Firm To Release Database, Web Server 0-Days
krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called "responsible disclosure" policy,' Legerov said."
What's up with the confusing article title? (Score:5, Insightful)
Firm To Drop Database, Web Server 0-Days
The verb to drop has specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:
Fed-up security firm to release Database & Web Server vulnerabilities publicly
Look at how much more information is conveyed in that second title. A work of beauty, it is.
Why not? (Score:5, Insightful)
FTFA:
At issue is the pesky ethical and practical question of whether airing a software vendor’s dirty laundry (the unpatched security flaws that they know about but haven’t fixed yet) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret
Hasn't this been proven to be true - and legal?
In all honesty, if they've contacted the vendor and the vendor hasn't patched it in a month or two, I think it's completely ethical and practical to release the vulnerabilities. After all, there could be a few other small firms who have discovered the vulnerability and are exploiting it. Best to put them out there in a Twitter feed so that the entire world instantly complains about it, forcing the vendor to fix it. I prefer security over new features.
Re:Responsible Disclosure (Score:5, Insightful)
The alternative to irresponsible disclosure is for the vulnerability to be used maliciously for an unknown period of time. Which of those is preferable?
Re:Responsible Disclosure (Score:5, Insightful)
Here's a quote from TFA...
Legerov said. For example, he said, “there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor.”
I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.
Re:Responsible Disclosure (Score:3, Insightful)
Yes, because it coerces vendors to fix vulns and therefore improves ecosystem health.
If the internet ecosystem were not under steady attack, it would be weak and much more vulnerable.
What does not kill it makes it stronger.
Re:Responsible Disclosure (Score:5, Insightful)
Responsible Disclosure is like "pro choice" or "pro life". It is a deliberately positive term for purely demagogic reasons. You can't be for irresponsible disclosure, just like you can't be against choice or against life.
The protocol for publishing information about exploitable software bugs is an intensely debated topic and the choices affect multi-billion dollar businesses where it hurts them most: The bottom line. Do not for a second believe that anyone in this game argues for the sake of rational discourse alone.
So, what are they selling? (Score:5, Insightful)
Right, what are they selling again?
Re:Responsible Disclosure (Score:5, Insightful)
Yes, because "responsible" goes both ways. They're being responsible by notifying the vendor before going public. If the vendor is not fixing the issue, it's time to go public.
As far as I'm concerned a public release is still a responsible one. At least in that case everyone knows about it.
Irresponsible is selling unknown vulnerabilities to private parties that will use them for their own gain. The vendor's customers get screwed and the vendor has no idea that it's even happening.
Nice short-term marketing gimmick (Score:5, Insightful)
"Pay attention to us, we'll disclose everything up front before everyone else! BTW, here's our products and services."
Re:Why not? (Score:3, Insightful)
I don't have a problem with the disclosure of vulnerabilities once the vendor has been notified, because I think it does cause the problems to be resolved quicker. However, not telling the vendor means there's no chance for them to even start on a fix before everyone knows the exploit.
Re:Irresponsible (Score:3, Insightful)
Problem is that if you warn a vendor privately, they will either dismiss you outright, or get a court to sign a gag order against you in a matter of hours.
Re:Irresponsible (Score:3, Insightful)
The devil you don't know is less dangerous than the devil you know? Fact is, the guy says he's got holes from Real from two years ago that haven't been patched. Two years isn't enough time, now you want two years and three months?
Re:Responsible Disclosure (Score:1, Insightful)
That is what is generally called "responsible disclosure". The point here however is that vendors allegedly twiddle thumbs as long as the exploit isn't released, so any time you give the vendor before you release the information is time wasted, unnecessarily leaving admins of vulnerable systems in the dark.
security theater gate crashers (Score:3, Insightful)
I welcome this.
In ancient ages past, we put up with "It's a theoretical attack, no one could actually execute it"...
to "group X has released a THEORETICAL working example of an attack to the public, so we fix it six months after revealing it to us"...
to "Here is how you fail... here is how to make you fail... FAIL!!!"
'responsible disclosure' is just wearing the nice guy badge...
You're the only one wearing the nice guy badge.
I'd rather see "Oh CRAP! This thing in Word is broken!" "Oh CRAP! This thing in Excel is broken!" "Oh CRAP! I went to look at a Britney Spears vid and now can't move my mouse! Why is my DSL light blinking a lot?"
And then see it fixed in a day or two (at most), rather than a month or two (if we're lucky).
Re:Responsible Disclosure (Score:4, Insightful)
God forbid vendors actually start testing their software *before* it's in the field.
socialized risk (Score:5, Insightful)
This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk. When you screw up in the auto industry, the company faces the massive expense of a product recall. That helps to keep you honest with your engineering quality.
I personally think 30 days is a reasonable notification period. Not pleasant for the vendor to have to respond that briskly, but this isn't about being pleasant. If the vendor wants pleasant, they should invest more competence in the original product. This isn't easy, and might move a few pointy-haired managers out of the executive suite.
Probably a more viable compromise is eight weeks. This adds a thin margin for the possibility that key zero-day SWAT staff are booked off, that multiple issues are raised concurrently, or that a product has a stupendously long build cycle.
I would be thrilled to see an industry standard put in place where everyone knows the ethical notice period is eight weeks, period, perhaps with the odd extension on a track record of good behaviour.
I would also like to see proprietary TCO calculations updated with a term to account for the customer disruption of having to rapidly deploy a not-tested-for-months-at-a-time critical vulnerability patch.
Speaking of which, that whole TCO thing really bends my biscuits. It's just loaded with sly neglect of not entirely apparent costs, of which the year-long critical vulnerability update is one of the more egregious.
During that time, your pants are down if anyone less ethical discovers the same flaw. It never happens that two scientists make the same discovery in the same year and end up in priority dispute, according to the industry of socialized risk.
Re:Irresponsible (Score:5, Insightful)
What he seems to be saying is that he's already told the companies and they've done nothing. A better term for it might be "effective disclosure", in order to differentiate itself from the proven-ineffective "responsible disclosure" advocated by the industry.
Re:Responsible Disclosure (Score:5, Insightful)
I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.
It's most likely a case of resource management and insufficient resources available. Businesses exist to make money. Features make money, bugs cost money. So, given NNN amount of money, do you:
A) Fix the bugs that people are experiencing problems with RIGHT NOW with exploits in the wild, or
B) Fix the bugs that are "theoretical" and MAY be exploited at some point in the future if somebody else finds it?
Now, the clueful would note that the set of B includes the set of A, but for those who are living close to the edge, A is where the attention goes, and that's why you see announcements like this one.
Re:Irresponsible (Score:3, Insightful)
What court? This firm is located in Russia.
Re:Responsible disclosure works (Score:3, Insightful)
Agreed - inform the vendor with all the details. Same day, publicly announce that the vulnerability has been discovered, but with no details. At a specified date (60-90 days later) make full details public.
Sounds so simple, doesn't it?
Re:Why not? (Score:5, Insightful)
He's a step ahead of you. He's tried doing it the right way and gotten no results. So he's going to skip the part where he wastes his time.
If companies want responsible disclosure, they should respond in some way to the disclosure. Maybe companies will actually fix bugs instead of sitting on them, and he can go back to doing it the right way. He also warned the companies he's going to do it, so they have a chance to fix things before then.
Here's a tip for you. In the real world, sometimes you have to force the other party's hand to get them to act responsibly. He's to that point, and fortunately has leverage. By making this choice public, he shames the irresponsible software companies which allow security problems to sit around unfixed.
Hopefully they'll scramble to release some fixes, which they haven't done yet, which is a net improvement over the current situation where millions of people have unpatched vulnerabilities.
In short, I don't see a problem here. I use software, it has security problems, I expect those to be fixed. Whatever it takes to get there, I'm all for it.
Re:Responsible Disclosure (Score:2, Insightful)
Let's not go there. The point is that calling it "responsible disclosure" makes arguing against it much harder than, for example, calling it "delayed disclosure" would.
Re:socialized risk (Score:3, Insightful)
This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk.
Sometimes I think I've been transported to Ferenginar. 95th Rule of Acquisition: "Exploitation starts at home".
Re:So, what are they selling? (Score:3, Insightful)
From the blurb in the summary, it sounds like "jackassery."
Re:Responsible Disclosure (Score:3, Insightful)
It's most likely a case of resource management and insufficient resources available. Businesses exist to make money.
And as long as we keep putting up with shoddy software, they'll continue to sell it to us. Bugs cost money, as you said, so I would think they might put a few more resources to getting rid of the bugs before they shovel it out the door.
Re:Why not? (Score:3, Insightful)
We had that discussion five years or so ago, didn't we?
To rehash the two most important arguments of each side:
Pro Full Disclosure: "99% chance that the evil hackers already know about the exploits when a whitehat finds it, plus vendors don't get their lazy bums up unless there's danger in the air and the customers demand it."
Pro "Responsible Disclosure": "Mimimi, that's sooo evil. Plus vendors will certainly fix things ASAP and work with researchers and everything will be better and I'm not being paid to say this."
The only argument that the Full Disclosure side could not kill was that giving vendors a head start would greatly improve things, because it had never been tried in that form. Well, it has now. Show me the statistics that show the improvements. By everything I hear, there's been no change whatsoever, except one: 0-days have become more valuable because the black hats have more lead time before a public disclosure.
Agreed. (Score:3, Insightful)
Clearly the balance of incentives has been wildly off for some time now. Researchers finding possibly big-cost vulnerabilities and reporting them to vendors/middlemen have found that the responses to their discoveries have been slow. Additionally, the payouts for these researchers have been relatively low.
They've been slow because companies have very little incentive to actually fix these bugs, provided that the rate of exploitation of these bugs is sufficiently low.
The incentives for a company using commercial software are stacked heavily against disclosure (do they discover the intrusion? angry customers upon disclosure? etc.), and software vendors are rarely motivated by costs that are, probabilistically, very low. Only once companies are hit by the overwhelming stigma of widespread exploits, and the long tail of consumer distrust, do they take greater care in the future.
Companies these days get the sense that they can dodge 180 days of exposure for the price of a used Honda Accord, but the reality is that knowledge of the bug may not be a significant contributor to the risk of exploitation. If one honest researcher has found a vulnerability, can we be confident that no malicious researchers have? Hell, every little wanna-be hacker and future programmer among us used to have floppies and notebooks of vulnerabilities, some collected, some personally discovered. The vulnerability is the source of risk. Put the blame back on the companies that have failed to fix them. More accurately, shift the incentives. With huge shake-ups like mass disclosures, the effect on all companies could be a shift toward more attention being paid to security. To me, it seems like a net win.
Re:Responsible Disclosure (Score:3, Insightful)
Which is followed by a letter from the firm's legal department ordering you to keep quiet or be sued for far more than you can afford to pay a lawyer to defend you.
Then Mr. Legerov responds with something that says, basically, "sod off" in Russian and gets on with his life.