Dailydave mailing list archives

Re: Hyenas of the Security Industry


From: dislosure () hushmail com
Date: Sat, 19 Jun 2010 15:52:04 +0800

Such a long post, Spender. I agree with many of your arguments, but I also agree with many of RSnake's opinions. I don't want to talk about who's right or wrong; I just want to point out some facts.

-------------------------------------------------------------
Fact 1. Tavis actually only gave Microsoft ~3 business working days to fix the bug
- He sent the bug to Microsoft at the end of Friday, Jun 05, 2010, about 21:00 to 21:30 GMT+2 (his timezone) (http://twitter.com/taviso/status/15502740844)
- He sent out the 0day to FD on Thu, Jun 10, 2010 01:46 GMT+2 (http://seclists.org/fulldisclosure/2010/Jun/205)

So in fact, it's less than 05 days and, due to the weekends, the Microsoft guys actually only had about 3 working business days to fix and release the patch. I leave the question of whether a big company like MS can possibly do that to the readers.

Fact 2. Tavis practiced neither Full Disclosure nor Responsible Disclosure
* Full Disclosure: he would have sent out the advisory immediately to the community instead of informing Microsoft and waiting for 05 days
* Responsible Disclosure: he should have given the Microsoft guys at least enough time to fix, test and release the patch. I could see that a Microsoft security guy acknowledged the bug and said they would work on it just a few hours after receiving it. (http://twitter.com/dustin_childs/status/15512183488)

Fact 3. His workaround in the advisory did not work, which left all the users vulnerable to his 0day, with no workaround and no patch from Microsoft.

Fact 4. Tavis is a well-known Google security guy (he's even #1 in eWeek's 15 most influential people in security today: http://www.eweek.com/c/a/Security/The-15-Most-Influential-People-in-Security-Today/1/)

Fact 5. Google (like many other big companies) does have a Code of Conduct for all employees. You need to follow it while you're still working for Google (http://investor.google.com/corporate/code-of-conduct.html). There are many interesting things inside the CoC which you may want to read; I just quote one part which is directly relevant to this case

<quote>
III. Avoid Conflicts of Interest
In working at Google, we have an obligation to always do what's
best for the company and our users. When you are in a situation
where competing loyalties could cause you to pursue a personal
benefit for you or your friends or family at the expense of Google
or our users, you may be subject to a conflict of interest. All of
us should avoid circumstances that present even the appearance of
such a conflict.

When faced with a potential conflict of interest, ask yourself:

   * Would this relationship or situation embarrass me or Google if
it showed up on the front page of a newspaper or the top of a blog?
   * Am I reluctant to disclose the relationship or situation to my
manager, Legal or Ethics & Compliance?
   * Could the potential relationship or situation create an
incentive for me, or be perceived by others to create an incentive
for me, to benefit myself, my friends or family or an associated
business, at the expense of Google?

If the answer to any of these questions is 'yes,' the relationship
or situation is likely to create a conflict of interest, and you
should avoid it.
</quote>

Question: did Taviso violate Google's Code of Conduct?

Fact 6. Google does have its Philosophy on many things. And the Google Philosophy for Security strongly states the importance of "Responsible disclosure" (http://www.google.com/corporate/security.html).

<quote>
Responsible disclosure is important to the ecology of the Internet.
It allows companies like Google to better protect our users by
fixing vulnerabilities and resolving security concerns before they
are brought to the attention of the bad guys. We strongly encourage
anyone who is interested in researching and reporting security
issues to observe the simple courtesies and protocols of
responsible disclosure. Our Security team follows the same
procedure when we discover and report security vulnerabilities to
other companies.
</quote>

Did you see this: "Our Security team follows the same procedure when we discover and report security vulnerabilities to other companies."?
-------------------------------------------------------------

Ok. I'm done with facts; now some more debatable questions and some relevant funny facts

a. Did Taviso find that bug using Google tools?
From his blog http://my.opera.com/taviso/blog/2008/08/16/update/ two years ago, he did mention that he found an IE bug and a number of other Windows bugs by using a few tools he developed at work.

<quote>
Some security news, I'm not usually involved with windows security,
but recently did some experimentation with a few tools I've
developed or contributed to at work, and tried making them apply to
windows software. I actually found several serious vulnerabilities
in Internet Explorer using this method, and the first one was just
recently released here (more to come):
</quote>

b. Did Google security guys discuss / play with this bug at work?
Tavis did mention he got help from some of the Google security guys in his advisory

<quote>
Special thanks to lcamtuf for his assistance with the deferred
execution problem.
...
Without access to extremely smart colleagues, I would likely have
given up, leaving you vulnerable to attack from those who just want
root on your network and do not care about disclosure policies.
</quote>

c. Did Google know about the bugs in advance and know that Taviso was going to release it personally without following its Google Security Philosophy and Code of Conduct?

d. Now the fun thing is that actually Microsoft did report bugs in Google Chrome to Google following Responsible Disclosure (http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html)

<quote>
Credit: Thanks to Billy Rios and Microsoft Vulnerability Research
(MSVR) and also to Lostmon for finding and reporting this
vulnerability responsibly.
</quote>


Cheers,

--Anonymous


On Fri, Jun 18, 2010 at 6:01 AM, Brad Spengler <spender () grsecurity net> wrote:
By now, most on this list and elsewhere have read from various news sources the "controversy" regarding Tavis Ormandy's recent full-disclosure of a vulnerability in older versions of Microsoft Windows. The advisory was posted here:
http://seclists.org/fulldisclosure/2010/Jun/205
from Tavis' personal email account on his own personal time, and as mentioned in his advisory, represented no agency or person but himself.

It was disgusting to see not only the resulting press but also the
response (or more accurately, the lack thereof) from the security
community (if such a thing exists anymore).

So since most researchers in the security community have had their spines and sense of justice/fairness contractually removed by their respective employers, I'd like to comment on some of these topics. The purpose of my mail is to call out (by name) the individuals, "journalists", and companies that manufactured the controversy for their own benefit.

The only thing Tavis did wrong was assume his readership understood the details of his situation as well as he did. The clarity regarding what happened during the five days between private and public disclosure wasn't there, leading to rampant speculation and inaccuracies that continued even after Tavis corrected them. How many vulnerabilities Tavis has "responsibly" reported to Microsoft isn't known by most because such reports aren't often newsworthy.

The only carrot-on-a-stick Microsoft used to be able to offer to independent researchers was recognition within their advisories. I don't find this to be any significant motivator at all. Red Hat has the same policy as well, but unfortunately for the vendors that adopt this policy it doesn't affect public recognition. Though Microsoft won't acknowledge the author of a vulnerability that is not "responsibly disclosed", everyone else will. Not that any kind of recognition is particularly important for some -- using one's own name can just be due to a disinterest in the usefulness of submitting a report from an alias with an anonymous email address.

The upsetting trend (which I imagine has been keeping security companies playing along with Microsoft's silly game) is for Microsoft to call into question the ethics of the reporter, and even if that reporter was acting independently, tying that question of ethics to the reporter's employer. This wasn't some flippant reaction by a random MSRC employee; the Director of MSRC, Mike Reavey, mentioned Tavis' employer three times in his blog regarding the vulnerability:
http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx
It was an intentional (and successful) attempt at framing the discussion that was repeated endlessly by the media.

Speaking of framing discussions, we need to reject the legitimacy of the phrase "responsible disclosure." It's a loaded term that by itself implies that any other kind of disclosure is irresponsible. Such a claim couldn't be farther from the truth. "Responsible disclosure" is an invention of the vendors to reduce public embarrassment and allow them to sit on the bugs for as long as they feel like, as long as they keep coming up with excuses. Researchers wanted a deadline to prevent exactly that situation (as Tavis requested for his vulnerability), but it seems that more and more, any kind of public disclosure is regarded as irresponsible, even if a vendor says they won't fix it in two months.

http://www.zerodayinitiative.com/advisories/upcoming/
shows how well that "responsible" disclosure is working out:
ZDI-CAN-357      Microsoft      High    2008-06-25, 720 days ago
ZDI-CAN-527      Microsoft      High    2009-07-14, 336 days ago
ZDI-CAN-533      Microsoft      High    2009-07-23, 327 days ago
ZDI-CAN-543      Microsoft      High    2009-08-06, 313 days ago
ZDI-CAN-599      Microsoft      High    2009-10-20, 239 days ago
What's responsible about letting a vendor sit on a serious vulnerability for almost two years?

I can't think of a catchier phrase to describe what's going on here ("Damage Control Disclosure" perhaps? maybe someone else can think of something more clever), but it's effectively: "Give us the vulnerability for free, argue with us in phone conferences about its importance and exploitability, then let us sit on it for as long as we want, providing excuse x, y, and z if necessary to delay a fix. In return, we will give you a gold star and not actively attempt to create a controversy in order to have you fired from your job or sink your company, so that we can retain our image. At least, as long as you keep playing by these rules -- don't think about trying to actually enforce any deadlines on that most important vulnerability out of the 20 total you reported." It's clear why this is so attractive to the industry!

It's also curious how much complaining is done when Microsoft/Adobe/etc don't fix a vulnerability overnight when an exploit for it gets reported as being found in the wild, yet many of the same people are now complaining that Microsoft wasn't given 60 days that they won't need to produce a patch -- talk about double standards. Will we now see a patch within 60 days that was previously impossible?

On to an analysis of the coverage by "journalists." I'm not quite sure why there's a need for so many of them, when they all have about the same level of understanding and repeat the same misinformation from the same sources. I was interested in my analysis of how many times Tavis' employer was mentioned in the article, who the references were for the article, and whether the information provided by said references was Glenn Beck-style inventions of the imagination (dramatization: "well yes, he claimed he was acting alone, but he mentions at least one other person in his greets section who also has the same employer! Now, I know nothing about this person, but based on this alone...don't you find it interesting? I'm just the one asking questions here!")

Here's my summary with links:
http://threatpost.com/en_us/blogs/does-google-have-double-standard-full-disclosure-061010
http://ha.ckers.org/blog/20100610/windows-help-centre-vuln/
(Robert Hansen)
References: his own massive brain
Number of times employer mentioned: 14


http://www.computerworld.com/s/article/9178084/Hackers_exploit_Windows_XP_zero_day_Microsoft_confirms
(Gregg Keizer)
Number of times employer mentioned: 3
References: Graham Cluley, Andrew Storms
Glenn Beck impersonation from: Graham Cluley


http://www.computerworld.com/s/article/9177966/Microsoft_confirms_critical_Windows_XP_bug
(Gregg Keizer)
Number of times employer mentioned: 7
References: Robert Hansen/"RSnake", Andrew Storms
Glenn Beck impersonation from: Robert Hansen/"RSnake"


http://www.computerworld.com/s/article/9177948/Google_researcher_gives_Microsoft_5_days_to_fix_XP_zero_day_bug
(Gregg Keizer)
Number of times employer mentioned: 16
References: Robert Hansen/"RSnake", Andrew Storms, Secunia, VUPEN Security
Glenn Beck impersonations from: Robert Hansen/"RSnake", Andrew Storms

http://threatpost.com/en_us/blogs/week-security-full-disclosure-rabbit-hole-re-opens-061110
(Dennis Fisher)
Number of times employer mentioned: 13
References: Robert Hansen/"RSnake", Dino Dai Zovi
Glenn Beck impersonation by: Robert Hansen/"RSnake"
(Dino was one of only three people I found who were quoted in support)

http://threatpost.com/en_us/blogs/attackers-exploiting-windows-help-center-flaw-061510
(Dennis Fisher)
Number of times employer mentioned: 1
References: Graham Cluley

http://www.theregister.co.uk/2010/06/11/google_microsoft_zeroday/
(John Oates)
Has subtitle of: "Impatient engineer called, but you were out, you f**ker"
Classy!
Number of times employer mentioned: 3
References: random full-disclosure poster Susan Bradley; makes reference to "other observers" (Hansen, Storms), further perpetuating made-up scenario

http://www.zdnet.com/blog/security/googler-releases-windows-zero-day-exploit-microsoft-unimpressed/6659
(Ryan Naraine)
Number of times employer mentioned: 5
References: links to article by Robert Hansen/"RSnake" for a discussion of "ethics"

http://news.cnet.com/8301-27080_3-20007421-245.html
(Elinor Mills)
Number of times employer mentioned: 17
References: Robert Hansen/"RSnake", Andrew Storms, HDM, fyodor
Glenn Beck impersonations by: Robert Hansen/"RSnake", Andrew Storms
(HDM and fyodor were the only other two found quoted in support, though fyodor's not marked as explicit)

http://krebsonsecurity.com/2010/06/unpatched-windows-xp-flaw-being-exploited/
(Brian Krebs)
Number of times employer mentioned: 1
References: links to Donato Ferrante's blog, the actual technical content that Graham Cluley editorialized and sensationalized

http://krebsonsecurity.com/2010/06/security-alert-for-windows-xp-users/
(Brian Krebs)
Number of times employer mentioned: 3


http://www.theregister.co.uk/2010/06/15/windows_help_bug_exploited/
(Dan Goodin)
Number of times employer mentioned: 0
References: links to Donato Ferrante's blog, the actual technical content that Graham Cluley editorialized and sensationalized

http://www.theregister.co.uk/2010/06/10/windows_help_bug/
(Dan Goodin)
Number of times employer mentioned: 0
References: HDM
(HDM was one of three in support, but is only quoted for technical relevance here)

Dan Goodin seems to be the only journalist in the group. I've even removed the quotes because he actually did his job! Brian Krebs would be a close second: he stuck to the technical content, though still mentioned Tavis' employer several times (and the comments below his articles (perhaps as a result) mirror that association). As for the rest, they latched onto the manufactured controversy, copy+pasting gems from Hansen, Storms, and Cluley among each other. You all fail, especially John Oates -- you seriously call that reporting?

As a comparison, observe what was reported when Tavis let Microsoft sit on the vm86 vulnerability for 7 months without a fix:

http://www.computerworld.com/s/article/9146820/Microsoft_confirms_17_year_old_Windows_bug
Moral here is: if you let the vendor sit on a 17 year old vulnerability for 7 months and then go public when there's no fix yet, you get thanked, but if you determine 5 days after responsibly reporting to the vendor that a fix isn't coming any time soon and then go public, Microsoft wants you to shut up, or else.

A recent quote from Wikileaks' twitter account seems apropos here, though I would even extend the scope beyond journalists in this case:
"Bad journalists assume people are motivated by revenge or fame -- because that is what bad journalists are motivated by."

With this in mind, let's take a closer look at the three people constantly quoted who helped create a controversy out of thin air. Since they apparently have no sense of decency themselves and had no problem maligning Tavis just for some media attention, I'm sure they won't mind having their names and their company names reproduced below.

Graham Cluley, self-described "computer security expert"
Senior Technology Consultant for Sophos
Blog post located at:
http://www.sophos.com/blogs/gc/g/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/
Note the coincidentally inflammatory URL.
I'm commenting on almost every area of the post, so I won't include it inline here. He starts off by associating Tavis with his employer, repeating the already false claim that Tavis only gave Microsoft 5 days to come up with a patch (he's able to make multiple updates to the blog but conveniently doesn't fix this central inaccuracy). He calls Tavis irresponsible, then mentions that luckily for the reader, Sophos (his company's product) will protect you against the one website they found exploiting the vulnerability, which they won't mention.

Cluley could use a clue about the definition of "proactive" though -- he claims Sophos "proactively detects the page as Sus/HcpExpl-A", the link showing the protection being available since June 14th, 4 days after Tavis' advisory. It seems like a "reactive" detection of a vulnerability that existed for 9 years which was only possible 4 days after the fact, entirely due to Tavis' advisory. Antivirus is a joke in itself, but that's a completely different topic.

A Slashdot commenter wrote the following about Graham Cluley:
"There are a lot of "go-to" commentators that the press goes to for supposed insights about security. Graham is one of them. He's a smart guy, but also one of the worst carnival-barkers in the industry; always chasing stories. Here are a few classics:

   * On Bluetooth phone viruses, [crn.com] apparently the next big thing in malware (2004): "If you don't know about bluejacking these messages can be quite a shock" (2004)
   * On the groundswell of Mac malware: [techtree.com] "This means two real viruses have emerged for the Mac OS X platform in less than a week. The question on everyone's lips is - when will we see the next one, and will it have a more malicious payload?" (2006)
   * On "naming and shaming" [sophos.com] (his words) countries from whose IP address space spam appears to emanate: "A new dirty 'gang of four' - South Korea, Brazil, India and their ringleader USA - account for over 30% of all the spam relayed by hacked computers around the globe." (2010)

 It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying."

http://www.sophos.com/pressoffice/news/articles/2010/04/dirty-dozen.html
http://www.techtree.com/techtree/jsp/article.jsp?article_id=71444&cat_id=582
http://www.crn.com/security/56200605

Next we have Andrew Storms, Director of Security Operations at nCircle Security. He had this to say:
 "That's impossible, argued Andrew Storms, director of security operations at nCircle Security. "[As a security researcher] you can't really separate your work from your employer. So you have to wonder if [Ormandy] isn't intentionally feeding the feud between Google and Microsoft."

 Like Hansen, Storms questioned Ormandy's decision to reveal his findings just five days after he reported the vulnerability to Microsoft. "You can't say in this case that the vendor was sitting on their hands, not being responsive, which is why researchers usually go public, to force [a vendor's] hand.

 "This is no better than not reporting it to Microsoft," concluded Storms."

Storms' other activities for the press include discussion of recently reported vulnerabilities that he doesn't understand but will say something generic like "the one in Internet Explorer is the most important" just to get his nCircle Security's name in the news. In his quotes used by the various "journalists" he advances the idea that Tavis' disclosure of the vulnerability is some conspiratorial fueling of a feud between Tavis' employer and Microsoft, despite the fact that the only people associating it with Tavis' employer are commentators like Storms.

Finally we have the turd wrapped up in an enigma that is Robert Hansen/"RSnake", CEO of SecTheory
Reading his post:
http://threatpost.com/en_us/blogs/does-google-have-double-standard-full-disclosure-061010
http://ha.ckers.org/blog/20100610/windows-help-centre-vuln/
it's clear that he has an axe to grind with Tavis' employer. He creates the false, repeated claim that Tavis only gave Microsoft 5 days to create a fix (not only that, he assigns this fault to Tavis' employer, not Tavis himself). He then, again falsely, claims that Tavis wasn't doing this in his own time, simply because some other individuals with the same employer appear in his greets section. Maybe they don't teach this in clickjacking training, an extensive 5 week course, but "greets" is short for "greetings" -- I've been mentioned in the list before, but it didn't mean I had anything to do with the vulnerability discovery or released exploit. Not to mention that there's nothing wrong with two employees of the same company collaborating on projects (or in this case, specific smaller aspects of a larger project) outside of work -- being friends with others in the community, many of whom work for the same large companies, is nothing unusual.
"RSnake" then complains about the hostname Tavis chose to use for links in his advisory. Finally, after an entire article focusing on Tavis' motives and ethics, he ends it with "I don't mean to say anything bad about Tavis" -- he means it so much he made a blog post trashing him, reposted to another site, and repeated the same lies to any reporter that would listen to him. Towards the end of his comments on his ha.ckers.org blog, before locking it from additional comments because people didn't agree with him, he states: "I'm over it." After calling for one of the most well-known and respected researchers to be fired and repeating those comments to reporters, I'm glad you had the empathy to finally conclude that everything is ok now and that you're over it, because surely Tavis hasn't been affected at all by your reckless, idiotic statements. You stay classy out there, scumbag.

Some final comments:

Microsoft should strongly reconsider their actions. If this were any other security researcher, how likely would that researcher be to cooperate in a "responsible" fashion in the future, for free? How likely would they be to sit in on phone conferences trying to convince Microsoft that a vulnerability is exploitable and important? How likely instead, now being treated as some kind of outlaw instead of a person for whom security is genuinely important, would they be to profit off their finding obtained in their own time? Does Microsoft believe they're improving security if these vulnerabilities are instead sold to the highest domestic/foreign bidder? Or is it only the appearance of security they're interested in? Don't bite the hand that feeds you -- any alternative action by a researcher due to chilling effects is worse for security than what Microsoft is scolding Tavis for. Punishing Tavis plays into the interests of the anti-sec crowd who want him humiliated to the point that he quits killing bugs so that the bugs can continue to be exploited in private.

Is Tavis unethical because his personal views on vulnerability disclosure that he practices in his own time differ from those of his employer? As a reminder of this foolish argument from authority, said employer is the same one that we recently discovered thought it was perfectly ethical to secretly and purposefully sniff WiFi traffic in countries all over the world. Is anyone seriously questioning that Tavis has ulterior motives, given that he spends much of his free time finding vulnerabilities and reporting them to vendors for free? Anyone who knows Tavis knows his ethics and integrity are beyond reproach; libel seems to be reserved for the others.

Locke, via Leibniz in "New Essays on Human Understanding" said, "boldness is the power to speak or do what we intend, before others, without being intimidated."
It takes a bold, ethical person like Tavis to do what he did. He should be supported and defended by the community, not allowed to be ostracized and raked over the coals in the press by attention-seeking CEOs with an axe to grind.

TL;DR: If we don't collectively stick up for Tavis, we're all hurting our ability to perform our jobs objectively in the future, slaves to the multi-billion dollar corporations taking our free work and creating the illusion that we have any responsibility to feed into their damage control systems.

tags: horrible security company corporate shills bandwagon responsible disclosure useless analysis microsoft vulnerabilities snake oil salesmen cargo cult rsnake is a fool everything i needed to know about clickjacking i learned in elementary school cluley clueless those who can do those who can't are named andrew storms and write blog entries about mundane topics rsnakeoil secconspiracy ncirclejerk
ItUk-5FI0Ek
<part where I drop the microphone>
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

