[widdershins] independent security researchers vs companies ?!
Stuart MacIntosh
stuart at linuxsecurity.co.nz
Thu Sep 8 23:13:28 EDT 2005
'responsible disclosure' is prone to corruption(bribes anyone?) and is
not ultimately fair or responsible to the public or private. Security
researchers are in a field of their own and have absolutely no
obligation to grant 'grace time' to corporations or software developers.
I support full, public disclosure; which is not a problem but, the civil
response to the greater problem of dodgy security.
-Stuart
Adrian Sanabria wrote:
> While a good article, I think it ignores the largest problem that may
> develop in the world of disclosure. After what Cisco pulled,
> researchers in fear of being persued legally, even if they try to do
> the right thing, may just release all the details of vulnerabilities
> anonymously without any warning at all. That's what many people I've
> talked to are most worried about. No more responsible disclosure -
> just straight to the public without warning...
>
> --Adrian
>
>
> On 9/8/05, *Gmx Private 01* <gegohouse at gmx.at
> <mailto:gegohouse at gmx.at>> wrote:
>
> http://news.zdnet.com/2100-1009_22-5846019.html
>
> By Joris Evers, and Marguerite Reardon, CNET News.com
> <http://News.com>
> Published on ZDNet News: September 6, 2005
>
> Tom Ferris is walking a fine line. He could be Microsoft's friend or
> foe.
>
> Ferris, an independent security researcher in Mission Viejo, Calif.,
> found what he calls a serious vulnerability in Microsoft's Internet
> Explorer Web browser. He reported it to the software giant on Aug. 14
> via the "secure at microsoft.com <mailto:secure at microsoft.com>"
> e-mail address and has since exchanged
> several e-mail messages with a Microsoft researcher.
>
> Up to that point, Ferris did everything according to Microsoft's
> "responsible disclosure" guidelines, which call for bug hunters to
> delay the announcement of security holes until some time after the
> company has provided a fix. That way, people who use flawed products
> are protected from attack, the argument goes.
>
> Last weekend, however, Ferris came close to running afoul of those
> guidelines by posting a brief description of the bug on his Security
> Protocols Web site and talking to the media about the flaw. So far,
> the move has done little more than raise some eyebrows at Microsoft.
>
> "I am walking a fine line, but I am doing it very carefully because I
> am not disclosing actual vulnerability details," Ferris said. "I do
> this to inform users that flaws still do exist in IE...I don't like it
> that Microsoft tries to give users a nice warm feeling that they are
> disclosing everything researchers report to them."
>
> At issue is the push for "responsible disclosure" of software flaws by
> many industry players, including titans such as Microsoft, Oracle and
> Cisco Systems.
>
> Microsoft publicly chastises security researchers who don't follow its
> rules. Also, those researchers won't get credit for their flaw
> discovery in Microsoft's security bulletin, which is published when
> the company releases a patch. Because Ferris did not disclose any
> actual vulnerability details, he's still on Microsoft's good side, a
> company representative said.
>
> While many software makers promote responsible disclosure, it isn't
> universally backed by the security community. Critics say it could
> make security companies lazy in patching. Full disclosure of flaws is
> better, they say, and turns up the heat on software makers to protect
> their customers as soon as possible.
>
>
> How long is too long?
>
> "Microsoft obviously takes way too long to fix flaws," Ferris said.
> "All researchers should follow responsible disclosure guidelines, but
> if a vendor like Microsoft takes six months to a year to fix a
> flaw, a
> researcher has every right to release the details."
>
> By that time someone else, perhaps a malicious person, may also have
> found the same flaw and might be using it to attack users, Ferris
> said.
>
> Often lambasted for bugs in its products, Microsoft is doing its best
> to win the respect of the security community. The company has
> "community outreach experts" who travel the world to meet with
> security researchers, hosts parties at security events and plans to
> host twice-annual "Blue Hat" events with hackers on it its Redmond,
> Wash., campus. At Blue Hat, hackers are invited to Microsoft's
> headquarters to demonstrate flaws in Microsoft's product security.
>
> "Security researchers provide a valuable service to our customers in
> helping us to secure our products," said Stephen Toulouse, a program
> manager in Microsoft's security group. "We want to get face to face
> with them to talk about their views on security, our views on
> security, and see how best we can meet to protect customers."
>
> Many companies are getting better at dealing with security
> researchers, said Michael Sutton, director of iDefense Labs, which
> deals with researchers and software makers. "The environment has
> definitely changed from two or three years ago, though there are
> vendors who are going in the opposite direction," he said.
>
> While Microsoft sometimes is still referred to as the "evil empire,"
> it appears to be successfully wooing security researchers.
>
> "We are at the point where all the obvious things we tell Microsoft to
> do, they already do it," Dan Kaminsky, a security researcher who
> participated in Microsoft's first Blue Hat event last March, has said.
>
>
> Balancing act
>
> Other technology companies still struggle with hacker community
> relations. Cisco especially has managed to alienate itself from the
> hacker community to the extent that T-shirts with anti-Cisco slogans
> were selling well at this year's Defcon event. Oracle also isn't a
> favorite, researchers said.
>
> Cisco, along with Internet Security Systems, last month sued security
> researcher Michael Lynn after he gave a presentation on hacking router
> software at the Black Hat security conference. The company had
> previously tried to stop Lynn from giving his talk in the first place.
>
> "It was definitely a surprise to see Cisco's reaction," iDefense's
> Sutton said. "I don't think that's the best approach. I do feel that
> it is happening less and that vendors are realizing that we don't
> want
> to work against them, but with them."
>
> Cisco contends it doesn't have any beef with Lynn's discoveries, but
> instead the company is unhappy about the way he went about
> distributing the information to the public.
>
> "This incident violated aspects of normal protocol for dealing with
> security flaws," said Bob Gleichauf, CTO for Cisco's Security
> Technology Group. "And we are real sticklers for protocol."
>
> But it seems that there have been several instances where Cisco has
> had similar problems in its dealings with researchers.
>
> Early in 2004, Paul Watson discovered a flaw in the TCP/IP protocol
> that could be exploited on a number of networking products, including
> Cisco's routers. Watson said he initially e-mailed two of Cisco's
> engineers, who responded promptly. They were helpful and even
> contributed some thoughts and ideas to his research, he said.
>
> But once the issue was identified as a serious security risk by the
> legal team at Cisco, the tone of the communication changed, Watson
> said. Cisco still wanted information from Watson, but no longer
> responded to his queries. Watson provided Cisco with several possible
> methods to correct the problem.
>
> Frustrated by the lack of communication with Cisco, Watson decided to
> present his research at the CanSecWest Security Conference in April
> 2004. In a scenario similar to that at Black Hat, Cisco and the U.S.
> Department of Homeland Security asked the conference organizer to pull
> the talk. The request was denied.
>
> The impending talk spurred the company into action. Fixes were
> released a few days before the conference. However, Cisco not only
> provided patches, it also patented a fix for the flaw. This raised
> fears that Cisco might charge for the fix, which also affected other
> vendors, although Cisco did not.
>
> "I was shocked," Watson said in an e-mail. "It really broke my trust
> in them." Cisco, like other software makers, wants security
> researchers to report flaws privately and have time to patch before
> disclosure, but Cisco took advantage of this period to apply for a
> patent, he said.
>
>
> Playing it smart
>
> A similar situation played out about a year later. Cisco tried to
> patent a fix to a flaw in the ICMP protocol that was discovered by
> Fernando Gont. The researcher outsmarted Cisco by documenting his
> discovery and the fix, and also by sharing the information privately
> with the open-source community and the Internet Engineering Task
> Force, a standards organization.
>
> Mary Ann Davidson, chief security officer at Oracle, sees security
> researchers who threaten vendors with disclosure of bugs as a problem,
> she wrote in a recent perspective piece on News.com
> <http://News.com>. "The reality is
> that most vendors are trying to do better in vulnerability handling.
> Most don't need threats to do so," Davidson said.
>
> Alexander Kornbrust specializes in security of Oracle products. He
> went public with details on six security vulnerabilities in Oracle
> software in July, about two years after he reported the bugs to the
> software maker and fixes still had not been provided.
>
> Oracle chided Kornbrust as irresponsible for disclosing the data.
>
> Although not entirely happy about his dealings with Oracle, Kornbrust
> said it is not an adversarial relationship. "Hostile is not the right
> expression. I did get feedback from Oracle," Kornbrust said. But that
> was only immediately after he reported the bugs. Oracle did not give
> Kornbrust updates on how it was addressing the problems afterwards.
>
> "Oracle supports guidelines for responsible disclosure. One of those
> guidelines is that the company should send out updates to the
> researcher. They don't," said Kornbrust, who runs Germany's Red
> Database Security.
>
> In the past, many hackers and security researchers outed glitches
> without giving much thought to the impact the disclosures would have
> on Internet users. Software makers have been working to provide a
> channel for disclosure. Several have also established patching
> schedules. Microsoft releases patches every second Tuesday of the
> month, and Oracle has a quarterly schedule.
>
> Still, the debate on responsible disclosure rages. Recently the
> French
> Security Incident Response Team, or FrSIRT, was the subject of
> discussion on a popular security mailing list. FrSIRT, formerly known
> as K-Otic, releases details on vulnerabilities and also publishes
> exploit code that could help attackers. Sometimes the holes aren't
> yet
> patched. Other than FrSIRT selling its service, what good can such
> publishing do? critics have asked.
>
> "With our dependency on IT systems, responsible disclosure is of
> paramount importance," said Howard Schmidt, an independent security
> consultant who has served as cybersecurity adviser to the White House
> and security executive at Microsoft and eBay.
>
> Technology companies that are not responsive to security researchers
> do pose a problem, Schmidt said. He suggests that the government,
> specifically the US Computer Emergency Readiness Team (the Department
> of Homeland Security's Internet security agency), could act as an
> intermediary. "And then perhaps the government could put some
> pressure
> on (technology companies)," he said.
>
>
>
> _________________________________________
> Attend ToorCon
> Sept 16-18th, 2005
> Convention Center
> San Diego, California
> www.toorcon.org <http://www.toorcon.org>
>
> _______________________________________________
> widdershins mailing list
> widdershins at attrition.org <mailto:widdershins at attrition.org>
> http://www.attrition.org/mailman/listinfo/widdershins
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>widdershins mailing list
>widdershins at attrition.org
>http://www.attrition.org/mailman/listinfo/widdershins
>
>
More information about the widdershins
mailing list