Reporting Vulnerabilities Is For The Brave
An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
Depends on who you report to (Score:5, Insightful)
And that's why I use open source (Score:5, Insightful)
weird (Score:2, Insightful)
'if I'm gonna get jailed anyway... might as well make some money off of it'
Anonymous reporting (Score:3, Insightful)
You could have some sort of secret key to verify that you were the original submitter, if you later wanted recognition for the report. (I imagine a PGP signature of a secret text would be sufficient to allow validation, without any chance of determining who posted until they came forward.)
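The commit-then-reveal idea in the comment above, as an added example that is not part of the original thread. Instead of a PGP signature it uses a keyed hash (HMAC-SHA256) over the report as the commitment, which is an assumption of this example, not the commenter's scheme: the submitter publishes the report and the commitment anonymously, keeps the key, and later reveals the key to prove they were the original submitter. The report text and secret are constructed here.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

def make_commitment(report: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the report, keyed with the submitter's secret.
    Without the secret nobody can link the commitment to a person."""
    return hmac.new(secret, report, hashlib.sha256).hexdigest()

def submit_anonymously(report: bytes) -> Tuple[Dict[str, object], bytes]:
    """Return (what gets published anonymously, the secret the submitter keeps).
    The secret is a fresh 256-bit random value (hypothetical storage: the
    submitter keeps it offline until they want recognition)."""
    secret = secrets.token_bytes(32)
    published = {"report": report, "commitment": make_commitment(report, secret)}
    return published, secret

def verify_claim(published: Dict[str, object], revealed_secret: bytes) -> bool:
    """Anyone holding the published report + commitment can check a later
    claim of authorship: recompute the commitment with the revealed secret."""
    expected = make_commitment(published["report"], revealed_secret)
    # constant-time compare so the check itself leaks nothing about the digest
    return hmac.compare_digest(expected, published["commitment"])

if __name__ == "__main__":
    # constructed sample report; real reports would carry the vendor's details
    report = b"Example report: login form accepts an empty password on /admin (constructed)"
    published, secret = submit_anonymously(report)
    print("published:", published["commitment"])
    print("genuine claim verifies:", verify_claim(published, secret))
    print("bogus claim verifies:", verify_claim(published, b"\x00" * 32))
```

Note that the commitment also binds the report text: if the published report is altered after the fact, the revealed secret no longer verifies, so the claimant proves authorship of exactly what was posted.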
/. effect (Score:3, Insightful)
Anonymous Email (Score:3, Insightful)
What you did was open the door litigation against Bob's Software for negligence. Bob's Software doesn't want the flaw to become public. When you stand up and point the finger at Bob's Software, they will be looking for someone to pass on the litigation fees to, so you get sued. Not only that, someone needs to be made an example of so others don't try it in the future.
Anonymous email accounts are easy to come by. Send an anonymous announcement to the Full Disclosure mailing list and be done with it. Otherwise you're risking the legal bills of fighting whatever company decides to sue you.
Re:Depends on who you report to (Score:2, Insightful)
If reporting a security bug to one of your vendors (OS or other software) or suppliers (ISP / hosted software) is a problem, change your vendor.
If reporting a security bug to one of your employers is a problem, change your employer.
Posting anonymously (Score:4, Insightful)
Of course, this means that everyone else finds out about vulnerabilities first. This might not be exactly what they wanted when they made it illegal to report.
Re:And that's why I use open source (Score:4, Insightful)
Re:Anonymous reporting (Score:2, Insightful)
Re:I don't get it (Score:1, Insightful)
Re:I don't get it (Score:1, Insightful)
Compare it to reporting that the outside door to your apartment that is supposed to require a key, also opens with a little tug.
Unintended consequences (Score:3, Insightful)
The people running Web sites, or creating software for that matter, might want to consider some of the consequences of their current crack-down on vulnerability reports. Yes, vulnerability reports are bad PR. However, if this keeps up people who find vulnerabilities will have only two feasible alternatives:
Re:I don't get it (Score:2, Insightful)
I fail to see what any of your comments have to do with TFA. The author explicitly does not condone hacking. Your metaphor is wrongheaded, too. Public web sites are not the equivalent of a random private house on the street. If I walk into a store to buy something, go to the checkout, and discover that if I lean against the checkout counter cash streams out of the register, does the store want me to let someone know or not? Obviously they wouldn't want me to take the money, but if they're going to arrest me for telling them that their cash registers are broken, I'm just gonna go. You're not going up to Joe Blow's house and shaking his knobs and checking the windows, knowing full well that it's his private home and you're just gonna check things out. We're talking about an open house where the owner is saying "Come on in and look around! We hope you'll buy something." If I walk around and find an open safe, I haven't broken the law. The owner invited me in. If he's going to leave an open safe around, that's his stupidity.
It's like a crook reporting a drug stash... (Score:3, Insightful)
I'd venture to say that most hackers 'smart' enough to hack into a website are probably smart enough to send an anonymous email reporting the hack. If the administrator ignores the emails or warnings, then the burden falls upon them.
This is similar to a crook breaking into a house and then reporting the secret stash of drugs or child porn they found. Ok, it would be nice if they could report it anonymously, but it certainly doesn't justify the initial illegal behavior. And, like most crooks, they probably break into hundreds of places before they either get caught or find stuff worth reporting (like being able to access student grades or SSN).
That said, I agree it's in the website's best interest to allow folks to anonymously post vulnerabilities. Duh.
Re:True story (Score:1, Insightful)
Re:Depends on who you report to (Score:3, Insightful)
That's fine for application software, where the code is running on your machine. However, this article is talking about security testing on 3rd party web pages. In this case, I think the article's opinion is correct. Unless there's a signed statement explicitly allowing you to do penetration testing, you shouldn't go prying into other people's web sites even if you do think there is a vulnerability. And, should you (inadvertently) find a vulnerability, you ought to keep it to yourself and delete all evidence of the vulnerability from your computer.
To revert to the overused house analogy, you don't tell a stranger that their front door is unlocked. To do so is to invite speculation about how you arrived at that knowledge. And if there's a burglary at that residence, your admitted knowledge automatically makes you a suspect.
Comment removed (Score:3, Insightful)
Not so different (Score:3, Insightful)
You are probably doing them a big favour, but the fact remains that they will be suspicious about you, and may call the police. How do you know about those things? What are your intentions? It's quite a natural reaction. We only perceive the situation to be different because we happen to be experts not in alarms but in computers.
Re:Don't ever report a flaw! Ever! (Score:3, Insightful)
Re:While searching for a job, I found a bug... (Score:1, Insightful)
Re:True story (Score:3, Insightful)
It's easy to spoof email addresses with a very simple telnet client.
telnet mail.example.com 25
HELO local.domain.name
MAIL FROM: billg@microsoft.com
RCPT TO: pranked@yourdomain.com
DATA
Subject:
.
QUIT
Hell, you can usually just set an arbitrary 'from' address in your email client. I learned that trick on Netscape 3.0 in grade school.
Another good example (Score:3, Insightful)
Advice goes for Physical Security Too (Score:1, Insightful)
What to do when I see these things at other facilities? Keep my damn mouth shut, that's what I do.
The really sad part is I also have to follow asinine rules that provide ZERO additional security (and in some cases actually make things less secure) because the regulations say to do it. I ask for waivers. But then I'm just seen as making waves. It's sad.
Live in a free country (Score:3, Insightful)
One way to safely publicise the info is to live in a free country or get a friend in a free country to do it.
Re:Not so different (Score:1, Insightful)
For the most part, problems are a result of bad design or an irrational desire to protect property or force users to go through hoops. In the physical world this manifests itself as HEB or Ikea making you travel a maze to purchase a product. On a website it is excessive redirects so that 500 tracking cookies can be set and the user's actions logged by every major click handler in the world. Even competent designers force users from one page to another in the name of security, but are really just leaving themselves open for attack.
In reality none of this stuff is that hard. Just because one thinks about the penetration points does not mean that one is a villain. Thinking about the points of failure is a key part of good design, and by terrorizing those who do, society is ensuring that we have no good engineers.
Does anyone remember the Amazon hack where anyone could set their own price? The people who exploited it may have been criminals, but it was the fault of the designers, and the lack of imagination, that allowed such a silly mistake. Sometimes it is not even a matter of penetration testing, but just a need to get by bad code. For instance, I must use a certain site for work. This site has a bunch of mean looking validation, most of which only occasionally works in IE, and never works in anything else. The interesting thing is that the content itself is not secured at all, and is all stored in the same place. A simple perl script could easily be written to download all the protected IP before anyone knew what was going on. Really it is sad. All that work and frustration for nothing.
Re:Simpler than unsecured Wi-Fi (Score:1, Insightful)
You must have missed all that ruckus about those "yellow dots" printed by every HP color printer (and probably by other manufacturers as well), identifying the machine on anything that is printed by/with it.
No trail? Forget it. Maybe paper is nowadays more easily tracked than an e-mail sent through an anonymizer.
Focus on the real issue (Score:3, Insightful)
Many years ago some wise men in the air-traffic industry realized this. Often planes got into dangerous situations, but due to the risk of getting accused of being the wrongdoers and the risk of losing their jobs, no pilots would report these situations. The result was that the security of air-traffic was not improved. Sometimes these incidents caused people to get killed.
So they changed the rules. Today pilots can report all dangerous situations, without blame, even if they themselves caused the situation. Airports have such a briefing room where these reports are collected.
The reason for this is that human error in air traffic does happen. But by getting a clear picture of the situations you may be able to focus on helping them out. If pilots miss a sign on the runways, focus should not be on the pilot, but on the visibility of the sign. It doesn't really matter if you say: Pilots should look out for signs or they should get fired. Next time an unlucky pilot misses the sign... bang.
Something similar could be done with IT security. Reporting a bug if you encounter it should be with the focus on fixing the bug. Not to blame the one who found it.
Remember the focus in this case is the flaw or bug, not the one who finds it. Unfortunately the case appears to be focusing on the man rather than the real issue. We do this in our daily life. It's a part of human nature. But the bug never gets fixed... and then the really bad guy comes...
Re:Reporting vulnerabilities safely? (Score:2, Insightful)
Also, remember to burn the clothes you were wearing - but only in a forest at least 10 miles from any residence, so the smoke is not seen.
You should also wear gloves and sunglasses while typing the actual note and wear a false moustache for at least a week afterwards.
who cares about non open source projects (Score:1, Insightful)
It helps a lot more to write articles about hacked and defaced sites in my eyes. That's a plain business case for the company to invest less in marketing and more in auditing/software quality.
I also think that the current restriction of "freedom of speech" in that case is totally inappropriate. The following laws will probably prohibit talking about bad politics...
Re:Reporting vulnerabilities safely? (Score:3, Insightful)
Sure, the report is safe, but admins will try to use their logs to find the IP address of those who exploited the vulnerability before.
If you didn't take precautions when you tested the website (and normally you didn't, as you were not trying to crack the website, you were just checking that it is safe), and if the logs are detailed enough, they will find the IP address of the one who did it and will come knocking at your door.
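The log review the comment above describes, as an added example from the administrator's side; it is not code from the thread. Given a web server access log, the path of the reported vulnerable resource and the time the report arrived, it lists which source addresses had already requested that resource before the report, which is the scoping question an admin asks first. The log lines are constructed (Apache combined format, documentation addresses), and the path /admin/export.cgi is a placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Apache "combined"-style access log line: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# constructed sample log; addresses are from the RFC 5737 documentation ranges
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2006:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2006:13:56:01 +0000] "GET /admin/export.cgi?id=1 HTTP/1.1" 200 5120
198.51.100.23 - - [11/Oct/2006:09:12:44 +0000] "GET /admin/export.cgi?id=2 HTTP/1.1" 200 5120
this line is deliberately malformed and must be skipped, not crash the parser
192.0.2.9 - - [12/Oct/2006:20:01:02 +0000] "GET /admin/export.cgi?id=1 HTTP/1.1" 200 5120
"""

def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # compare on the path only, so query-string variants of the same resource match
    path = m.group("path").split("?", 1)[0]
    return {"ip": m.group("ip"), "ts": ts, "path": path, "status": int(m.group("status"))}

def earlier_requesters(log_text: str, vulnerable_path: str,
                       report_time: datetime) -> Dict[str, List[datetime]]:
    """Map each source IP to the timestamps at which it requested the vulnerable
    path *before* the report was received. Later hits are out of scope here."""
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == vulnerable_path and rec["ts"] < report_time:
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)

if __name__ == "__main__":
    # constructed: the anonymous report was received at midnight UTC on 12 Oct
    received = datetime(2006, 10, 12, 0, 0, tzinfo=timezone.utc)
    for ip, times in earlier_requesters(SAMPLE_LOG, "/admin/export.cgi", received).items():
        print(ip, [t.isoformat() for t in times])
```

The point for the reporter is the mirror image of the point for the admin: a single request to the affected path from a home address, days before an "anonymous" report, is enough for this kind of query to single them out.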