Vulnerability Development mailing list archives

sshd exploit & $1,000 whine


From: anonpdox () hushmail com
Date: Sun, 21 Oct 2001 20:38:30 -0700


-----BEGIN PGP SIGNED MESSAGE-----

Inhale.

 Moderators: Pass if you will. I think this seriously impacts the whole
 industry.


Vuln-dev isn't really my turf, and I can think of better things
to do on a Friday night, but I feel a strong urge to respond to
this post. I've spent nearly a year thinking about the whole
full disclosure vs. anti-disclosure thing. I've considered
different viewpoints, was once a supporter of full disclosure
myself, etc. I'll share what I've learned in all that time,
if only to shed some light on what I consider most exploit
developers would be feeling when they read that thread.

As I am quite fond of saying, failure to grasp the difference
between the security community and the underground community*
is where most of the confusion regarding these issues stems
from. You can't understand what's going on by applying the
perspective of one community to the events and people of the
other.

You say it affects the "whole industry." I assume you mean
the commercial security industry, because the vast majority
of Net users aren't affected if exploits aren't disclosed
(exploits, not vulnerability information -- pointless to
argue the latter here). Nor is the underground community.
Which raises the question: why were you seeking the exploit
in the first place?

* When I speak of the underground, it's with the exclusion
of the so-called "script kids." I am referring to those
individuals known to dedicate countless hours of their lives to
vulnerability research and exploit coding. Some may consider
themselves part of the security community, but it's been
my experience that most of the exploit coders identify with
the underground community, perhaps tacitly.


 This email was written after I contacted a prominent "exploit collector" and
 asked for the new SSH exploit. He asked me "how much are you willing to pay, I
 selling 'sploits now". I said "You wanna WHAAT?". Afterwards I thought about

Assuming you were speaking to the actual author of the exploit, and
that he wasn't merely being a smartass, what's wrong with demanding
payment for said exploit? The security industry sells penetration tests
using the work of exploit coders on a daily basis. Why should the developer
of the exploit, who's probably gone to the most excruciating lengths to
research/discover the vulnerability and create a well-functioning exploit,
contribute to an industry that uses circular logic to generate hype
and fear in the public (for increasing market gain).

The only regret I have in someone not disclosing vuln info is the open
source developers not getting the support they deserve. But there
you go: the commercial security industry ruins it for the rest of
the world.

Full disclosure of vulnerability information fixes security holes.
Fair enough. I won't bother arguing that. What exactly does the release of
exploits accomplish though?

Security $$ Penetrator: You're vulnerable to XXX
Client: I don't believe you!
Security $$ Penetrator: Ok, here's my proof of concept
Security $$ Penetrator: See?
Client: Oh! We better patch. Here's your payment.

Give me a fscking break. Not even the worst of people are that
thick. I think what really happens is that script kids are
armed, and this gives security professionals many case
studies to choose from and threats to identify in their
risk assessments. And some guy wanting money for an
exploit is evil. Yah ok.

 it, and here are some comments/predictions as to what is happening in the
 industry.

 At present a vulnerability is usually disclosed in the following way:

 * L33t Hacker finds problem in vendor ABC's product
 * L33t Hacker writes to ABC

Partly correct, but no hacker I know writes to ABC. Your use of 'L33t' makes
me feel queasy, btw. Considering that these people have fed the security
industry for so many years, I think they deserve a less intimidating title.

 * ABC takes some time, builds a patch, writes an advisory and gives credit to L33t
 Hacker

Wow. Maybe they should start handing out stickers too!

 * ABC releases advisory to bugtraq, SF, packetstorm etc.
 * Security firm 123 implements patches for brain dead clients.

How about L33t Security firm?

I thought they just ./penetrate from a command line and send their clients
the patch developed by the vendor. I hear the more sophisticated penetrators
use tools with funky GUIs and essentially point-and-click their way into
fortune.

Security professionals don't need exploits. They can construct policies,
craft firewall rulesets, advise on best practice, etc. The obvious
counter-argument to this is that signature-based IDS developers need
exploits to "analyse." How true is this? Think about signatures that
are triggered on peculiarities specific to exploitation rather than
the exploits themselves. If an IDS developer can't separate the
exploitation indicator from the exploit, the product is basically
worthless.

If the sshd exploit in question is the one for the sshd vulnerability
published by Bindview months ago, the information is there already and
patches/upgrades are plenty. You don't need the exploit. Bugtraq
doesn't need the exploit. Unless, of course, you really need to
keep the script kids alive and food on the penetrators' tables.

Then again, we all know how considerate Bugtraq is of the private
work of another. Case in point: telnetd vulnerability. The researchers
provided all the vulnerability information to Bugtraq, but their
exploit for the vulnerability was copyrighted and said it wasn't
to be distributed on Bugtraq. There was ABSOLUTELY NO REASON why it
had to be. Even if the copyright notice wouldn't hold out in
a court of law, COMMON COURTESY states that it should have been
respected. All you did was stop the future publication of
vulnerability information by many talented people.


 * L4t3 Hacker writes exploit for problem
 * Exploit is seen on hack.co.za, packetstorm etc.
 * Assessment/Pen-test firm 456 test for the problem.

 Obviously things do not always go this way. L33t Hacker might write an
 exploit from the start. Exploit writers are usually after fame, wanting to see
 their names in lights on a MS advisory. In the above mentioned process the one

Funny. Most exploit writers today have learned their lesson from disclosing
in the past and are now working on ways to protect their work from falling
into the wrong hands -- not just the "script kids," but the clueless security
gluttons who exercise as much skill as the script kids they forever bang on
about in their media interviews.

Current work involves developing ways to encrypt exploit binaries. One of
the best sshd exploits that leaked is password-protected. What you
and the Newsbytes journalists don't realize is that this was written by a
skilled coder MONTHS ago.


 people/firms that make money from the bug are Security Firms 123 and 456. The
 L33t Hacker gets fame, not fortune. Hacker L4t3 also gets some fame - in some
 cases even more than L33t.

 Then someday, Hacker L33t and L4t3 decide that they are not in it for fame,
 but for money. So, they open a security firm (many examples e.g. L0pht, Max
 Vision, RFP, many more). The problem now is keeping the exploits flowing while

RFP? False. He is an advocate of full disclosure, for whatever reason.
His advisories aren't plastered with company logos and whatnot. As far as
I know, he works in the computer industry (so?) and maintains computer
security as a hobby. And even if he is/were paid as a penetrator, he's
a far stretch in skill and ability from all the clueless monkeys who run
nmap and exploits without any respect for the developers themselves.

Max Vision sells penetration tests (or did), but gave something back
by maintaining that snort attack signature database.

L0pht is the classic epitome of sell-outs. The website now redirects
to the @stake website (maybe you can still buy t-shirts somewhere)
and HNN was slaughtered (not that I care) when @stake bought the crew.
Not relevant here anyway, since @stake only pumps out care-factor-zero,
last-drop-in-the-sponge crap like PalmOs vulns...

 having to write reports, sit in meetings, wear a tie, doing budgets, and
 speaking to brain dead clients. So, in many cases, it does not work out.
 Hackers usually don't have a lot of patience with brain dead clients, hate
 writing reports, and can't even balance their own budgets. They see that they
 only spend 10% of their time writing 0-day exploits...while that was
 the reason they signed up. Ask any "ethical hacker" - it's tricky making money
 and keeping the brain occupied.

 So, while Security Company 123, 456 and 789 are making money, hackers L33t and
 L4t3 are unemployed and frustrated by the fact that others are reaping the
 rewards of their 0-day exploits that took 3 months to code. These two contact
 Hackers r3L4t3 and r3l3a5h and they form the "cyber underground association",
 and they sell 0-day exploits. They start off by selling exploits directly to the

I'm having a hard time trying to understand your leet speak and
its purpose here. Out of curiosity, did you type like that when
you asked the exploit coder for his exploit? He'd have seen you coming
from a mile away. It's not the leet speak itself that's annoying; it's the
fact certain excitable people seem to think it's funny or portrays
the underground as a bunch of immature e-punks. Not a good way to bite
the hand that feeds you. The fact you even had to ask for the sshd
exploit tells us a lot about you.

Is it so hard to grasp the concept that there are people out there who
don't give a shit about making a profit (fame OR fortune)? Most of the exploit
coders who release soon learn their lesson and then resolve by trying as
best they can to keep their code in the hands of close friends only.

Yes, readers, there are people in this world who have humbled themselves
and remain unblemished by desires for artificial and, at best, transitory
recognition. Most people posting to Bugtraq seek profit at worst, or
academic fame at best (i.e. showing off).

Yes, readers, there are vulnerabilities floating around beneath the
public surface that would send Bugtraq and its kin on a frenzy if
discovered. Brings new meaning to having the latest software
releases and such -- it's likely you can still get owned with
a hole you've never heard about. Maybe if computer security weren't
so commercialized, the discoverers of these holes would share
their findings with the "community." Anyway, who wants an Internet
that is bolted down and under the patrol of the government? This
is the unseen ancillary path of full disclosure.


 client and it goes like this:

 * CUA finds a problem in vendor ABC's product
 * CUA codes the exploit
 * CUA lets the word spread that they are selling it
 * 10 script kiddies buy the exploit at $100
 * Script kiddie l0s3r puts it on his website
 * Security firm 123 and vendor ABC get it, build patch (and the usual)
 * Script kiddie l0s3r's site gets DDOS-ed by CUA

 CUA made $1000 from the exploit. Security firm 123 made $25 000 from it. Some
 networks are compromised by the kids, security firms/vendors take the heat; an
 assessment was done on the network a week ago and it was certified as "safe".
 The whole IT security industry takes a knock. Everyone loses. CUA gets together,


Who cares if the security industry takes a knock? Less laundering in the
world and the public would likely be better off.


 have a meeting, decides on new strategy. It goes like this:

 * CUA finds a problem in vendor ABC's product (no guessing who ABC is)
 * CUA codes the exploit
 * CUA contacts "Exploit dealer @m1c$" - a well connected person in script kiddie
 country.
 * @m1c$ sells the exploit only to selected few - at $500 a pop. He sells 10
 copies.
 * @m1c$ makes $2500, CUA makes $2500.
 * One of that selected few was in fact working for Security firm 456.
 * Knowing that CUA is killing the trade, and wanting the fame, 456 employee
 rebrands the exploit to say 456-inc. and sends it off to Bugtraq (or puts it on
 their webpage)
 * Everyone gets the code on SF
 * 456-inc. gets DDOS-ed.

 The other 9 selected few are typically people that will spend $500 on an
 exploit, knowing that they can compromise a network that has $5000 worth of
 credit cards or the likes. They are thus your black hat dudes - the criminal
 type. The industry takes a knock - again, and in a bigger way. Security firm
 123 and 789, not willing to pay for the code are booted out of several
 contracts, as their client's networks were compromised.

 CUA has another meeting. Somehow they are not seeing the $10000s that they
 expected. They make a new plan - bigger and better than before. They will
 bypass the dealer and only sell to people they know. It goes like this:

 * CUA finds yet another bug in ABC's software, codes exploit
 * CUA sells exploit to 25 selected people at $1000 a pop.
 * Exploit is actually sold to many foreign agencies and a few terrorists
 * Exploit is also sold to n0h@ck, an undercover FBI agent.
 * CUA is taken to court and convicted under the 2002 Terrorist Bill thingy
 * End of CUA
 * Oh and the FBI gets DDOS-ed

 Think about it for a while. At $1000 an exploit, who are you going to attract?
 People that will pay that amount of money must surely be in a situation that
 will make it worth their while. Dealing with these people will be dangerous for
 sure.


You sure have put a lot of thought into this matter...


 Non-disclosure will spark paying for exploits. Paying for exploits would be the
 same as paying for arms. Paying for exploits would make them illegal in no
 time. It would very much hurt the industry - the whole security industry - from
 the software vendor to the security vendor to the "ethical hackers", and all

It won't hurt the hard workers who actually find 90% of the "big" vulnerabilities,
write an exploit, and keep the exploit in the hands of a trusted few. It won't
hurt the masses who suffer the fatal consequences of this exploit in the hands
of swarms of script kids. "Ethical hackers" ? What the hell is an ethical
hacker? Those half-assed "ethics" articles sure do poison the mind! In
fact, they're one of the main causes of the slave mindset that 95% of the
underground has which causes it to work with the security industry, without
payment, in the name of noble duty! Also a reason why many so-called
hackers don't hack -- go figure...

While people are building lexicons to make sense of the silly lingo,
debating pointless "hacker vs. cracker" or "whitehat vs. blackhat" nonsense,
there are people out there who turn a blind eye to all of this and just do
their own thing, striving to reach their technical goals. These are the
people who actually write the exploits and they couldn't care less if the
security industry, in all its shame and fraudulent philanthropy, was blown
back into the Stone Age.

 the way, the client/end user or firm will be taking the fall. Even the exploit

The end users are already taking the fall, but I won't elaborate further
on that -- not here.

 writers will have a hard time. They are never going to make real money from
 their "product", will live in fear for their customers, and will take constant
 heat from their law enforcement agencies. A bigger challenge is to write the
 code AND make money in an honest way, AND keeping sane in the process, and I
 believe it can be done. The more underground the industry goes, the more heat

You seem to think the security industry and exploit writers belong to one
big community. Such is not true. The security industry won't go underground.
People happily write exploits without making money. Trust me. And the
ones who write exploits to make money deserve the money, whether they
work for a security company or demand money from security professionals
(and is there really a difference?).

Again, the underground community is not the security industry, and never was.
I find it amazing how many people have not realized this by now.

Maybe you won't be so shocked next time someone requests money for
an exploit. After all, you only use it to make money, no?

 it will take from government and law enforcement. The more open the industry
 is, the more transparent it is, the more acceptable it would become. And now I
 hear people saying - full disclosure is the reason behind script kiddies, the
 reason behind worms that cost us millions. Well, let's quickly think about just
 that.

[snip]

Exploit developers are now onto the fact that the security industry has
raped them over the years. Concerted efforts are being taken, both technical
and legal, to finally put a stop to the abuse of private research that has
been exhibited by the security industry in the past.

Enjoy the current situation. It won't last...


 Regards,
 Roelof.

 ------------------------------------------------------
 Roelof W Temmingh SensePost IT security
 roelof () sensepost com +27 83 448 6996
 http://www.sensepost.com http://www.hackrack.com


- --
Anonymous Paradox <anonpdox () hushmail com>
Sewer Maintenance Specialist - SMS+ / TWIT
http://www.oneworldorder.org


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.0

wl0EARECAB0FAjvTlUEWHGFub25wZG94QGh1c2htYWlsLmNvbQAKCRAIQJiskx91ZlXs
AJ9trlzGUJoBYGbr7Fj9U7CSwejt7QCgpAl1kvceWTMKVGiPgOMe6Aadlrk=
=bv3b
-----END PGP SIGNATURE-----

