Information Security News mailing list archives

Researcher for whom exploit code means freedom of speech


From: InfoSec News <isn () c4i org>
Date: Fri, 16 Jan 2004 08:04:07 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://www.smh.com.au/articles/2004/01/14/1073877889610.html

By Sam Varghese
January 15, 2004

Georgi Guninski is a man who is respected on vulnerability mailing
lists. The Bulgarian security expert - and this is one instance when
the word can be safely used - has spread himself wide when it comes to
security but all of his vulnerability posts merit attention.

From kernel bugs to browser holes, Guninski has found them all. His
advisories are terse and to the point but cause a predictable degree
of consternation when they are put out. His own favourite discovery is
a race condition in the OpenBSD kernel.

While many formerly independent researchers are slowly going over to
the corporates, and in the process losing their ability to freely
reveal details about flaws in proprietary software, Guninski has kept
the faith. Indeed, his advice to other researchers is precisely that:  
"Keep the faith."

He is passionate about full disclosure and the posting of exploit
code; he feels this is often the only way to get software vendors to
patch buggy programs.

There is logic behind his rationale - according to him, some vendors
wait six months before issuing a patch when a flaw is reported to
them; on the other hand, in one case when an exploit was released in
the wild (without the bug which it was exploiting being reported to
the vendor), and military computers got broken into, the same vendor
issued a patch in double quick time.

Guninski is often accused of being a publicity seeker but dismisses
such talk by saying that it is merely put out by companies "and their
puppies" who do not like him. To his credit, he does not favour this
side or that - his own site has a long list of the vulnerabilities
he's found and be it in open source or proprietary software, he sticks
to his principles of disclosing things in full.

To those who try to offer the excuse that software will always be
buggy, Guninski has one piece of advice - go and get a job at
McDonald's.

He was interviewed by email.

How did you come to be interested in computer security? Was it in the
family or were you one of those little nerdy boys who's always dying
to find out how things work?

Not the family. I have always had an unexplainable passion for
computers. And I am more interested to find how things don't work or
work in "strange" ways than to find out how just things work ;).


How is Bulgaria in terms of technology, compared to countries in the
west?

There are talented people in Bulgaria, but the country is poor and
people migrate.


What led to your first IT job?

Karma. See below.


From your CV, it looks like you are mostly a self-taught researcher.  
Is this right or was there some guru who guided you?

No one guided me. Sure, I have learned a lot from the internet. One of
my favorite quotes is: "Education is an admirable thing. But it is well
to remember from time to time that nothing that is worth knowing can
be taught. - Oscar Wilde"


How come you didn't take up a career in finance or turn to teaching
after studying international economic relations?

I have always been interested in computers, never been really
interested in business or finance. Here is a joke quote from Terry
Pratchett with some truth in it (translated from Bulgarian, don't
remember the exact book). "From conversation between two witches -
'You don't choose your profession, the profession chooses you'."


What was the first major vulnerability you discovered?

An AIX (Unix operating system by IBM) buffer overflow.


How long was it before you gained acceptance within the security
community?

I can't answer this question, the community should answer.


Many people in the security industry accuse you of being a publicity
seeker. What's your response?

This is false. I have not profited from publicity and I haven't sought
publicity for a long time. Buggy software is out there and killing the
messenger does not help anyone. Truth is, some companies and their
puppies do not like me and they use false arguments to discredit me.
I will enjoy posting from (an) anonymous account as much as I do now
and if the time comes I'll do it.


What is your stand on the release of exploit code on mailing lists?

Exploit code should be released if the author wants. I consider
exploit code "freedom of speech". There are some trends to try to stop
publishing exploit code - I am disturbed by these trends to try to
steal rights from the citizens. Exploit code is not the problem. The
problem is buggy software. And I am not buying the "writing software
is difficult, software will always be buggy" argument - those who
think they cannot write good software better get a job at McDonald's.


What do you think is a reasonable period for a researcher to give a
company before releasing details of an exploit?

This is up to the researcher. He decides. The exploit is his property,
so he can do whatever he wants. It also depends on whom it is reported to.


You say that you prefer to work in open source projects? Why?

I just like open source. And I am selective about who profits from my
skills.


What do you consider your favourite vulnerability - the one which
really made you feel good when you discovered it?

I classify my bugs in two categories:  a) the ones which are
discovered by examining the source code b) the ones which are
discovered "by chance" or by an irrational way.

My favorite ones are type b). I consider a) craftsmanship, which is
not very interesting. Don't have a favorite one, but quite like the
OpenBSD race condition bug.


How do you see the future of security research evolving? And the
future of the internet?

About security - quote from Bon Jovi: "It's all the same, only the
names will change". About internet - expect a decline of Microsoft
products on the internet.


Has your choice of career affected you personally? Or socially? Many
geeks say they are unable to get a date - how about you?

I am not very sociable, but believe I have a good social life. I don't
complain about it.


If you had a chance to do it all over again, would you choose the same
career? Whatever answer you give, why?

I doubt that one can escape his karma. I probably would have done it
the same with small changes.


Any other interests apart from IT?

I like going to parties and bars. I have an amateur interest in
mathematics.


If someone wanted to start out as a security researcher, what advice
would you give them?

Be careful. Very careful.


Any famous last words?

Keep up the faith.


 