UK ISP threatens security researcher
http://www.theregister.com/2007/04/17/hackers_service_terminated/ "A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers." I happen to know the guy, and I am saddened by this. Gadi.
Gadi Evron wrote:
"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."
I happen to know the guy, and I am saddened by this.
In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK. I'm not sure I have as much sympathy for him as you do. [1] http://blogs.securiteam.com/index.php/archives/826 [2] IANAL
On Apr 19, 2007, at 10:20 AM, Will Hargrave wrote:
Gadi Evron wrote:
"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."
I happen to know the guy, and I am saddened by this.
In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK.
He admitted to logging in, but was clear that he didn't actually modify or inspect the routers in detail. It looks like he did the minimum necessary to verify the extent of the security risk. IANAL either, but I would say that such actions are probably not prohibited in the spirit of the law, even if they are prohibited in the letter of the law. Generally, anti-intrusion laws fall under either anti-theft (I don't think you can really say he stole bandwidth or service by these actions) or anti-vandalism (I don't think you can really call his actions vandalism). He was definitely in a gray area and could have handled things better, but the ISP's actions are way over the top and beyond reason for the situation in question.

Owen
At 11:32 -0700 4/19/07, Owen DeLong wrote:

Being that I know nothing more than what is in the article, I will go along with the assessment that the ISP could have done a better job in running their network. But I don't think that their reaction is uncalled for (given again that the article is all that I have to go on).

He was definitely in a gray area and could have handled things better, but the ISP's actions are way over the top and beyond reason for the situation in question.
The article fails to mention whether the student did try to use proper channels. Perhaps he did - that would change my assessment. Passing judgement on so little data - and data in the press at that - is only as good as, well, the data presented. Employing official channels is preferable to public humiliation. Complaints that "postmaster@" isn't set up correctly take on bigger importance when we can say "we tried to contact you via proper channels but then had to take our complaint public." When I hear about such stunts, I wonder if the student did this all for self-promotion. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Sarcasm doesn't scale.
On Thu, 19 Apr 2007, Will Hargrave wrote:
Gadi Evron wrote:
"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."
I happen to know the guy, and I am saddened by this.
In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK.
I'm not sure I have as much sympathy for him as you do.
The guy basically looked at his own modem, which is what this was all about. The rest of what he may have done is indeed up to your judgement. I am generally worried about the trend that is emerging of reporting security issues resulting in legal threats. Gadi.
[1] http://blogs.securiteam.com/index.php/archives/826 [2] IANAL
Gadi Evron wrote:
On Thu, 19 Apr 2007, Will Hargrave wrote:
Gadi Evron wrote:
"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."
I happen to know the guy, and I am saddened by this.
In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK.
I'm not sure I have as much sympathy for him as you do.
The guy basically looked at his own modem, which is what this was all about. The rest of what he may have done is indeed up to your judgement.
I am generally worried about the trend that is emerging of reporting security issues resulting in legal threats.
Gadi.
What worries me more is that they managed to do such a blindly stupid thing as put the exact same back door passwords on *ALL* their customer CPE and then make it accessible from anywhere. This really does not encourage me about the security of the box that holds my credit card number.

This was not a critical vulnerability, it was a bloody stupid thing to do. Leaving the keys in your car in Brixton is not a critical vulnerability, it's a bloody stupid thing to do.

So, any company (person) who is stupid enough to do this in the first place probably wouldn't take any notice of being informed of it anyway, because they were informed of it a number of times.

-- Leigh Porter
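Leigh's complaint is a configuration one: a single management credential provisioned onto every CPE, with the management service reachable from any address. The Python below is added here as an illustration; it is not code from the thread, from Be, or from any CPE vendor. It audits constructed provisioning records for exactly those weaknesses (plus cleartext telnet, which the thread mentions the student used to reach his own modem) and then shows the corrected provisioning: a per-device password derived with HMAC-SHA256 from a provisioning secret and the device serial, SSH instead of telnet, and a management ACL limited to the ISP's management prefix. The record layout, the 10.250.0.0/16 prefix and the demo secret are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed sample records (not real data): three customer CPE as an ISP's
# provisioning database might describe them. They reproduce the weakness the
# thread describes: one shared management password on every box, and the
# management service (telnet) answering to any source address.
SAMPLE_CPE = [
    {"serial": "CPE-000001", "mgmt_user": "admin", "mgmt_password": "sharedbackdoor",
     "mgmt_service": "telnet", "mgmt_allowed_from": "0.0.0.0/0"},
    {"serial": "CPE-000002", "mgmt_user": "admin", "mgmt_password": "sharedbackdoor",
     "mgmt_service": "telnet", "mgmt_allowed_from": "0.0.0.0/0"},
    {"serial": "CPE-000003", "mgmt_user": "admin", "mgmt_password": "sharedbackdoor",
     "mgmt_service": "telnet", "mgmt_allowed_from": "0.0.0.0/0"},
]

# Assumed ISP management prefix and provisioning secret; both are placeholders
# chosen for this example, not values from the thread.
MGMT_NET = ipaddress.ip_network("10.250.0.0/16")
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def audit_cpe_configs(records, mgmt_net=MGMT_NET):
    """Return a list of human-readable findings for a set of CPE records."""
    findings = []

    # Finding 1: the same (user, password) pair provisioned on more than one box.
    by_credential = defaultdict(list)
    for rec in records:
        by_credential[(rec["mgmt_user"], rec["mgmt_password"])].append(rec["serial"])
    for (user, _), serials in sorted(by_credential.items()):
        if len(serials) > 1:
            findings.append(
                f"shared credential for user '{user}' on {len(serials)} devices: "
                + ", ".join(serials))

    for rec in records:
        serial = rec["serial"]
        allowed = ipaddress.ip_network(rec["mgmt_allowed_from"], strict=False)
        # Finding 2: management plane reachable from the whole Internet, or from
        # anything outside the ISP's own management network.
        if allowed.prefixlen == 0:
            findings.append(f"{serial}: management reachable from any address")
        elif allowed.version != mgmt_net.version or not allowed.subnet_of(mgmt_net):
            findings.append(f"{serial}: management ACL {allowed} is outside {mgmt_net}")
        # Finding 3: cleartext management protocol.
        if rec["mgmt_service"] == "telnet":
            findings.append(f"{serial}: cleartext management protocol (telnet)")
    return findings


def derive_device_password(provisioning_secret, serial, length=20):
    """Per-device credential: HMAC-SHA256 of the serial under a secret that
    lives only in the provisioning system. Each box gets a distinct password
    without the ISP storing a password list; the trade-off is that the secret
    itself becomes the crown jewel and must never be copied onto the CPE."""
    digest = hmac.new(provisioning_secret, serial.encode("ascii"), hashlib.sha256)
    return digest.hexdigest()[:length]


def harden_cpe_config(record, provisioning_secret=DEMO_SECRET, mgmt_net=MGMT_NET):
    """Return a copy of the record with the corrected settings applied."""
    fixed = dict(record)
    fixed["mgmt_password"] = derive_device_password(provisioning_secret, record["serial"])
    fixed["mgmt_service"] = "ssh"                 # encrypted management channel
    fixed["mgmt_allowed_from"] = str(mgmt_net)    # only the ISP's management net
    return fixed


if __name__ == "__main__":
    print("Before hardening:")
    for line in audit_cpe_configs(SAMPLE_CPE):
        print("  " + line)
    hardened = [harden_cpe_config(rec) for rec in SAMPLE_CPE]
    print("After hardening:", audit_cpe_configs(hardened) or "no findings")
```

Run stand-alone it prints seven findings for the sample (one shared credential, three open ACLs, three telnet services) and none after hardening. The HMAC derivation is one common way to get unique per-device credentials; the point is that the audit keeps flagging any record that drifts back to a shared secret or an open ACL, regardless of how the password was generated.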
On Thu, Apr 19, 2007 at 06:10:06PM -0500, Gadi Evron wrote:
On Thu, 19 Apr 2007, Will Hargrave wrote:
Gadi Evron wrote:
"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."
I happen to know the guy, and I am saddened by this.
In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK.
I'm not sure I have as much sympathy for him as you do.
The guy basically looked at his own modem, which is what this was all about. The rest of what he may have done is indeed up to your judgement.
I am generally worried about the trend that is emerging of reporting security issues resulting in legal threats.
Well, in this case I don't know the nature of the threat, but asking the guy to hold back the passwords seems reasonable. What other examples are there, as you suggest a trend in hushing security vulns?

Steve
On Fri, 20 Apr 2007 15:51:20 BST, Stephen Wilcox said:
what other examples are there as you suggest a trend in hushing security vulns?
Sklyarov ended up in jail for a while for daring to point out that a certain foolish vendor had used ROT-13 as their encryption scheme.

Raven Alder had her run-in with Apple: "After realizing that Apple were not my friends and were more interested in their PR spin": http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/52959

Cisco initiated legal action at Michael Lynn and the Black Hat crew: http://news.com.com/Cisco+hits+back+at+flaw+researcher/2100-1002_3-5807551.h...

Ed Felten at Princeton had his famous run-in with the SDMI folks: http://www.usenix.org/events/sec01/craver.pdf which led to threatened legal action: http://cryptome.org/sdmi-attack.htm

Threats of legal action scuttled an RFID hacking demo at a recent BlackHat: http://www.securityfocus.com/news/11444

Now, as you were saying?
On Fri, 20 Apr 2007, Stephen Wilcox wrote:
On Thu, Apr 19, 2007 at 06:10:06PM -0500, Gadi Evron wrote:
I am generally worried about the trend that is emerging of reporting security issues resulting in legal threats.
Well, in this case I don't know the nature of the threat, but asking the guy to hold back the passwords seems reasonable.
What other examples are there, as you suggest a trend in hushing security vulns?
Replying off-list. Gadi.
Steve
On Friday 20 April 2007 10:51, Stephen Wilcox wrote:
On Thu, Apr 19, 2007 at 06:10:06PM -0500, Gadi Evron wrote:
On Thu, 19 Apr 2007, Will Hargrave wrote:
Gadi Evron wrote:
"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."
I happen to know the guy, and I am saddened by this.
In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK.
I'm not sure I have as much sympathy for him as you do.
The guy basically looked at his own modem, which is what this was all about. The rest of what he may have done is indeed up to your judgement.
I am generally worried about the trend that is emerging of reporting security issues resulting in legal threats.
Well, in this case I don't know the nature of the threat, but asking the guy to hold back the passwords seems reasonable.
What other examples are there, as you suggest a trend in hushing security vulns?
Steve
In my personal opinion, ISPs, vendors, and such should legally be held responsible for their product's security and unconditionally be made to repair any security holes. -- if a vendor or ISP maintains good security practices, there will be nothing for them to fear from this.

If, per se, Microsoft doesn't want to fix their code, why don't they release the source and let the open source community do it? Clearly they displayed their non-interest with that ANI exploit: they put off the fix for MONTHS after knowing about it, then what do you know, only when it became something in the wild did Microsoft do something about it.

But phasing back on topic, as in this case: unless some form of a Denial of Service was being performed, the ISP should just fix the problem instead of making themselves look like overpowering, legal-system-abusing bigots. They seem to think if the problem isn't discovered, that it doesn't exist; I think they heard the "if a tree falls in a forest, does it make a sound?" quote too many times. What is the ISP going to do when someone malicious actually takes the open hole to the next level? i.e. actively DOES cause a denial of service on a massive scale? Obviously if one person found it, someone else will also.

There SHOULD be more accountability on the providers'/vendors' part regardless of the technology. If the provider/vendor cannot handle securing the product, they probably shouldn't be putting the product out to the market.

But nothing like that will ever happen as too many people prefer the "ignore it and it will go away" philosophy and too many lawmakers are old twits who don't know anything about technology and probably couldn't care less.
In my personal opinion, ISPs, vendors, and such should legally be held responsible for their product's security and unconditionally be made to repair any security holes. -- if a vendor or ISP maintains good security practices, there will be nothing for them to fear from this.

What's really upsetting is that often it's faster to just fix the problem than it is to complain about it. Unfortunately companies seem to feel that legally threatening people is the wiser course of action. I'd like to know when people stopped taking pride in their work. When I screw up- I'm upset with myself, not with the guy who pointed out the mistake. Now if he used my screwup to wreck everything I've worked- then to hell with him- but if all he did is point out the mistake- then I should learn from it and make sure it doesn't happen again.

-Don
On Fri, 20 Apr 2007 14:56:06 EDT, Kradorex Xeron said:
In my personal opinion, ISPs, vendors, and such should legally be held responsible for their product's security and unconditionally be made to repair any security holes. -- if a vendor or ISP maintains good security practices, there will be nothing for them to fear from this.
Repair *ANY* holes? *unconditionally*? Including ones that are *demonstrably* difficult to actually exploit (for instance, attacks that require physical access to the router), or have a low probability of causing significant damage?

For a "reductio ad absurdum" - I have found an attack against the MPEG format, which combined with a known weakness in one vendor's handling of long runs of zero bits, has the potential of corrupting one or two pixels in every 56 minutes of downloaded video, and requires that I be able to clamp a device of my design around the cable within 2 feet of the router. You're required to fix it, even though the fix will require the forklift upgrade of your entire backbone, as the long-run issue is a design limitation of the router you use throughout your core, and also harden all your PoPs to withstand an attack by a squad of 3 to 5 M1 Abrams tanks, just in case I'm *really* determined to get into the room with the router rack. Oh, and it's arguable that it isn't even *your* problem to fix, but somebody else's.

Did you want to be legally held to this? Be careful what you ask for - you might actually get it.
On Friday 20 April 2007 16:16, Valdis.Kletnieks@vt.edu wrote:
On Fri, 20 Apr 2007 14:56:06 EDT, Kradorex Xeron said:
In my personal opinion, ISPs, vendors, and such should legally be held responsible for their product's security and unconditionally be made to repair any security holes. -- if a vendor or ISP maintains good security practices, there will be nothing for them to fear from this.
Repair *ANY* holes? *unconditionally*? Including ones that are *demonstrably* difficult to actually exploit (for instance, attacks that require physical access to the router), or have a low probability of causing significant damage?
For a "reductio ad absurdum" - I have found an attack against the MPEG format, which combined with a known weakness in one vendor's handling of long runs of zero bits, has the potential of corrupting one or two pixels in every 56 minutes of downloaded video, and requires that I be able to clamp a device of my design around the cable within 2 feet of the router. You're required to fix it, even though the fix will require the forklift upgrade of your entire backbone, as the long-run issue is a design limitation of the router you use throughout your core, and also harden all your PoPs to withstand an attack by a squad of 3 to 5 M1 Abrams tanks, just in case I'm *really* determined to get into the room with the router rack. Oh, and it's arguable that it isn't even *your* problem to fix, but somebody else's.
Did you want to be legally held to this?
Maybe if companies repaired holes when people find them instead of shrugging them off like they do, or threatened the researcher with a lawsuit (even though no malicious action was taken), such action would NOT have to be taken. What would you rather do?

A: Patch the hole ASAP, process over within days, perhaps keeping the problem out of the media, minimal energy taken.
B: Take someone to court for finding a problem in your system, thus looking like a bigot; media coverage ensues.
C: Ignore the problem, wait until someone with malicious intent comes along and causes a DoS or otherwise, then struggle to keep the problem down until a patch is deployed.

So many companies talk out both sides of their mouths: they tell the media and post on their websites that security is one of the most important things to them, yet they don't take any action to keep their systems and products secure.
Be careful what you ask for - you might actually get it.
I wish for many things, most of which are only present in a perfect world.. ;)
On Thu, Apr 19, 2007 at 06:20:50PM +0100, Will Hargrave wrote: [...]
In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK. I'm not sure I have as much sympathy for him as you do.
[2] IANAL
It *is* a criminal offence under extensions to the original CMA1990 in the Police and Justice Act 2006. The maximum penalty was also increased to two years imprisonment. I don't think this particular incident is enough to attract a custodial sentence, but he will almost certainly end up with a well-deserved criminal record for his stupidity if somebody can be bothered to press charges.
It *is* a criminal offence under extensions to the original CMA1990 in the Police and Justice Act 2006. The maximum penalty was also increased to two years imprisonment.
I don't think this particular incident is enough to attract a custodial sentence, but he will almost certainly end up with a well-deserved criminal record for his stupidity if somebody can be bothered to press charges. Some people's opinions are truly astounding.
Why do we even bother having best practices if people aren't going to follow them? No damage was done- that's a hell of a lot more than you can ask from a damned hacker. And if your provisioning system doesn't blow- then fixing the problem isn't a big deal either.

Would your insurance company pay a claim on your stolen car if you left it running, with the doors wide open, in Harlem? Of course not. Nobody wants to take any responsibility for their own stupidity. The only criminal act here was the negligence on the part of the ISP. They got embarrassed- no harm was done- get on with your damned life.

The fact is that people will ALWAYS be curious- it's what makes human beings so amazing. People will explore their surroundings and if you don't want them to- then try taking some basic steps to ensure they can't.

As for the laws? Prison is for people who irrevocably harm society- some stupid kid who went exploring his cable modem DOES NOT QUALIFY. And what about a criminal record? Who the hell does that help? Give the guy a record and force him to go to work for the spammers and botnet writers? Great thinking.

"well-deserved criminal record for his stupidity." Where is the criminal record for the idiot who allowed remote access with a single username and password to every single cable modem? That's pretty damned stupid.

Honestly- when did we all become such vindictive assholes? Had the guy caused any real damage then you might have an argument. He didn't. We need to stop letting companies abuse the law instead of performing due diligence.

-Don
"well-deserved criminal record for his stupidity." Where is the criminal record for the idiot who allowed remote access with a single username and password to every single cable modem? That's pretty damned stupid.
Honestly- when did we all become such vindictive assholes? Had the guy caused any real damage then you might have an argument. He didn't. We need to stop letting companies abuse the law instead of performing due diligence.
<AOL> Well Deserved Criminal Record For His Stupidity? I'm thinking that if stupidity qualifies one for a criminal record, the original poster must have a long rap-sheet. -- TTFN, patrick
Gentlemen and Ladies, I think we should shut down this line of argument. Enjoy the beautiful weather here and Europe and have a good weekend. Regards, Roderick S. Beck Hibernia Atlantic 30 Dongan Place, NY, NY 10040 http://www.hiberniaatlantic.com Landline: 1-212-942-3345 Wireless: 1-212-444-8829. rod.beck@hiberniaatlantic.com rodbeck@erols.com ``Unthinking respect for authority is the greatest enemy of truth.'' Albert Einstein. -----Original Message----- From: owner-nanog@merit.edu on behalf of Patrick W. Gilmore Sent: Fri 4/20/2007 7:25 PM To: nanog@merit.edu Cc: Patrick W. Gilmore Subject: Re: UK ISP threatens security researcher
"well-deserved criminal record for his stupidity." Where is the criminal record for the idiot who allowed remote access with a single username and password to every single cable modem? That's pretty damned stupid.
Honestly- when did we all become such vindictive assholes? Had the guy caused any real damage then you might have an argument. He didn't. We need to stop letting companies abuse the law instead of performing due diligence.
<AOL> Well Deserved Criminal Record For His Stupidity? I'm thinking that if stupidity qualifies one for a criminal record, the original poster must have a long rap-sheet. -- TTFN, patrick
In article <20070420151225.GA31047@cabal.org.uk>, Peter Corlett <abuse@cabal.org.uk> writes
In his blog post [1] he did admit to accessing other routers of Be's customers using the backdoor password; this is probably [2] a criminal offence in the UK. I'm not sure I have as much sympathy for him as you do.
[2] IANAL
It *is* a criminal offence under extensions to the original CMA1990 in the Police and Justice Act 2006. The maximum penalty was also increased to two years imprisonment.
But the relevant sections of PJA 2006 are not in force yet, nor is there any authoritative prediction of when they will be. (If I had to guess, I'd say "at least another six months"). -- Roland Perry
At 18:30 -0500 4/17/07, Gadi Evron wrote:
http://www.theregister.com/2007/04/17/hackers_service_terminated/
"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."
I don't see any part of the story that indicates that the ISP did wrong, I see plenty that the student did wrong. E.g., did the student ever try to discreetly raise the issue with the ISP before going public? -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Sarcasm doesn't scale.
On Thu, 19 Apr 2007, Edward Lewis wrote:
At 18:30 -0500 4/17/07, Gadi Evron wrote:
http://www.theregister.com/2007/04/17/hackers_service_terminated/
"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."
I don't see any part of the story that indicates that the ISP did wrong, I see plenty that the student did wrong. E.g., did the student ever try to discreetly raise the issue with the ISP before going public?
I believe he covers his good, or lacking, disclosure policy in his blog. Fact is, he "hacked" (read telnet) his own modem. Looking at the lack of security response and seriousness from this ISP, I personally, in hindsight (although it was impossible to see back then) would not waste time with reporting issues to them, now. Gadi.
-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Sarcasm doesn't scale.
On Thu, 19 Apr 2007, Gadi Evron wrote:
Looking at the lack of security response and seriousness from this ISP, I personally, in hindsight (although it was impossible to see back then) would not waste time with reporting issues to them, now.
These days there is almost never any reason to report a security issue unless you are a professional security researcher who is looking for publicity/work. [1]

If you are a random person who comes across a security hole in a website or commercial product then the best thing to do is tell nobody, refrain from any further investigation and if possible remove all evidence you ever did anything. There is almost zero potential upside of reporting these holes vs the very real potential downside that the company might decide to go after you with their legal team or the police.

Anonymous notifications to 3rd parties like security forums or journalists might be an option if you really feel it is important. However in the scheme of things giving $50 to your favorite charity is likely to be safer and do the world more good.

[1] - An exception might be for open source projects or as part of your normal job with your company's products. Even then you should only follow normal channels and always be careful.

-- Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT.
I guess my experience in this area differs. Of the times I reported security holes to vendors/site operators they were grateful for the tip. I used my real name (which apparently is somewhat unique) and real contact information in case they had questions. I always made sure to contact the most appropriate person I could get contact info for (i.e. the security team if possible; avoiding the general information address).

Though I guess the big difference with me is I did not post detailed information about those problems on the Internet for anyone to see. Frankly, posting a major flaw in the setup of thousands of routers before the ISP has had a chance to correct the problem is doing more harm than good. I am not surprised at the ISP's response. The person in question here should have first notified the ISP and unless the ISP was unwilling to fix the problem, only then should he have considered releasing the information publicly.

My $0.02, Adam Stasiniewicz

-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Simon Lyall Sent: Thursday, April 19, 2007 8:26 PM To: nanog@merit.edu Subject: Re: UK ISP threatens security researcher

On Thu, 19 Apr 2007, Gadi Evron wrote:
Looking at the lack of security response and seriousness from this ISP, I personally, in hindsight (although it was impossible to see back then) would not waste time with reporting issues to them, now.
These days there is almost never any reason to report a security issue unless you are a professional security researcher who is looking for publicity/work. [1]

If you are a random person who comes across a security hole in a website or commercial product then the best thing to do is tell nobody, refrain from any further investigation and if possible remove all evidence you ever did anything. There is almost zero potential upside of reporting these holes vs the very real potential downside that the company might decide to go after you with their legal team or the police.

Anonymous notifications to 3rd parties like security forums or journalists might be an option if you really feel it is important. However in the scheme of things giving $50 to your favorite charity is likely to be safer and do the world more good.

[1] - An exception might be for open source projects or as part of your normal job with your company's products. Even then you should only follow normal channels and always be careful.

-- Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT.
On Fri, 20 Apr 2007, Simon Lyall wrote:
On Thu, 19 Apr 2007, Gadi Evron wrote:
Looking at the lack of security response and seriousness from this ISP, I personally, in hindsight (although it was impossible to see back then) would not waste time with reporting issues to them, now.
These days there is almost never any reason to report a security issue unless you are a professional security researcher who is looking for publicity/work. [1]
Now, that is off-topic to NANOG. One comment: just because they are not reported does not mean they are not used. Proved beyond doubt this past year with all the 0day attacks and targeted attacks going on. Gadi.
On Fri, 20 Apr 2007, Gadi Evron wrote:
On Fri, 20 Apr 2007, Simon Lyall wrote:
On Thu, 19 Apr 2007, Gadi Evron wrote:
Looking at the lack of security response and seriousness from this ISP, I personally, in hindsight (although it was impossible to see back then) would not waste time with reporting issues to them, now.
These days there is almost never any reason to report a security issue unless you are a professional security researcher who is looking for publicity/work. [1]
Now, that is off-topic to NANOG.
Just because you disagree with someone's opinion, doesn't make it offtopic.
One comment: just because they are not reported does not mean they are not used. Proved beyond doubt this past year with all the 0day attacks and targeted attacks going on.

I'm not sure if Simon's comment was tongue-in-cheek.
I think if you are referring to "public disclosure", yes, I think there's little point of doing this, unless you are seeking attention. Of course, reporting a problem to vendor privately always makes sense. I'm not sure the debate on public disclosure vs private falls under NANOG AUP. -alex
alex@pilosoft.com wrote:
I'm not sure if Simon's comment was tongue-in-cheek.
I think if you are referring to "public disclosure", yes, I think there's little point of doing this, unless you are seeking attention. Of course, reporting a problem to vendor privately always makes sense.
I'm not sure the debate on public disclosure vs private falls under NANOG AUP.
-alex
I beg to differ here on a few points...

1) Reporting to vendors... I don't know how many vendors from Microsoft on down I've reported issues to... Sometimes it works, sometimes it doesn't. For the heavy hitters (MS, IBM, etc.) they should acknowledge and take responsibility for their issues, else have the issues publicly disclosed. How would you feel if you used a product a company KNOWS lacks fundamental security controls and does little to fix it. How would you feel if AFTER the fact someone leveraged a method to affect you. How would you feel AFTER the fact, finding out they were told and did nothing for eons.

I've disclosed a pretty bad denial of service bug. Tested not only by me, but by about six other individuals, one in one of the world's biggest insurance agencies... Confirmed... Another in academia land... Confirmed... A professional pentester with a DoD contract... Confirmed... Sent it to MS... "Well it doesn't work" said the MS team... I didn't even bother disclosing it out after that. Not because it didn't work but because the last thing I wanted to see was something akin to another Smurf like attack on MS being part of my own shop where I work is MS based. I gave up.

On occasion I will take a few minutes to find something stupid to break because I fiddle with things. Sometimes I release things publicly, sometimes I don't depending on what I perceive to be a level of severity. If it's minor, it gets released and this is only because I've gotten tired of dealing with the idiotic policies these companies use to shoot themselves in their own foot. On the other hand, if I attempted to contact someone, got the cold shoulder, attempted again, and something was that bad, why should I be chastised after I decided to let others using that product know "Hey if you use that product... It might not be all that safe."

I get flack whenever I release something in the wild and those whose messages go to my trash bin know little about the fact that I'd made attempts to contact the vendor. From Cisco, to Microsoft, to open source vendors (Asterisk), whomever, most times I will contact the necessary party... They fail to respond, it goes public. Same happened way back when with Computrace (LoJack for Laptops)... Where I contacted them over and over... They told me "You're wrong"... After proving my points repeatedly... Finally I ended up pulling their card and posting their entire email transcription... I still have an NDA they wanted me to sign which is summarized as "We will pay you x amount of what you spend if you just... well shut up." Right....

I see nothing wrong with responsible public disclosure.

-- ==================================================== J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 sil . infiltrated @ net http://www.infiltrated.net The happiness of society is the end of government. John Adams
On Fri, 20 Apr 2007, J. Oquendo wrote:
alex@pilosoft.com wrote:
I'm not sure if Simon's comment was tongue-in-cheek.
I think if you are referring to "public disclosure", yes, I think there's little point of doing this, unless you are seeking attention. Of course, reporting a problem to vendor privately always makes sense.
I'm not sure the debate on public disclosure vs private falls under NANOG AUP.
I beg to differ here on a few points...
1) Reporting to vendors... I don't know how many vendors from Microsoft on down I've reported issues to... Sometimes it works, sometimes it doesn't. For the heavy hitters (MS, IBM, etc.) they should acknowledge and take responsibility for their issues, else have the issues publicly disclosed.

This is getting into the discussion on whether public disclosure (and attendant attention of script kiddies, public embarrassment of the vendor, and "glory" to the reporter) is a better way to get the bug fixed than working with your vendor (who, presumably, receives $$$ from you on a maintenance contract or hopes to receive $$$ from you on the upgrade to the next version).

How would you feel if you used a product a company KNOWS lacks fundamental security controls and does little to fix it? How would you feel if AFTER the fact someone leveraged a method to affect you? How would you feel AFTER the fact, finding out they were told and did nothing for eons?

Vote with your wallet, use a vendor that is responsive to customer needs.

I've disclosed a pretty bad denial of service bug. Tested not only by me, but by about six other individuals: one in one of the world's biggest insurance agencies... Confirmed... Another in academia land... Confirmed... A professional pentester with a DoD contract... Confirmed... Sent it to MS... "Well it doesn't work" said the MS team... I didn't even bother disclosing it out after that. Not because it didn't work but because the last thing I wanted to see was something akin to another Smurf-like attack on MS, being that my own shop where I work is MS based. I gave up. On occasion I will take a few minutes to find something stupid to break because I fiddle with things. Sometimes I release things publicly, sometimes I don't, depending on what I perceive to be a level of severity. If it's minor, it gets released, and this is only because I've gotten tired of dealing with the idiotic policies these companies use to shoot themselves in their own foot.

It's your choice, it is not the only way.

<snip>

From Cisco to Microsoft to open source vendors (Asterisk), whomever, most times I will contact the necessary party... They fail to respond, it goes public. Same happened way back when with Computrace (LoJack for Laptops)... Where I contacted them over and over... They told me "You're wrong"... After proving my points repeatedly... Finally I ended up pulling their card and posting their entire email transcription... I still have an NDA they wanted me to sign which is summarized as "We will pay you x amount of what you spend if you just... well, shut up." Right.... I see nothing wrong with responsible public disclosure.

Responsible is the key word. There's been much discussion on the mailing lists that are *more appropriate* to discuss full-disclosure on what constitutes responsible. Note that those mailing lists are not NANOG, where this subject is tangential.

-alex
On Fri, 20 Apr 2007 12:33:26 EDT, alex@pilosoft.com said:
How would you feel if you used a product a company KNOWS lacks fundamental security controls and does little to fix it? How would you feel if AFTER the fact someone leveraged a method to affect you? How would you feel AFTER the fact, finding out they were told and did nothing for eons?

Vote with your wallet, use a vendor that is responsive to customer needs.
The discussion started out regarding an IP-over-cable ISP. Please point me at places where there is significant *real* competition (i.e. addresses that have more than one copper cable-TV line running into the consumer residence).
The discussion started out regarding an IP-over-cable ISP. Please point me at places where there is significant *real* competition (i.e. addresses that have more than one copper cable-TV line running into the consumer residence).
There are a number of cable overbuilders out there: Knology, Grande, WoW.

sam
On Fri, 20 Apr 2007 alex@pilosoft.com wrote:
On Fri, 20 Apr 2007, Gadi Evron wrote:
Now, that is off-topic to NANOG.

Just because you disagree with someone's opinion, doesn't make it off-topic.
<snip>
I'm not sure the debate on public disclosure vs private falls under NANOG AUP.
Do you even read your own emails?

Gadi.
-alex
I think if you are referring to "public disclosure", yes, I think there's little point of doing this, unless you are seeking attention. Of course, reporting a problem to vendor privately always makes sense.
Public disclosure of the existence of a vulnerability and whatever information is required to understand it well enough to mitigate it, resolve it, or work around it is a good and useful thing. Public disclosure of details of how to exploit the vulnerability beyond what is required in my previous paragraph is not useful and is both rude and counterproductive. Generally, however, I do not think it should be actionable or criminal.

If you leave your front door unlocked, that's dumb. If I tell you that you left your front door unlocked, that's a good thing. If I tell your neighbors that you left your front door unlocked, it's not necessarily helpful, but, it's not illegal, nor should it be.

OTOH, if you buy your lock from LockCo and I discover that there is a key pattern that will open ALL LockCo locks, then, it's good if I tell LockCo about that. It's better if I also tell the public so that people who choose to can either have their locks repaired or can replace them if they so choose. If I tell the public the exact key pattern required, that's not so good, but, it's not illegal and it shouldn't be illegal or actionable.

Now, if I used stolen LockCo engineering diagrams to identify the key pattern in question, the use of the stolen diagrams might be actionable and/or criminal.

Owen
On Thursday 19 April 2007 18:25, Simon Lyall wrote:
If you are a random person who comes across a security hole in a website or commercial product then the best thing to do is tell nobody, refrain from any further investigation and if possible remove all evidence you ever did anything.
There is almost zero potential upside of reporting these holes vs the very real potential downside that the company might decide to go after you with their legal team or the police.
Bullshit.

And when we start propagating messages like this, it will be bad news.

Just report the bug. Unless they are ignorant idiots they should thank you in some way.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada April 18-20 - 2007 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
Dragos Ruiu wrote:
On Thursday 19 April 2007 18:25, Simon Lyall wrote:
If you are a random person who comes across a security hole in a website or commercial product then the best thing to do is tell nobody, refrain from any further investigation and if possible remove all evidence you ever did anything.
There is almost zero potential upside of reporting these holes vs the very real potential downside that the company might decide to go after you with their legal team or the police.
Bullshit.
And when we start propagating messages like this, it will be bad news.
Just report the bug. Unless they are ignorant idiots they should thank you in some way.
cheers, --dr
Yeah, but in this case the company the bug was being reported to deliberately set up this back door password and had previously ignored people bringing it to their attention. There is a point where, as you say, their being ignorant idiots takes over. So what do you do then? Yer damned if you do and everybody's pwned if you don't!

--
Leigh
participants (19)
- alex@pilosoft.com
- Donald Stahl
- Dragos Ruiu
- Edward Lewis
- Gadi Evron
- J. Oquendo
- Kradorex Xeron
- Leigh Porter
- Owen DeLong
- Patrick W. Gilmore
- Peter Corlett
- Rod Beck
- Roland Perry
- Sam Hayes Merritt, III
- Simon Lyall
- Stasiniewicz, Adam
- Stephen Wilcox
- Valdis.Kletnieks@vt.edu
- Will Hargrave