
Re: [Full-disclosure] Rate Stratfor's Incident Response



On Sat, Jan 14, 2012 at 12:11 PM, Paul Schmehl <pschmehl_lists@xxxxxxxxx> wrote:
> --On January 14, 2012 8:33:13 AM -0700 Sanguinarious Rose
> <SanguineRose@xxxxxxxxxxxxxxxxx> wrote:
>
>> I've been watching this chat for a while and I have to say a lot of
>> views here do not impress me and in fact are why I will never report a
>> vulnerability if I find one. Why would I want to even risk getting
>> arrested and/or FBI trouble from observing a security flaw? My policy
>> on finding them is to quietly just move along. I'm sure I am not the
>> only one that does this or has come to such a conclusion about whether
>> it is even worth the trouble.
>>
>
> The reaction of a security professional like me to this is, why aren't you
> looking for security flaws on your own site?  Why are you looking for
> security flaws on other people's sites?  If you want to do security
> research, set up a site virtually and bang away at it to your heart's
> content.  Then report your findings.
>

I don't normally go around looking unless asked. However, it's rather
hard not to notice sites that display PHP errors and sometimes, in
normal usage, SQL errors. Some of them are so bad it's like having a
pink elephant in the middle of a room with a sign that says
"vulnerable". A good example, which I've personally seen more than once
during normal website usage, is searching the website using its
built-in search and noticing it doesn't sanitize its input. It's
rather hard not to notice that once you have the eye for it.

I have also noticed software that is way too old running and, keeping
up with security bulletins, I often know it's vulnerable. It's like
another pink elephant.

There is of course an exception to that: a guy trying to come off as
some big hot-shot security expert super hacker, who I will leave
nameless, that I really love tormenting. He loves downloading and
running these really, really bad free PHP scripts from the '90s, judging
by how some of them are coded. It usually takes 10 minutes tops before
I've found a few flaws, pointed them out by line number, and watched
him silently rage and remove the script from his server. For
clarification, the source code of these scripts is freely available and
I did not actively test the located flaws on his server, so nothing I
did was illegal. Given the non-importance, I did not confirm them on my
own dev server.

>
>> I like how the assumptions are always that this person is horrible and bad
>> for having found a security flaw, he must not be trusted and treated
>> like a criminal.
>
>
> You missed the point.  It isn't that I think that you're a criminal.  It's
> that, as a security professional, I cannot take the chance that you are not.
>  I am forced to do due diligence, take the server offline, do forensics,
> etc.  That's a lot of work, time spent and disruption of my normal duties,
> all you so you can feel proud about finding a vulnerability.  The cost to
> you is minimal.  To me, it's expensive.
>

I never doubted fixing the problem can sometimes be work intensive in
some situations, and also if someone else has used it maliciously.

> So why do you think it's acceptable for you to do some minimal work to force
> others to do lots of extra work?
>

Fixing a problem reported as part of your job description is so...
bad? I would be happier if someone reported it rather than reading
about it in the news.

>
>> Why would he even be reporting it to begin with if
>> his goal is abusing the security flaw? After all the audacity of this
>> dangerous cyber criminal took the time to tell you about the flaw in
>> an email and should be punished for their indiscretion of reporting
>> it.
>>
>
> Nobody's talking about punishing people for finding security flaws, but
> you're punishing the security professionals for the "pleasure" of finding
> vulnerabilities on their site.  If I find a vulnerability in our assets, I
> can simply fix or remediate the problem.  If you find it, I have to treat it
> as a breach, or I'm not doing my job.
>

I would call "punishing people" using the flaw to embarrass and damage
the company rather than discreetly reporting it, but that is just me
apparently.

>
>> The analogies of a house is a very very bad one. Do you expect
>> thousands of people to be walking around your house akin to viewing
>> the website?
>
>
> I think thousands of people walking or driving past my house and looking at
> it as they go by is perfectly normal.  What's not normal is for one of them
> to pull over, get out of their car, walk up to my door and check to see if
> it's unlocked, walk around the house checking all the windows and doors,
> etc., etc.
>
>
>> A more appropriate one would be a public store whose doors
>> happen to be unlocked or completely open.
>>
>
> As Valdis pointed out, even public stores have private areas where you are
> not allowed.  You go there and someone is going to question you, maybe even
> arrest you depending upon what you're doing.
>

This is still a bad analogy considering the internet is very different
from real life. A private area, keeping with this bad analogy, would be
more akin to a login screen, and trying to break it is no doubt
illegal. However, how do you not notice, say, the key being in the door,
the door being wide open with important things inside, etc., and end up
in legal trouble for telling someone that works there about it?

>
>> "If it's not broken don't fix it" is the classical saying of many
>> individuals and sadly even more apply it to security. Even reporting
>> the flaw in some cases results not in fixing it but legal troubles for
>> the person reporting it. You would think they might want to fix it
>> after being informed about it right? After all if it works why fix it?
>> Why not silence that bad apple that found the flaw and no one else
>> will know kinda like daddy's little secret.
>>
>
> It's 2012.  I seriously doubt most sites ignore vulnerabilities any more. We
> HAVE learned a few things over the years.  We are constantly auditing for
> flaws, assessing for flaws and insisting that flaws are corrected.  We don't
> need your help to do our jobs.  I can assure you that we are not sitting
> around waiting for someone like you to help us.
>

As I said, for me personally I don't report anything I come across, so I
wouldn't fit the "need your help to do our jobs". Judging by the tone
of "We don't need your help to do our jobs", "sitting around waiting
for someone like you to help us" and, from earlier, "force others to do
lots of extra work", you rather don't appreciate fulfilling your job
description.

> Paul Schmehl, If it isn't already
>
> obvious, my opinions are my own
> and not those of my employer.
> ******************************************
> "When intelligence argues with stupidity and bias,
> intelligence is bound to lose; intelligence has limits,
> but stupidity and bias have none."
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
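Added example, not part of the thread above: the "search form that doesn't sanitize its input" pattern the reply describes, shown as a concatenated SQL query beside its parameterized fix. The in-memory SQLite table, the article titles and the function names are all constructed for this illustration; the point is that a single quote typed into the unsafe search produces the kind of SQL error page the poster says is hard not to notice, while the parameterized version treats the same input as data.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny articles table for a site search."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles (title) VALUES (?)",
        [("Stratfor incident response",),
         ("Patch management basics",),
         ("Full disclosure debate",)],
    )
    conn.commit()
    return conn


def search_unsafe(conn, term):
    """Vulnerable: the search term is concatenated straight into the SQL text.
    A stray quote breaks the statement (visible error), and a crafted term
    such as  ' OR '1'='1  changes the WHERE clause instead of being searched for."""
    sql = "SELECT title FROM articles WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Hardened: the term travels as a bound parameter, never as SQL syntax.
    Quotes and OR clauses are just characters to match against titles."""
    sql = "SELECT title FROM articles WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def probe(conn, term):
    """Mimic what a visitor sees from the unsafe search: either result rows
    or the database error that a careless site would print to the page."""
    try:
        return ("ok", search_unsafe(conn, term))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_db()
    print(probe(db, "incident"))        # normal search works
    print(probe(db, "'"))               # unsafe path leaks an SQL error
    print(search_unsafe(db, "' OR '1'='1"))  # unsafe path returns every row
    print(search_safe(db, "'"))         # safe path: quote is just data, no match
```

The injected tautology is the classic confirmation step; the author of the reply explicitly says he stops at noticing the error rather than sending such probes at a site he does not own, and the `search_safe` form is the fix a site owner would apply.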