The Spamhaus case, a spam-savvy Illinois lawyer perspective

i’ve been following the spamhaus case with some interest. you see, i am a lawyer, and even an active member of the illinois bar. i happen to teach as an adjunct professor at the same law school where the judge in the case also teaches as an adjunct, and the class i’m teaching next week is all about what behavior by a defendant in the online world is sufficient to establish a jurisdictional hook. Sun Shine invited me to contribute and, before too much misinformation starts circulating, i feel compelled to chime in with my 2 cents.

as lawyers always do, let me caveat this with the usual disclaimers:
i know only the bare minimum of details about the case, this message should not be construed in any way as legal advice, and no one should mistake me for a qualified trial lawyer. as someone, probably a law professor, once said: those who can do, do; those who can’t, teach.

with that said, below is my take on some of the recent questions that have arisen over the spamhaus case:

ATM hack

dd had a nice post today by halvar on an atm fraud:
http://home.hamptonroads.com/stories/story.cfm?story=110889&ran=223062

according to a nathan landon, who provided more details:

they showed it on the news here in virginia. they have security camera footage of the guy who they believe is the perpetrator trying to pull out $250 and getting $1000. he did this twice, apparently. he doesn’t look like the “engineer” type. they reported that he was able to turn on the glitch through a series of entered numbers. doubtful he knew what he was doing; otherwise he could have turned it off between attempts.

The World of Botnets – a Virus Bulletin Article

in the latest edition of virus bulletin magazine (september 2006), a feature article on botnets, “the world of botnets”, by dr. alan solomon and myself was published.

all copyright to this article belongs to virus bulletin. virus bulletin is an ad-free professional magazine, read mostly in the anti-virus world.

we are allowed to share the article with you on our blogs or company websites, provided that the above reference to the vb journal is added along with a copyright notice.

you can find the article here.

we would love to hear comments and input! :)

gadi evron,
ge@beyondsecurity.com.

Surveillance works, so?

the argument over the necessity of surveillance and the value of privacy has become old, as obviously it does not change what’s going on as far as legislation goes. it may, but not in the near future.

dennis henderson, a great guy, recently wrote to the funsec list:

some say surveillance works.

http://www.washtimes.com/op-ed/20060810-084233-1883r.htm
http://www.opinionjournal.com/editorial/feature.html?id=110008785
http://powerlineblog.com/archives/014970.php
http://newsbusters.org/node/6921

we’ll see…

remember the good guys have to be right 100% of the time.. the bad guys only have to be right once.

my answer is…

of course surveillance works; the question is often whether it is necessary. it often is, to some degree, which is why the question becomes: how do we know it is not abused?

with security in mind, the difference between a democracy and a dictatorship is that in a democracy you blacklist: you say what is not allowed and allow everything else. in a dictatorship you whitelist: you say what is allowed and disallow everything else. security-wise, a dictatorship is better. do you want to live in a dictatorship?

so i made the above up, but it makes sense to explain it to security folks.

this discussion is ongoing on the funsec list.

or as this unrelated yet cool irish metal song says:

some say the devil is dead, the devil is dead, the devil is dead,
some say the devil is dead and buried in killarney.
more say he rose again, more say he rose again, more say he rose again,
and joined the british army.
feed the pigs and milk the cow, milk the cow, milk the cow,
feed the pigs and milk the cow, so early in the morning.
tuck your leg up, paddy, dear. paddy, dear, i’m over here! tuck your leg up, paddy dear,
it’s time to stop your yawning
some say the devil is dead, the devil is dead, the devil is dead,
some say the devil is dead and buried in killarney.
more say he rose again, more say he rose again, more say he rose again,
and joined the british army.
katie, she is tall and thin, tall and thin, tall and thin.
katie, she is tall and thin. she likes a drop of brandy.
drinks it in the bed at night, drinks it in the bed at night, drinks it in the bed at night.
it makes her nice and randy.
some say the devil is dead, the devil is dead, the devil is dead,
some say the devil is dead and buried in killarney.
more say he rose again, more say he rose again, more say he rose again,
and joined the british army.
my man is six foot tall, six foot tall, six foot tall,
my man is six foot tall, he likes his sugar candy.
goes to bed at six o’clock, goes to bed at six o’clock, goes to bed at six o’clock.
he’s lazy, fat and dandy.
some say the devil is dead, the devil is dead, the devil is dead,
some say the devil is dead and buried in killarney.
more say he rose again, more say he rose again, more say he rose again,
and joined the british army.
my wife, she has a hairy thing, a hairy thing, a hairy thing.
my wife, she has a hairy thing, she showed it to me sunday.
she bought it in the furrier shop, bought it in the furrier shop, bought it in the furrier shop.
it’s going back on monday.
some say the devil is dead, the devil is dead, the devil is dead,
some say the devil is dead and buried in killarney.
more say he rose again, more say he rose again, more say he rose again,
and joined the british army.

gadi evron,
ge@beyondsecurity.com.

Leo Stoller Targets CastleCops (!)

leo stoller is targeting castlecops, apparently trying to bully them into paying him settlement money for their trademark.

castlecops are doing important work in the realm of anti phishing, for no charge.

it pisses me off considerably when injustice online is done, especially when it is done to those who can’t afford expensive lawyers!

leo stoller is known for such attacks, and apparently makes a living from it. you can read about him here, here and here.

you can read more from castlecops who are going live in a couple of minutes here:
http://www.castlecops.com/a6615-leo_stoller_targets_castlecops_trademark.html

castlecops is one of us, and it hurts us all when one of us is targeted.

gadi evron,
ge@beyondsecurity.com.

Intellectual Property II

Somebody asked me:

> Rob, Did they give you these policies in advance? Any kind of writer’s
> guidance in advance?

I did, in fact, have the policy in advance, which is another and very
interesting story. This mag is part of a group, and I had previously written an
article for another of their rags. Having written the first article (and, at
the last minute, had to yell and scream when they changed the implication of the
article to the complete opposite of that intended), suddenly I couldn’t get paid
because they didn’t have a “freelance writer’s agreement” with me. So, having
wasted serious time in putting together that first article, I was eager to do
this expeditiously. Maybe they could send me either a softcopy of the
agreement, or a scan, by email? Oh, no! Heaven forfend! They couldn’t make a
softcopy or scan of the agreement: the agreement itself was intellectual
property, and they wouldn’t want any possibility of unauthorized copies floating
around. (This is a mag group on high tech topics and they haven’t heard of
photocopiers?)

Anyway, the agreement is one of the more bizarre and convoluted documents I’ve
ever seen, and contradicts itself on this very point. Page two says (buried in
one paragraph) that the item supplied “has not been previously published”, while
page one says that, if it is, the supplier (that’s me) supplies the item under
the terms in the contract.

However, while I used my own previous writings, the item supplied definitely
hadn’t been published before. I’ve written extensively on the history of
computer viruses, but I’ve never before had to pare the text so sparingly,
wondering, often, if I was misrepresenting the actual situation by having to be
so terse. (But that’s always the case with magazines anyway.)

> If not, do you have a lawyer that you can talk to?

A lawyer? You’ve got to be kidding. That’s one of the major points with this
whole copyright issue, and it is a major factor with the file-sharing/RIAA/MPAA
business as well. Copyright law, and lawsuits, are the province of entities who
can afford lawyers, and writers can’t. Corporations can. So, supposing that
this publishing group decided to take what I submitted to them, not pay me, and
publish the feature anyway, even under somebody else’s name. How much is it
going to cost me to sue them? How much chance do I have of getting them to even
answer the suit? If it did go to court, they’d be able to fill the court with
lawyers: if I *was* able to get anybody to take my case for the pittance I’d be
able to pay, do you truly think that I’d have any chance of winning, even with a
case as clear cut as all that?

I’ve got a lot of experience here, believe me. I’ve had all kinds of people
steal my stuff over the years. Once, somebody took 150 of my reviews, all of
which you have seen marked with the “copyright Robert M. Slade [year]” line, and
published them in his book. I raised that issue with the publisher. I have a
nice letter from a Vice President of John Wiley and Sons, stating that I have no
rights in the matter because, in their considered opinion, anything that appears
on the Internet is completely free of copyright protection. (Someday, when I
get mad enough, I’m going to scan some of Wiley’s books and put them on the net,
along with a copy of that letter.) Most recently, I found that a company had
posted my entire dictionary of security terms on their site. (In that case,
they did apologize and take it down. They had contracted out that part of the
Website, and had no idea that the contractor had delivered stolen goods. I have
no idea what happened to the contractor.) In any case, I can complain, and
sometimes I get an apology, or a request for permission. Never have I gotten
any money. Copyright law just doesn’t work for us producers.

(In related news, Canada recently narrowly missed having an amendment to the
copyright law here, Bill C60. There is an ongoing discussion about it in the
editorial and letters page of the Vancouver Sun. In today’s paper [and in yet
another irony, the Sun won’t let you see that at
http://www.canada.com/vancouversun/news/letters/story.html?id=36792a16-ae29-433d-a89d-988f4fb0d8e3
unless you are a subscriber] someone from UBC is sounding
the “file sharing is theft” mantra. I find this interesting because he talks
about getting royalties for materials he has written. I wrote some stuff for
UBC a while back. When someone signs up for the online course, UBC gets $2,000,
and I get $5.)

(Oh, dear. I used a couple of lines from her message in this one. Now
I’ll have to get her to sign a formal release before I send this. Ooops, too
late. Hit the “publish” button already …)

Copyright Gone Mad

copyright Robert M. Slade, 2006
(with that little (c) symbol thrown in for good measure)

I got asked to do a 20 year retrospective on computer viruses for a
tech magazine. (The Brain virus is thought to have been released in
1986: there is a string of “(c)1986Brain” in the body of the virus
that is presumably a copyright notice, which is highly ironic for a
number of reasons.) There were a few oddities about the request, such
as a demand for graphics. I normally don’t do graphics, but I had
such a fun time doing the article that I gave in, and finally put
together quite a piece, I thought. It was a gas going back over all
the stuff I’ve seen over the years.

You may never see it.

See, I got this phone call from the magazine today. It seems that
some of the wording in my article bears a striking resemblance to a
site on the Internet: “Robert Slade’s Computer Virus History” at

http://www.cknow.com/vtutor/RobertSladesComputerVirus.html.

This is surprising?

I’ve been writing articles, series, and books about viruses since the
darn things started. As a matter of fact, it’s a bit surprising that
they didn’t find more sites with my stuff on it, especially since
there have been dozens of examples that I’ve seen myself, over the
years, where people have used my material and passed it off as their
own.

But it seems that this outfit has a policy where they won’t publish
anything that has already appeared on the net.

I suppose that’s fair enough. Everybody is getting really antsy about
copyright violations these days, and, as somebody who does an awful
lot of writing, I suppose I should approve.

Except I don’t. The crackdown (and crankdown) on copyright and
copying is making it hard for a lot of us who are relying on our own
research and writing. After all, who else am I going to use for
material on virus history? Oh, lots of people were there, but who
else wrote it down? I do go back (and did go back, for this article)
and check on specifics, and even made corrections on items we’ve found
out more about. But, by and large, if I want to generate a decent
timeline of what happened, I have to rely very heavily on my own
stuff.

Except, now I can’t.

Well, like I said, you may not get to see the history article. Or, if
they are willing to bend their policy a bit, you might. But I’m
willing to bet that their policy is more important to them. After
all, they can always get another writer to do it for them.

Of course, in all probability he won’t know anything about the history
of viruses.

Or, he can read my stuff. And reuse it.

copyright Robert M. Slade, 2006
(with that little (c) symbol thrown in for good measure)

UK Home Office Trying To Ban Development Of Hacker/Security Tools.

I’m all for stronger Cyber Laws in the UK, as I am the first to admit that they really are quite lax at the moment, but the proposed new additions to the Police and Justice bill really are taking things too far now.

I’m happy that they plan on extending the maximum prison sentence for hacking into computer systems from 5 to 10 years. The part of the new bill that I have a huge problem with is Clause 35, which contains provisions to stop the development, ownership and distribution of aptly named “hacker tools”.

My big question on this one is: where the hell does that leave all of us in the security industry if this bill gets passed? If we’re not allowed to legally use the same tools as our enemies, we are not going to be able to defend our networks adequately at all. If this gets passed, it will end up giving the UK government even more power, making corporations and security professionals powerless against hackers and forcing them to rely on the British government to protect all computer assets in the country. So if company A gets hacked, what should we do, stand by idly and wait for the police to do something about it? This would cost the country and the economy millions of pounds! I also know for a fact that the National High Tech Crime Unit does not currently have the manpower to take on a task of this magnitude. I really hope that all parties involved in passing this bill take everything into consideration before coming to a decision, as this could have far-reaching consequences for the UK as a whole.

The entire proposed Police and Justice Bill can be found online at http://www.publications.parliament.uk/pa/cm200506/cmbills/119/06119.i-iv.html

Another phisher bites the dust

phishing is a major roi (argh! management talk) source for the bad guys and specifically the russian mob (which runs a large portion of today’s phishing operations globally).

one way to change this roi calculation is by changing the economics of the business, making phishing less profitable or more dangerous for the bad guys.

here is the most recent arrest, in bulgaria, as told by a microsoft press release.

gadi evron,
ge@beyondsecurity.com.

Guilty until proven innocent? [are we France now? ;)]

[the france reference in the title is about the french napoleonic code legal system rather than anything about france or the french. take no offense! :) ]

a cool kid tried to access the internet at school.. high school.
apparently the school now uses an internet content filtering mechanism… that makes sense.

what doesn’t make sense is the story. if we are to believe the kid’s side (which i personally do), this serves to bring up the question of what the right use of censorship is and how easy it is to pass that fine line, even if by mistake, stupidity or ignorance. in this case i believe there was also malice, but go figure.

from necessary evil, through censorship, to framing?

more to the point though is the kid’s expectation of privacy. where can we expect privacy and where is it a dream?

our homes? an internet cafe? maybe.
schools and libraries? a friend’s computer? i am not so sure. it’s not ours and it is public, so why risk it?

more importantly though, the kid asks for help to.. now get this: protect himself from such future false allegations by logging his own activity (rather than to bypass the scrutiny).

what do you guys say?

gadi evron,
ge@beyondsecurity.com.

Defining “Authorized”

I read an interesting post on Ido Kanner’s blog about the Egilman civil case. Egilman sued an individual after that individual accessed his web site using credentials of another user.

Rather than bringing his case under Title 18, Section 1030 (which governs “unauthorized access to a protected computer system”), Egilman chose to file his case under the Digital Millennium Copyright Act (DMCA) as an anti-circumvention violation. Egilman’s claim was that using a password without permission from the site owner amounted to “circumvention of a technological measure that effectively controls access to a work protected under this title [DMCA].”

The judge reviewing the case, of course, threw it out, finding no indication that an intent to circumvent existed. Rather than circumventing the protection, the defendant was simply complying with it. Egilman’s decision to pursue the case in this manner is indeed puzzling until one looks at the statute involved.

Title 18, Section 1030, offers three potential points of prosecution that would’ve been relevant to Egilman. Any person who commits any of the following actions is guilty of a felony under Section 1030:

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

[...]

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

[...]

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

[...]

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce;

[...]

Given the federal court’s jurisdiction over this issue, Egilman could reasonably have convinced a judge that the defendant obtained information from a protected computer without authorization in violation of paragraph 2, or that the defendant obtained something of value without authorization in violation of paragraph 4. A less-straightforward, but still plausible case could’ve been made for illegal trafficking of a password in violation of paragraph 6.

Instead, Egilman chose to label the misuse of the password to be circumvention of a protective measure intended to protect copyrighted works shielded from public access by the site’s simple password authentication system. Though the merits of password authentication are another debate for another day, the question I was asking at this point is why in the world Egilman chose to pursue the crime as a DMCA violation?

In this case, it appears Egilman chose this avenue of prosecution because the malicious user was actually authorized for the purposes of Section 1030.

For many sites, a mere username and password pairing authorizes you to access protected portions of a site’s content. Some blog hosts, for instance, require nothing more than a valid e-mail address to set up an account, after which a simple username and password suffices for access to that account. Many content providers include no mention (not even in their lengthy Terms of Use agreements, that nobody reads but me) that using an account you did not create is an unauthorized use of the services that site provides.

In such cases, unauthorized means of obtaining a password (exploitation of software flaws, brute-force cracking attempts, etc.) are obviously illegal under Section 1030. The more murky legal territory surrounds cases where an attacker possesses a valid (authorized) set of credentials via some other means, in spite of not being the authorized user. This could even include cases where the attacker was informed of the credentials by a user who had obtained them illegally. This is true because Section 1030 requires an attacker to “intentionally access a computer without authorization or exceed authorized access” or to “knowingly access a protected computer without authorization” before a crime has been committed. Computer crime laws in most other nations have similar standards of criminal conduct (i.e., the prosecuting plaintiff must prove intent).

In the case of someone who had illegally acquired a password revealing it to an attacker-to-be, the leaker would face conviction under paragraph six (language that is, again, modeled in most of the developed world), but the attacker who used the stolen password could conceivably argue ignorance by claiming that he/she had no idea the access was unauthorized.

Further, a defendant charged under paragraph six could make a compelling argument that because accessing an account created by another user is not unauthorized according to the TOU (provided the credentials are otherwise lawfully obtained — an exercise to the reader) a crime has not been committed.

As a security professional, I understand that access to be unauthorized, as do most in this field. However, the legal system doesn’t provide the grounds to prosecute an offender based solely on that assertion. That means a user who willingly reveals credentials may expose himself/herself to damage and you to lost hours, without leaving you any legal recourse. In a world where people still cough up the goods to random strangers in return for candy bars and coffee, that’s an unacceptably high risk.

But don’t panic… the legal system doesn’t force you to accept the costs of moronic users. It only offers you the opportunity to do so if you don’t cover all your bases. The solution to this potential legal pitfall (and the way to avoid being caught in Egilman’s situation) is to ensure that all users who could potentially be asked to authenticate themselves are aware that using credentials to log in is a testimony by the user to be the owner of the account they correspond to as well as the credentials themselves. It won’t deter criminals, just make them easier to nab if they strike.

At the very least, Terms of Use agreements should be updated to include terms similar to the following:

You agree that you will not disclose your [insert site] account name or password to anyone under any circumstances. You agree to notify [insert site] as expeditiously as possible if you believe that your account details have been compromised. Willful disclosure of account information to a third party may result in the termination of your account at our discretion.

Use of [insert site] user identities not created by you for your personal use is not authorized by [insert site] and is a violation of these terms of use.

This absolves sites of the responsibility to deal with passwords that have been disclosed voluntarily (stolen passwords are another story) by defining that to be prohibited conduct in violation of the TOU. Further, a TOU agreement amended in this fashion also defines use of another user’s credentials to be a violation of the TOU, and specifically unauthorized.

Problem solved, right? Wrong.

Most providers only require a TOU to be read as a precondition of creating an account, with the assumption being that creating an account is a prerequisite to utilizing services. This perceived dependency, in reality, may not exist in a case such as this. Therefore, concern could arise as to whether the TOU is binding upon a person who logs in with another user’s credentials, as this person was never asked to read the TOU.

The solution to this problem? Require agreement to the TOU to log in. This can be in the form of a checkbox, text in the realm used for HTTP authentication, or say… a line or two of text between the input fields and the submit button on a login form:

Logging into this site indicates your agreement to use the services provided according to our terms of use. For more information, please read the agreement [link].
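A minimal server-side login flow that enforces the two placements suggested above, the agreement checkbox on the login form and the notice in the HTTP Basic realm, and keeps a record of every acknowledgement. This is an added example, not code from the original post; the TOU version string, the in-memory user store, the form field names (`tou_agreed`, `remote_addr`) and the consent-log layout are all constructed for illustration.

```python
"""Login that refuses to proceed unless the person logging in has accepted the
Terms of Use, and records that acceptance. Added example; names and values are
constructed, not taken from any real site."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

TOU_VERSION = "2006-01"  # constructed: identifies which text the user agreed to
TOU_NOTICE = ("Logging into this site indicates your agreement to use the services "
              "provided according to our terms of use.")
PBKDF2_ROUNDS = 100_000


def basic_auth_challenge() -> str:
    """WWW-Authenticate value for the HTTP-auth placement: the notice is carried in
    the realm, which the browser shows in its credential prompt. A realm is a
    quoted-string, so double quotes inside it are replaced."""
    realm = TOU_NOTICE.replace('"', "'")
    return f'Basic realm="{realm}", charset="UTF-8"'


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked store does not give away passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    accepted_tou: Optional[str] = None  # TOU version acknowledged at the last login


@dataclass
class LoginResult:
    ok: bool
    reason: str


class LoginService:
    """In-memory stand-in for the site's account database (constructed)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.consent_log: List[dict] = []  # append-only evidence of acknowledgements

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, derive_key(password, salt))

    def login(self, form: Dict[str, str]) -> LoginResult:
        """form is the parsed POST body of the login page: username, password and
        the tou_agreed checkbox, which is present as "yes" only when ticked."""
        # The agreement check comes first: nobody reaches the credential check, let
        # alone a session, without having been asked to accept the terms.
        if form.get("tou_agreed") != "yes":
            return LoginResult(False, "terms not acknowledged")
        user = self.users.get(form.get("username", ""))
        if user is None:
            derive_key(form.get("password", ""), b"\x00" * 16)  # equalise timing for unknown names
            return LoginResult(False, "bad credentials")
        candidate = derive_key(form.get("password", ""), user.salt)
        if not hmac.compare_digest(candidate, user.digest):
            return LoginResult(False, "bad credentials")
        # Record who asserted ownership of the account, from where, when, and which
        # version of the terms they accepted: the evidence the post wants on file.
        user.accepted_tou = TOU_VERSION
        self.consent_log.append({"user": user.name, "tou": TOU_VERSION,
                                 "time": time.time(),
                                 "ip": form.get("remote_addr", "unknown")})
        return LoginResult(True, "ok")


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")  # constructed account
    print(basic_auth_challenge())
    print(svc.login({"username": "alice", "password": "correct horse battery staple"}))
    print(svc.login({"username": "alice", "password": "correct horse battery staple",
                     "tou_agreed": "yes", "remote_addr": "192.0.2.10"}))
    print(svc.consent_log)
```

The consent log is what turns the login notice into something usable later: it ties a specific TOU version to a specific account, address and time, which is the record you would want if a dispute over "authorized" use ever arose.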

Finally… problem solved. For today. Legal issues are boring, and I’m no superstar lawyer, but not addressing this one could lead to pain down the road… even for non-legal folk.

Scattered Passwords

A federal court recently ruled that using user names and passwords that do not belong to you is not an illegal act according to the Digital Millennium Copyright Act (“DMCA”).

InternetCases.com reports:

Plaintiff Egilman maintained a website that was only available to visitors who entered a correct username and password. He had employed such measures so that only certain people (e.g., his students) would have access. Egilman alleged that, without authorization, the defendants obtained the correct username and password combination, and subsequently gained “improper and illegal” access to the site.

The federal court has made the following statement:

the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity

and:

It was irrelevant who provided the username/password combination to the defendant.

So the bottom line is: If someone is using the correct user name and password on a technical device, they are not breaking the law, even if they got the password illegally.

Resources:
Federal Court decision (pdf)
InternetCases.com

Payback for Ciscogate – new trend?

on the surface it seems that in recent weeks people have started going full-disclosure on cisco, surprising them with vulnerability reports on bugtraq and friends. i may be wrong and they may have known of these ahead of time… if so, forgive me. it seems like “payback time” or “loss of faith” after “ciscogate”.

this possible trend is more than just disturbing, it’s dangerous to us all when it comes to a company like cisco… whether they “deserve” it or not is irrelevant. they represent most of the internet’s infrastructure and that by itself is a problem.

today when microsoft truly /wants/ to work with researchers (even if sometimes they don’t act it), the main problem they face is that researchers simply don’t believe in them. they are used to hearing things like:
“this is not a vulnerability”
“yes, we are already aware of that” (=and that is why you won’t get credit)
and many other responses, although sometimes people don’t even get a response.

myself, i never had such problems with microsoft and found them very responsive and serious in their replies.. at least in recent years.. but that’s just my personal experience and that doesn’t count. :)

with cisco, it can get worse. researchers may fear that if they do get a response (or work with psirt) it will be in the form of a legal document or a search warrant. still, cisco is responsive, and i don’t much like full disclosure against companies that actually handle reports and give due credit to researchers.

i suppose only time will tell where this will end, but it seems that, much as predicted by mike lynn, raven alder and myself, exploits against cisco are going to become a very serious concern for the infrastructure in the near future.

i believe people should give cisco psirt a *chance* before going public with vulnerabilities… but if they don’t i suppose cisco and everyone else learned a valuable lesson.

what that lesson may be is a whole different blog entry. not many had a grudge against cisco before ciscogate… and lost faith is very difficult to recover.

gadi evron,
ge@beyondsecurity.com.

(More) Security Issues With Sony BMG CDs

A matter of weeks after a recall program for Sony BMG’s “rootkit” XCP technology was put into place, security holes have been found in another protection scheme used by the company.

Reportedly, SunnComm’s MediaMax (the system the more invasive XCP was due to replace) installs binaries on the system with insecure file permissions that let local users gain privilege on systems with MediaMax installed.
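The class of bug described above, an installed binary that unprivileged local users can overwrite so that whatever later runs it with higher privilege executes their code, is something a defender can audit an install tree for. The following is an added example, not anything from the EFF report or from MediaMax; it uses POSIX mode bits to illustrate the principle (on Windows the equivalent check reads each file's ACL), and the demo install directory it builds is constructed.

```python
"""Audit a directory tree for files and directories that non-owners can modify.
Added example, not from the EFF report; POSIX mode bits stand in for the
Windows ACL checks that the MediaMax case would actually need."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def weak_permissions(mode: int) -> List[str]:
    """Findings for one entry given its st_mode. Pure function: no I/O, so it can
    be checked against literal modes."""
    findings: List[str] = []
    world_writable = bool(mode & stat.S_IWOTH)
    if stat.S_ISDIR(mode):
        # Without the sticky bit, any user can rename or delete entries in a
        # world-writable directory, so a read-only binary inside it can still be
        # swapped for another file of the same name.
        if world_writable and not mode & stat.S_ISVTX:
            findings.append("world-writable directory without sticky bit")
    elif stat.S_ISREG(mode):
        if world_writable and mode & EXEC_BITS:
            findings.append("world-writable executable")
        elif world_writable:
            findings.append("world-writable file")
        # setuid/setgid plus non-owner write is the worst case: whoever edits the
        # file gets to run as its owner.
        if mode & (stat.S_ISUID | stat.S_ISGID) and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("setuid/setgid binary writable by non-owner")
    return findings


def audit_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, finding) pairs. lstat is used so that symlinks
    pointing outside the tree are judged by the link, not by their target."""
    results: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            for finding in weak_permissions(mode):
                results.append((path, finding))
    return results


def summarize(root: str) -> Dict[str, str]:
    """Basename -> finding, convenient for reports and for the checks below."""
    return {os.path.basename(path): finding for path, finding in audit_tree(root)}


def build_demo_tree() -> str:
    """Constructed install directory: one correctly protected binary, one binary any
    user can overwrite, and a world-writable directory of helper files."""
    root = tempfile.mkdtemp(prefix="perm-audit-demo-")
    for name, mode in (("player.bin", 0o755), ("updater.bin", 0o777)):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\necho demo\n")
        os.chmod(path, mode)
    helpers = os.path.join(root, "helpers")
    os.mkdir(helpers)
    os.chmod(helpers, 0o777)
    return root


if __name__ == "__main__":
    for path, finding in audit_tree(build_demo_tree()):
        print(f"{finding}: {path}")
```

The point of flagging the directory as well as the binary is that the privilege escalation does not require the binary itself to be writable: a writable parent directory is enough to replace it, which is why an installer's directory permissions matter as much as its file permissions.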

The vulnerability was outlined in a report published by the Electronic Frontier Foundation (EFF) as part of its class-action lawsuit against Sony BMG, which seeks damages for consumer complaints regarding MediaMax, as well as the more controversial XCP.

Sony BMG were already in one wicked mess over XCP, with the State of Texas seeking damages against the company of $100,000 for each XCP-infected system. Now, reports of vulnerabilities in MediaMax may be used as ammunition to further consumer complaints against that controversial system as well.

On “Responsible Disclosure”: Stripping the Veil From Corporate Censorship

If you keep up with Microsoft’s Security Advisory releases (most recently Advisory #911302), you’ll note the following disturbingly typical portion:

Microsoft is concerned that this new report of a vulnerability in [insert product] was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

Microsoft has included such wording in each and every one of its security advisories that is relevant to a public disclosure and will continue to do this for the foreseeable future. It is rapidly becoming evident that what Microsoft defines as “responsible” is “conforming to the company’s wishes”. The language, aside from being overtly hostile toward a number of talented and professional researchers, is a slap in the face dealt to real efforts for “responsible disclosure”. Microsoft’s public claims to a monopoly on the moral standard of “responsibility” not only cost the company a substantial amount of credibility within the community, but also harm the efforts of researchers who seek real reform in the vulnerability disclosure process.

In the case of 911302, the ‘report of a vulnerability’ Microsoft cites is information published by a British firm regarding the Window.OnLoad Race Condition in its Internet Explorer browser. The catch that Microsoft fails to mention? The vulnerability had already been reported publicly after Microsoft discounted it as a non-exploitable flaw. The lag time between the two reports also hurts Microsoft’s case: the issue has been known since May, and the code execution possibility was reported in November.

So, in the case of 911302, Microsoft is complaining because it failed to consider the possibility that a class of race conditions (those that reliably produce calls to free portions of the virtual address space) that has historically proven exploitable would prove equally dangerous in this instance. Microsoft failed to do its homework, and then chastised the British firm (ComputerTerrorism.com) for exposing the company’s gross negligence in its handling of this vulnerability.

While I think CT should have notified Microsoft, its reasons for not doing so are compelling. A large portion of the exploit vector was already publicly known — so much so that CT’s work had probably been accomplished by other malicious actors or was trivially achievable. The malicious members of the community had the same six months that Microsoft had to identify the exploitability of this flaw. As CT’s research illustrates, Microsoft’s disinterest in the flaw was not shared by the community. Therefore, Microsoft’s claims that CT was “irresponsible” (very explicit in its advisory) are brazen at best, flat out wrong at worst.

But Microsoft isn’t the only major corporate organization trying to muzzle researchers by way of public character assassination. Remember Michael Lynn, the researcher sued by Cisco for violating supposed industry standards of “responsible disclosure”? Lynn’s only crime was publishing an exploit for a long-fixed vulnerability in Cisco’s IOS after Cisco failed to acknowledge the hole in release materials for the relevant IOS update.

Remember SnoSoft? The group was threatened with legal action by Hewlett-Packard after exploit code for HP’s software leaked from its laboratories.

When these practices are criminalized, the meaning of “responsible disclosure” has clearly been co-opted by corporate interests to mean “what is deemed acceptable by the affected vendor.”

To further illustrate this, I offer you a hypothetical scenario:

A vendor was informed of a vulnerability in its software in early August. The vulnerability was of exceptional severity, and yet the vendor failed to acknowledge this fact. Though a fix was planned, the vendor made no effort to coordinate the release of fixes for different affected products and would offer no immediate timeline for release. In February, 180 days later, the vulnerability is disclosed to the public, with fully-applicable workarounds, in the absence of a vendor-supported fix.

If that vendor were Microsoft, how many people can seriously doubt that we’d be seeing the same exact wording replicated in the advisory on that vulnerability?

The irony of this, of course, is that Microsoft, HP, Cisco, et al, are shooting themselves in the foot. All of those named would do well to give up the deluded vision that the world will soon return to a culture of non-disclosure, granting vendors indefinite timeframes and the absolute freedom to (mis)handle vulnerability information as they choose. History and today’s experience both tell us that trust in vendors on security issues is naive and misplaced.

Unfortunately, the insistence of vendors on using the term “responsible disclosure” as a tool of their hopeless agendas undermines what little hope any of them have to see real reform in the way vulnerability information is handled.

So, if the corporate agenda doesn’t qualify, what is responsible disclosure? What better source for a community standard than CERT? It’s one of the few bodies with some credibility in the research community that is also generally respected by vendors. CERT sets a 45-day baseline for disclosing vulnerability information. While this is, in practice, rather toothless, I wish CERT would stick to it, and I wish more members of the community would adopt this relatively moderate standard more rigidly than CERT itself has done.

Using a community clearinghouse as the source of a semi-standard approach to “responsible disclosure” would force vendors to explain why they consider the disclosure policy of an industry leader “irresponsible”, undermine their legal claims and subject them to large amounts of bad press. Vendors who fail to acknowledge this policy as de facto standard could be handled mercilessly by both the community and the legal system, with clear basis in community standard.

In addition to debunking false vendor claims of “irresponsible disclosure”, this standard could also be used to establish community precedent that vendors have an obligation to promptly fix vulnerabilities. Any that choose instead to publicly demonize researchers should face a taste of their own medicine — in the form of lawsuits — for this slanderous conduct.

It is time that the vulnerability disclosure debate moved from special interests into the open community, because it is only then that we can hope for a standard of truly responsible disclosure that offers customers real protection and forces some degree of accountability upon commercial vendors for the effects of their ineffective security processes.


Japan to Stage Mock Cyberattacks

I can already picture it: in a few years people will conduct cyberattack drills, like they do – or should do – today for fire drills, where they will test the durability and readiness of their employees and company for a cyberattack.

Until that happens, the Japanese government has decided that it will ask (or force) a few public and private companies to take part in an exercise to see how well prepared they are for an Internet-based attack.

These exercises are planned as follows:

“… experts will check computer security by gauging the time and work necessary for the participants to normalize their networks”.

Haa? What will they be checking? I would check whether they were able to penetrate them or not, not whether they were able to normalize their networks. Normalized means that they were penetrated but were able to regain control; they should be investigating how the attackers gained control in the first place!

Anyway, it would be interesting to see what the results of this exercise are, whether it will become more of a routine for the Japanese government and companies, and whether it will be adopted in other countries.
