Graham Cluley editorialized and sensationalized

http://www.theregister.co.uk/2010/06/10/windows_help_bug/ (Dan Goodin)
  Number of times employer mentioned: 0
  References: HDM (HDM was one of three in support, but is only quoted for technical relevance here)

Dan Goodin seems to be the only journalist in the group.
I've even removed the quotes because he actually did his job! Brian Krebs would be a close second: he stuck to the technical content, though still mentioned Tavis' employer several times (and the comments below his articles (perhaps as a result) mirror that association). As for the rest, they latched onto the manufactured controversy, copy+pasting gems from Hansen, Storms, and Cluley among each other. You all fail, especially John Oates -- you seriously call that reporting?

As a comparison, observe what was reported when Tavis let Microsoft sit on the vm86 vulnerability for 7 months without a fix:

http://www.computerworld.com/s/article/9146820/Microsoft_confirms_17_year_old_Windows_bug

Moral here is: if you let the vendor sit on a 17 year old vulnerability for 7 months and then go public when there's no fix yet, you get thanked, but if you determine 5 days after responsibly reporting to the vendor that a fix isn't coming any time soon and then go public, Microsoft wants you to shut up, or else.

A recent quote from Wikileaks' twitter account seems apropos here, though I would even extend the scope beyond journalists in this case: "Bad journalists assume people are motivated by revenge or fame -- because that is what bad journalists are motivated by."

With this in mind, let's take a closer look at the three people constantly quoted who helped create a controversy out of thin air. Since they apparently have no sense of decency themselves and had no problem maligning Tavis just for some media attention, I'm sure they won't mind having their names and their company names reproduced below.

Graham Cluley, self-described "computer security expert", Senior Technology Consultant for Sophos

Blog post located at: http://www.sophos.com/blogs/gc/g/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/

Note the coincidentally inflammatory URL. I'm commenting on almost every area of the post, so I won't include it inline here.
He starts off by associating Tavis with his employer, repeating the already false claim that Tavis only gave Microsoft 5 days to come up with a patch (he's able to make multiple updates to the blog but conveniently doesn't fix this central inaccuracy). He calls Tavis irresponsible, then mentions that luckily for the reader, Sophos (his company's product) will protect you against the one website they found exploiting the vulnerability, which they won't mention. Cluley could use a clue about the definition of "proactive" though -- he claims Sophos "proactively detects the page as Sus/HcpExpl-A", the link showing the protection being available since June 14th, 4 days after Tavis' advisory. It seems like a "reactive" detection of a vulnerability that existed for 9 years which was only possible 4 days after the fact, entirely due to Tavis' advisory. Antivirus is a joke in itself, but that's a completely different topic.

A Slashdot commenter wrote the following about Graham Cluley:

"There are a lot of "go-to" commentators that the press goes to for supposed insights about security. Graham is one of them. He's a smart guy, but also one of the worst carnival-barkers in the industry; always chasing stories. Here are a few classics:

* On Bluetooth phone viruses, [crn.com] apparently the next big thing in malware (2004): "If you don't know about bluejacking these messages can be quite a shock" (2004)

* On the groundswell of Mac malware: [techtree.com] "This means two real viruses have emerged for the Mac OS X platform in less than a week. The question on everyone's lips is - when will we see the next one, and will it have a more malicious payload?" (2006)

* On "naming and shaming" [sophos.com] (his words) countries from whose IP address space spam appears to emanate: "A new dirty 'gang of four' - South Korea, Brazil, India and their ringleader USA - account for over 30% of all the spam relayed by hacked computers around the globe." (2010)

It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying."

http://www.sophos.com/pressoffice/news/articles/2010/04/dirty-dozen.html
http://www.techtree.com/techtree/jsp/article.jsp?article_id=71444&cat_id=582
http://www.crn.com/security/56200605

Next we have Andrew Storms, Director of Security Operations at nCircle Security. He had this to say:

"That's impossible, argued Andrew Storms, director of security operations at nCircle Security. "[As a security researcher] you can't really separate your work from your employer. So you have to wonder if [Ormandy] isn't intentionally feeding the feud between Google and Microsoft." Like Hansen, Storms questioned Ormandy's decision to reveal his findings just five days after he reported the vulnerability to Microsoft. "You can't say in this case that the vendor was sitting on their hands, not being responsive, which is why researchers usually go public, to force [a vendor's] hand. "This is no better than not reporting it to Microsoft," concluded Storms."

Storms' other activities for the press include discussion of recently reported vulnerabilities that he doesn't understand but will say something generic like "the one in Internet Explorer is the most important" just to get nCircle Security's name in the news. In his quotes used by the various "journalists" he advances the idea that Tavis' disclosure of the vulnerability is some conspiratorial fueling of a feud between Tavis' employer and Microsoft, despite the fact that the only people associating it with Tavis' employer are commentators like Storms.

Finally we have the turd wrapped up in an enigma that is Robert Hansen/"RSnake", CEO of SecTheory. Reading his post:

http://threatpost.com/en_us/blogs/does-google-have-double-standard-full-disclosure-061010
http://ha.ckers.org/blog/20100610/windows-help-centre-vuln/

it's clear that he has an axe to grind with Tavis' employer.
He creates the false, repeated claim that Tavis only gave Microsoft 5 days to create a fix (not only that, he assigns this fault to Tavis' employer, not Tavis himself). He then, again falsely, claims that Tavis wasn't doing this in his own time, simply because some other individuals with the same employer appear in his greets section. Maybe they don't teach this in clickjacking training, an extensive 5 week course, but "greets" is short for "greetings" -- I've been mentioned in the list before, but it didn't mean I had anything to do with the vulnerability discovery or released exploit. Not to mention that there's nothing wrong with two employees of the same company collaborating on projects (or in this case, specific smaller aspects of a larger project) outside of work -- being friends with others in the community, many of whom work for the same large companies, is nothing unusual.

"RSnake" then complains about the hostname Tavis chose to use for links in his advisory. Finally, after an entire article focusing on Tavis' motives and ethics, he ends it with "I don't mean to say anything bad about Tavis" -- he means it so much he made a blog post trashing him, reposted to another site, and repeated the same lies to any reporter that would listen to him. Towards the end of his comments on his ha.ckers.org blog, before locking it from additional comments because people didn't agree with him, he states: "I'm over it." After calling for one of the most well-known and respected researchers to be fired and repeating those comments to reporters, I'm glad you had the empathy to finally conclude that everything is ok now and that you're over it, because surely Tavis hasn't been affected at all by your reckless, idiotic statements. You stay classy out there, scumbag.

Some final comments:

Microsoft should strongly reconsider their actions.
If this were any other security researcher, how likely would that researcher be to cooperate in a "responsible" fashion in the future, for free? How likely would they be to sit in on phone conferences trying to convince Microsoft that a vulnerability is exploitable and important? How likely instead, now being treated as some kind of outlaw instead of a person for whom security is genuinely important, would they be to profit off their finding obtained in their own time? Does Microsoft believe they're improving security if these vulnerabilities are instead sold to the highest domestic/foreign bidder? Or is it only the appearance of security they're interested in? Don't bite the hand that feeds you -- any alternative action by a researcher due to chilling effects is worse for security than what Microsoft is scolding Tavis for. Punishing Tavis plays into the interests of the anti-sec crowd who want him humiliated to the point that he quits killing bugs so that the bugs can continue to be exploited in private.

Is Tavis unethical because his personal views on vulnerability disclosure that he practices in his own time differ from those of his employer? As a reminder of this foolish argument from authority, said employer is the same one that we recently discovered thought it was perfectly ethical to secretly and purposefully sniff WiFi traffic in countries all over the world. Is anyone seriously questioning that Tavis has ulterior motives, given that he spends much of his free time finding vulnerabilities and reporting them to vendors for free? Anyone who knows Tavis knows his ethics and integrity are beyond reproach; libel seems to be reserved for the others.

Locke, via Leibniz in "New Essays on Human Understanding" said, "boldness is the power to speak or do what we intend, before others, without being intimidated." It takes a bold, ethical person like Tavis to do what he did.
He should be supported and defended by the community, not allowed to be ostracized and raked over the coals in the press by attention-seeking CEOs with an axe to grind.

TL;DR: If we don't collectively stick up for Tavis, we're all hurting our ability to perform our jobs objectively in the future, slaves to the multi-billion dollar corporations taking our free work and creating the illusion that we have any responsibility to feed into their damage control systems.

tags: horrible security company corporate shills bandwagon responsible disclosure useless analysis microsoft vulnerabilities snake oil salesmen cargo cult rsnake is a fool everything i needed to know about clickjacking i learned in elementary school cluley clueless those who can do those who can't are named andrew storms and write blog entries about mundane topics rsnakeoil secconspiracy ncirclejerk

ItUk-5FI0Ek

<part where I drop the microphone>
