Bugtraq mailing list archives

Re: submission
From: rain forest puppy <rfp () WIRETRIP NET>
Date: Tue, 28 Nov 2000 18:17:09 -0600

Oh boy, here we go.

First off, let's start with hellNback's post:

- "There is nothing forcing Georgi or anyone for that matter to follow
- RFPolicy, but the policy is a good idea and is very sound, so why not
- follow it."

I want to make it clear that RFPolicy is not a definitive way to interact
with a vendor--it is only one suggested way.  There are as many logically
sound reasons to not use a policy as there are reasons to use it.  Not to
mention, someone may choose an alternative policy that better suits their
ideals.

So I hope the only person who would be ostracized for not following
RFPolicy would be me.  RFPolicy still has many shortcomings which do not
make it perfect; it should be considered best effort.

- "Georgi himself claimed to not be required to work with Microsoft for
- free."

And in various forms this is true.  A vendor should be thankful that a
researcher took the initiative and provided them with a chance to correct
the problem.  Granted, a researcher should definitely be willing to help
reproduce the problem (particularly after spending time in finding it in
the first place), but seriously, who's helping who?  I may find a bug, and
I may feel like disclosing it to the vendor, but I may not have time to
deal with it.

So first thing to ask yourself: if a researcher doesn't have time to play
'support' to a vendor on a bug they wandered across (particularly if it
was by accident), would they be better off not bothering telling the
vendor in the first place?  Where is it stated that you *must* assume
responsibility for a bug if you report it to a vendor?

Then ask yourself: given the fact that the vendor has the original source,
wouldn't it suffice to review the suspect code for indications to the
problem, rather than having to reliably reproduce it first?  Why spend 20
hours trying to reproduce a problem verified with 15 minutes of code
review?

- "Could one assume that Georgi is only releasing his vulnerabilities in
- this fashion because Microsoft is a competitor?"

You're assuming Georgi can somehow pay the bills by taking time to support
Microsoft in reproducing and fixing their problems.  Last I checked
Microsoft didn't offer a bounty on found bugs.

And Georgi's AOL/Netscape contract now becomes apparently obvious--I'm
sure there are a lot of people who would not take the choice of poverty
just so they can continue vulnerability research.

- "Why is Georgi only concentrating on Microsoft products?"

There is an unfortunate reality that some people seem not to realize: if a
researcher is interested in improving the security of a product, and the
company is willing to contract/support/pay/whatever the researcher
accordingly for their time, you enter the realm of a business
relationship.  In that sense, you may be under legal binding (read: NDA)
to not disclose vulnerabilities found.

Now, is that a conflict of interest?  It depends...if your interest is
purely full disclosure (which I see as a 'means'), then yes.  However, if
you're interested in the overall security of the product (the 'end'), then
no.  And if the vendor is correctly using the researcher's findings to fix
the vulnerabilities in their product, it could be a sign of the vendor
becoming responsible and approaching security proactively.

So it should be considered that Georgi's relationship with AOL/Netscape
prevents him from posting vulnerabilities in Netscape.  However, if
instead those findings are going straight into the vendor for immediate
fixing, then that is a good thing.

- "It seems to me that people like Georgi Guninski while they claim to
- support full disclosure obviously support it for reasons other than the
- good of the security community."

Given that disclosure brings the problem to light (albeit full light) so
that it can get fixed, what would you prefer:

Full disclosure or private exploitation?

I like to think the former is the preferred route...so rather than
targeting Georgi and others who do so, why not expend energy on the
individuals who make the latter choice?  Be happy that Georgi wears a
white hat.

- "A security professional has a responsibility to report issues to
- vendors and to work with vendors to solve them."

Funny, I thought vendors had a professional responsibility to not have
those problems in the first place.

- "Georgi, take this message for what it is worth, you are no longer doing
- the security industry a service"

I'm willing to bet you run either Netscape or Internet Explorer in some
capacity--therefore, keep in mind, Georgi has done *you* a service by
bringing issues in *your* browser to light, so they may be fixed.

Or would you rather be vulnerable?  Again, full disclosure or private
exploitation?

.............................

Moving along to comments by Ryan Russell:

- "...Some Linux vendors jumped the gun"

Another interesting example that I did not fully think about until after a
recent get together with Mudge and Weld from @Stake.  Given three vendors,
each having the same vulnerability, what is the appropriate action if two
of the three have fixes, and the third is still months off?  Do the two
stall and wait for the third?  Or do they release their patches anyway?

By asking the first two vendors to wait for the third, you are asking
those vendors to *knowingly keep their customers vulnerable*.  That, in
many legal circles, can be seen as a great liability.

Is it responsible for the vendor to choose to keep its customers
vulnerable?  Particularly if the bug is potentially being exploited?

.............................

Looking at Georgi's reply:

- "If I really concentrate on Microsoft's products I suppose I would find
- much more vulnerabilities"

At first, that's a scary thought.  But then, who would be better qualified
to give a thorough once-over so that, in the long run, IE would be more
secure?

And because Georgi has a talent at ferreting out those bugs, does that
make him obligated to provide charity research?  Let alone be publicly
slammed because he does as much as he can with the time he can afford to
give away?

- "Would you prefer not to post anything to Bugtraq and on my web site?
- Would you feel safer then?"

Which, of course, is what *I'm* scared of.  There have been many times
I've felt like 'throwing in the towel' because people criticized me for
taking time, finding vulnerabilities, and bringing them to light so they
can be fixed.  Imagine if I did just give it up.  Imagine if Georgi does.
Keep in mind, regardless of how they go about doing it, our actions do
contribute to getting the problem fixed.  Granted, there may be more
efficient means to do so, but make no mistake, the bug is now on the path
to being fixed.
In short, don't blame the messenger.  Or in this case, the researcher.
Just be happy that the vendor has a chance to see the message, regardless
of how it's delivered.
- rain forest puppy