Dailydave mailing list archives

Hyenas of the Security Industry


From: Brad Spengler <spender () grsecurity net>
Date: Fri, 18 Jun 2010 00:01:19 +0200

By now, most on this list and elsewhere have read from various news 
sources the "controversy" regarding Tavis Ormandy's recent 
full-disclosure of a vulnerability in older versions of Microsoft 
Windows.  The advisory was posted here:
http://seclists.org/fulldisclosure/2010/Jun/205
from Tavis' personal email account on his own personal time, and as 
mentioned in his advisory, represented no agency or person but himself.

It was disgusting to see not only the resulting press but also the
response (or more accurately, the lack thereof) from the security
community (if such a thing exists anymore).

So since most researchers in the security community have had their 
spines and sense of justice/fairness contractually removed by their 
respective employers, I'd like to comment on some of these topics.  The 
purpose of my mail is to call out (by name) the individuals, 
"journalists", and companies that manufactured the controversy for their 
own benefit.

The only thing Tavis did wrong was assume his readership understood the 
details of his situation as well as he did.  The clarity regarding what 
happened during the five days between private and public disclosure 
wasn't there, leading to rampant speculation and inaccuracies that 
continued even after Tavis corrected them.  How many vulnerabilities 
Tavis has "responsibly" reported to Microsoft isn't known by most 
because such reports aren't often newsworthy.

The only carrot-on-a-stick Microsoft used to be able to offer to 
independent researchers was recognition within their advisories.  I 
don't find this to be any significant motivator at all.  Red Hat has the 
same policy as well, but unfortunately for the vendors that adopt this 
policy it doesn't affect public recognition.  Though Microsoft won't 
acknowledge the author of a vulnerability that is not "responsibly 
disclosed", everyone else will.  Not that any kind of recognition is 
particularly important for some -- using one's own name can just be due to a 
disinterest in the usefulness of submitting a report from an alias with 
an anonymous email address.

The upsetting trend (which I imagine has been keeping security companies 
playing along with Microsoft's silly game) is for Microsoft to call into 
question the ethics of the reporter, and even if that reporter was 
acting independently, tying that question of ethics to the reporter's 
employer.  This wasn't some flippant reaction by a random MSRC employee, 
the Director of MSRC, Mike Reavey, mentioned Tavis' employer three times 
in his blog regarding the vulnerability:
http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx
It was an intentional (and successful) attempt at framing the discussion 
that was repeated endlessly by the media.

Speaking of framing discussions, we need to reject the legitimacy of the 
phrase "responsible disclosure."  It's a loaded term that by itself 
implies that any other kind of disclosure is irresponsible.  Such a 
claim couldn't be farther from the truth.  "Responsible disclosure" is 
an invention of the vendors to reduce public embarrassment and allow 
them to sit on the bugs for as long as they feel like, as long as they 
keep coming up with excuses.  Researchers wanted a deadline to prevent 
exactly that situation (as Tavis requested for his vulnerability), but 
it seems that more and more, any kind of public disclosure is regarded 
as irresponsible, even if a vendor says they won't fix it in two months.

http://www.zerodayinitiative.com/advisories/upcoming/
Shows how well that "responsible" disclosure is working out:
ZDI-CAN-357      Microsoft      High    2008-06-25, 720 days ago
ZDI-CAN-527      Microsoft      High    2009-07-14, 336 days ago
ZDI-CAN-533      Microsoft      High    2009-07-23, 327 days ago
ZDI-CAN-543      Microsoft      High    2009-08-06, 313 days ago
ZDI-CAN-599      Microsoft      High    2009-10-20, 239 days ago
What's responsible about letting a vendor sit on a serious vulnerability 
for almost two years?

I can't think of a catchier phrase to describe what's going on here 
("Damage Control Disclosure" perhaps? maybe someone else can think of 
something more clever), but it's effectively: "Give us the 
vulnerability for free, argue with us in phone conferences about its 
importance and exploitability, then let us sit on it for as long as we 
want, providing excuse x, y, and z if necessary to delay a fix.  In 
return, we will give you a gold star and not actively attempt to create 
a controversy in order to have you fired from your job or sink your 
company, so that we can retain our image.  At least, as long as you 
keep playing by these rules -- don't think about trying to actually 
enforce any deadlines on that most important vulnerability out of the 
20 total you reported."  It's clear why this is so attractive to the 
industry!

It's also curious how much complaining is done when Microsoft/Adobe/etc 
don't fix a vulnerability overnight when an exploit for it gets reported 
as being found in the wild, yet many of the same people are now 
complaining that Microsoft wasn't given 60 days that they won't need to 
produce a patch -- talk about double standards.  Will we now see a patch 
within 60 days that was previously impossible?

On to an analysis of the coverage by "journalists."  I'm not quite sure 
why there's a need for so many of them, when they all have about the 
same level of understanding and repeat the same misinformation from the 
same sources.  I was interested in my analysis of how many times Tavis' 
employer was mentioned in the article, who the references were for the 
article, and whether the information provided by said references was 
Glenn Beck-style inventions of the imagination (dramatization: "well 
yes, he claimed he was acting alone, but he mentions at least one other 
person in his greets section who also has the same employer!  Now, I 
know nothing about this person, but based on this alone...don't you find 
it interesting?  I'm just the one asking questions here!")

Here's my summary with links:
http://threatpost.com/en_us/blogs/does-google-have-double-standard-full-disclosure-061010
http://ha.ckers.org/blog/20100610/windows-help-centre-vuln/
(Robert Hansen)
References: his own massive brain
Number of times employer mentioned: 14

http://www.computerworld.com/s/article/9178084/Hackers_exploit_Windows_XP_zero_day_Microsoft_confirms
(Gregg Keizer)
Number of times employer mentioned: 3
References: Graham Cluley, Andrew Storms
Glenn Beck impersonation from: Graham Cluley

http://www.computerworld.com/s/article/9177966/Microsoft_confirms_critical_Windows_XP_bug
(Gregg Keizer)
Number of times employer mentioned: 7
References: Robert Hansen/"RSnake", Andrew Storms
Glenn Beck impersonation from: Robert Hansen/"RSnake"

http://www.computerworld.com/s/article/9177948/Google_researcher_gives_Microsoft_5_days_to_fix_XP_zero_day_bug
(Gregg Keizer)
Number of times employer mentioned: 16
References: Robert Hansen/"RSnake", Andrew Storms, Secunia, Vulpen Security
Glenn Beck impersonations from: Robert Hansen/"RSnake", Andrew Storms

http://threatpost.com/en_us/blogs/week-security-full-disclosure-rabbit-hole-re-opens-061110
(Dennis Fisher)
Number of times employer mentioned: 13
References: Robert Hansen/"RSnake", Dino Dai Zovi
Glenn Beck impersonation by: Robert Hansen/"RSnake"
(Dino was one of only three people I found who were quoted in support)

http://threatpost.com/en_us/blogs/attackers-exploiting-windows-help-center-flaw-061510
(Dennis Fisher)
Number of times employer mentioned: 1
References: Graham Cluley

http://www.theregister.co.uk/2010/06/11/google_microsoft_zeroday/
(John Oates)
Has subtitle of: "Impatient engineer called, but you were out, you f**ker"
Classy!
Number of times employer mentioned: 3
References: random full-disclosure poster Susan Bradley
makes reference to "other observers" (Hansen, Storms) further
perpetuating made-up scenario

http://www.zdnet.com/blog/security/googler-releases-windows-zero-day-exploit-microsoft-unimpressed/6659
(Ryan Naraine)
Number of times employer mentioned: 5
References: links to article by Robert Hansen/"RSnake" for a discussion 
of "ethics"

http://news.cnet.com/8301-27080_3-20007421-245.html
(Elinor Mills)
Number of times employer mentioned: 17
References: Robert Hansen/"RSnake", Andrew Storms, HDM, fyodor
Glenn Beck impersonations by: Robert Hansen/"RSnake", Andrew Storms
(HDM and fyodor were the only other two found quoted in support, though
fyodor's not marked as explicit)

http://krebsonsecurity.com/2010/06/unpatched-windows-xp-flaw-being-exploited/
(Brian Krebs)
Number of times employer mentioned: 1
References: links to Donato Ferrante's blog, the actual technical
content that Graham Cluley editorialized and sensationalized

http://krebsonsecurity.com/2010/06/security-alert-for-windows-xp-users/
(Brian Krebs)
Number of times employer mentioned: 3

http://www.theregister.co.uk/2010/06/15/windows_help_bug_exploited/
(Dan Goodin)
Number of times employer mentioned: 0
References: links to Donato Ferrante's blog, the actual technical 
content that Graham Cluley editorialized and sensationalized

http://www.theregister.co.uk/2010/06/10/windows_help_bug/
(Dan Goodin)
Number of times employer mentioned: 0
References: HDM
(HDM was one of three in support, but is only quoted for technical 
relevance here)

Dan Goodin seems to be the only journalist in the group.  I've even 
removed the quotes because he actually did his job!  Brian Krebs would 
be a close second: he stuck to the technical content, though still 
mentioned Tavis' employer several times (and the comments below his 
articles (perhaps as a result) mirror that association).  As for the rest, 
they latched onto the manufactured controversy, copy+pasting gems from 
Hansen, Storms, and Cluley among each other.  You all fail, especially
John Oates -- you seriously call that reporting?

As a comparison, observe what was reported when Tavis let Microsoft sit 
on the vm86 vulnerability for 7 months without a fix:
http://www.computerworld.com/s/article/9146820/Microsoft_confirms_17_year_old_Windows_bug
Moral here is: if you let the vendor sit on a 17 year old vulnerability 
for 7 months and then go public when there's no fix yet, you get 
thanked, but if you determine 5 days after responsibly reporting to 
the vendor that a fix isn't coming any time soon and then go public, 
Microsoft wants you to shut up, or else.

A recent quote from Wikileaks' twitter account seems apropos here, 
though I would even extend the scope beyond journalists in this case:
"Bad journalists assume people are motivated by revenge or fame -- 
because that is what bad journalists are motivated by."

With this in mind, let's take a closer look at the three people constantly 
quoted who helped create a controversy out of thin air.  Since they 
apparently have no sense of decency themselves and had no problem 
maligning Tavis just for some media attention, I'm sure they won't mind 
having their names and their company names reproduced below.

Graham Cluley, self-described "computer security expert"
Senior Technology Consultant for Sophos
Blog post located at:
http://www.sophos.com/blogs/gc/g/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/
Note the coincidentally inflammatory URL.
I'm commenting on almost every area of the post, so I won't include it 
inline here.  He starts off by associating Tavis with his employer, 
repeating the already false claim that Tavis only gave Microsoft 5 days 
to come up with a patch (he's able to make multiple updates to the blog 
but conveniently doesn't fix this central inaccuracy).  He calls Tavis 
irresponsible, then mentions that luckily for the reader, Sophos (his 
company's product) will protect you against the one website they found 
exploiting the vulnerability, which they won't mention.

Cluley could use a clue about the definition of "proactive" though -- he 
claims Sophos "proactively detects the page as Sus/HcpExpl-A", the link 
showing the protection being available since June 14th, 4 days after 
Tavis' advisory.  It seems like a "reactive" detection of a 
vulnerability that existed for 9 years which was only possible 4 days 
after the fact, entirely due to Tavis' advisory.  Antivirus is a joke in 
itself, but that's a completely different topic.

A Slashdot commenter wrote the following about Graham Cluley:
"There are a lot of "go-to" commentators that the press goes to for
 supposed insights about security. Graham is one of them. He's a smart
 guy, but also one of the worst carnival-barkers in the industry; always
 chasing stories. Here are a few classics:

    * On Bluetooth phone viruses, [crn.com] apparently the next big
 thing in malware (2004): "If you don't know about bluejacking these
 messages can be quite a shock" (2004)
    * On the groundswell of Mac malware: [techtree.com] "This means two
 real viruses have emerged for the Mac OS X platform in less than a week.
 The question on everyone's lips is - when will we see the next one, and
 will it have a more malicious payload?" (2006)
    * On "naming and shaming" [sophos.com] (his words) countries from
 whose IP address space spam appears to emanate: "A new dirty 'gang of
 four' - South Korea, Brazil, India and their ringleader USA - account
 for over 30% of all the spam relayed by hacked computers around the
 globe." (2010)

 It is a bit rich that he's asking Tavis whether he "feels good about
 himself." Just saying."

http://www.sophos.com/pressoffice/news/articles/2010/04/dirty-dozen.html
http://www.techtree.com/techtree/jsp/article.jsp?article_id=71444&cat_id=582
http://www.crn.com/security/56200605

Next we have Andrew Storms, Director of Security Operations at nCircle 
Security.  He had this to say:
 "That's impossible, argued Andrew Storms, director of security operations
 at nCircle Security. "[As a security researcher] you can't really
 separate your work from your employer. So you have to wonder if
 [Ormandy] isn't intentionally feeding the feud between Google and
 Microsoft."

 Like Hansen, Storms questioned Ormandy's decision to reveal his findings
 just five days after he reported the vulnerability to Microsoft. "You
 can't say in this case that the vendor was sitting on their hands, not
 being responsive, which is why researchers usually go public, to force
 [a vendor's] hand.

 "This is no better than not reporting it to Microsoft," concluded
 Storms."

Storms' other activities for the press include discussion of recently 
reported vulnerabilities that he doesn't understand but will say 
something generic like "the one in Internet Explorer is the most 
important" just to get nCircle Security's name in the news.  In his 
quotes used by the various "journalists" he advances the idea that Tavis' 
disclosure of the vulnerability is some conspiratorial fueling of a feud 
between Tavis' employer and Microsoft, despite the fact that the only 
people associating it with Tavis' employer are commentators like Storms.

Finally we have the turd wrapped up in an enigma that is
Robert Hansen/"RSnake", CEO of SecTheory
Reading his post:
http://threatpost.com/en_us/blogs/does-google-have-double-standard-full-disclosure-061010
http://ha.ckers.org/blog/20100610/windows-help-centre-vuln/
it's clear that he has an axe to grind with Tavis' employer.  He creates 
the false, repeated claim that Tavis only gave Microsoft 5 days to 
create a fix (not only that, he assigns this fault to Tavis' employer, 
not Tavis himself).  He then, again falsely, claims that Tavis wasn't 
doing this in his own time, simply because some other individuals with 
the same employer appear in his greets section.  Maybe they don't teach 
this in clickjacking training, an extensive 5 week course, but "greets" 
is short for "greetings" -- I've been mentioned in the list before, but 
it didn't mean I had anything to do with the vulnerability discovery or 
released exploit.  Not to mention that there's nothing wrong with two 
employees of the same company collaborating on projects (or in 
this case, specific smaller aspects of a larger project) outside of work 
-- being friends with others in the community, many of whom work for the 
same large companies, is nothing unusual.
"RSnake" then complains about the hostname Tavis chose to use for links 
in his advisory.  Finally, after an entire article focusing on Tavis' 
motives and ethics, he ends it with "I don't mean to say anything bad 
about Tavis" -- he means it so much he made a blog post trashing him, 
reposted to another site, and repeated the same lies to any reporter 
that would listen to him.  Towards the end of his comments on his 
ha.ckers.org blog, before locking it from additional comments because 
people didn't agree with him, he states: "I'm over it."  After calling 
for one of the most well-known and respected researchers to be fired and 
repeating those comments to reporters, I'm glad you had the empathy to 
finally conclude that everything is ok now and that you're over it, 
because surely Tavis hasn't been affected at all by your reckless, 
idiotic statements.  You stay classy out there, scumbag.

Some final comments:

Microsoft should strongly reconsider their actions.  If this were any 
other security researcher, how likely would that researcher be to 
cooperate in a "responsible" fashion in the future, for free?  How 
likely would they be to sit in on phone conferences trying to convince 
Microsoft that a vulnerability is exploitable and important?  How likely 
instead, now being treated as some kind of outlaw instead of a person 
for whom security is genuinely important, would they be to profit off 
their finding obtained in their own time?  Does Microsoft believe 
they're improving security if these vulnerabilities are instead sold to 
the highest domestic/foreign bidder?  Or is it only the appearance of 
security they're interested in?  Don't bite the hand that feeds you -- 
any alternative action by a researcher due to chilling effects is worse 
for security than what Microsoft is scolding Tavis for.  Punishing Tavis 
plays into the interests of the anti-sec crowd who want him humiliated 
to the point that he quits killing bugs so that the bugs can continue to 
be exploited in private.

Is Tavis unethical because his personal views on vulnerability 
disclosure that he practices in his own time differ from those of his 
employer?  As a reminder of this foolish argument from authority, said 
employer is the same one that we recently discovered thought it was 
perfectly ethical to secretly and purposefully sniff WiFi traffic in 
countries all over the world.  Is anyone seriously questioning that 
Tavis has ulterior motives, given that he spends much of his free time 
finding vulnerabilities and reporting them to vendors for free?  Anyone 
who knows Tavis knows his ethics and integrity are beyond reproach; 
libel seems to be reserved for the others.

Locke, via Leibniz in "New Essays on Human Understanding" said, 
"boldness is the power to speak or do what we intend, before others, 
without being intimidated."
It takes a bold, ethical person like Tavis to do what he did.  He should 
be supported and defended by the community, not allowed to be ostracized 
and raked over the coals in the press by attention-seeking CEOs with an 
axe to grind.

TL;DR: If we don't collectively stick up for Tavis, we're all hurting 
our ability to perform our jobs objectively in the future, slaves to the 
multi-billion dollar corporations taking our free work and creating the 
illusion that we have any responsibility to feed into their damage 
control systems.

tags: horrible security company corporate shills bandwagon responsible
disclosure useless analysis microsoft vulnerabilities snake oil salesmen
cargo cult rsnake is a fool everything i needed to know about clickjacking i
learned in elementary school cluley clueless those who can do those who
can't are named andrew storms and write blog entries about mundane
topics rsnakeoil secconspiracy ncirclejerk
ItUk-5FI0Ek
<part where I drop the microphone>
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave