The Chilling Effect

Friday, August 20, 2010

Cross-Posted from Robert "RSnake" Hansen's Blog:

As I wind down to 33 posts left until my 1000th and last post, I thought I should spend a little time talking more introspectively about how our community has changed over the years.

When I got started in security I had around the 130th hacker website on earth. We were all linked together with the second webring ever made (for those of you who recall webrings), which is how I know. Incidentally webring was made by a guy in his basement as a college experiment.

Bronc Buster got in touch with the guy, which is why we were the second. It was called the Fringe of the Web. Back then sharing knowledge was hard to do. Search engines didn’t exist (DMOZ was really it).

No one really trusted one another. No one really knew much because there weren’t many help files or docs being published back then either. I think a lot of people felt like there was a strong possibility they’d land themselves in jail if they were too outspoken about security.

For you to get any better you had to do the research yourself because there weren’t many people around to help (at least in my case there weren’t). That was especially true for me because what I was interested in wasn’t being a good sys-admin or network guy and all the docs were about operating system security, firewalls and memory corruption.

People were pretty unhelpful with a lot of RTFM, even though the manuals hadn’t been written yet. Installing Debian on my Gateway2000 with my crapola Mitsumi CD ROM for which there were no drivers yet written was my burden alone to figure out.

Instead I was interested in this whole newfangled web thing - which almost no one knew anything about. Defacements were the norm - cybercrime was myth reserved for wild eyed paranoids and movies. Let’s call this the dark ages of computer security.

Later the industry dramatically expanded, and instead of there being just north of a hundred sites talking about security, suddenly you’re seeing security related articles and blogs on mainstream press. There are tens of thousands of sites talking about it. There is more new code and ideas being passed around than ever before.

No one really feared jail time anymore, which was the only major consequence of publishing code that anyone could come up with. Enter script kiddies and sites devoted to helping people learn about computer security. Cybercrime was just taking off, and everyone realized that this was turning into a business.

Companies start acquiring security and we get cool titles like CISO and CSO and we even have our own certifications. We finally had use cases and anecdotes for everything we had been talking about for all these years. Linux starts being sold on commercial desktops. It was the heyday of computer security. Let’s call this the enlightenment.

In the dark ages of computer security no one released code because they feared jail. In the enlightenment everyone released vulns because they wanted to make a name for themselves and prove their skill. So where does that leave us today? Let’s take an example of a hypothetical young web application and browser security guy (think me but just starting out) with no background or history in the industry. We’ll call him “Todd.”

Let’s say Todd releases a browser vuln that is useful against a good chunk of browsers, but it’s an architectural flaw and one that won’t be fixed for many years to come because if it is fixed it’ll break other things. It’s not a desktop compromise type issue; it just allows attackers to harm most websites in some obscure way (think the next version of CSRF or XSS or Clickjacking or whatever).

Todd, not knowing what to do or who to talk to, releases the vuln to make a name for himself and to help close down the hole, because he thinks that’s the right thing to do. Here are some possibilities:

  • The Vendor is pissed at Todd for releasing the vuln and not telling them first - especially since there’s no fix. You evil vulnerability pimp you!
  • The press asks the simple question, “Why did you release this when you knew there was no fix?” to which Todd has no good answer except he thought he was doing the right thing by letting people know - and then the press mis-quotes him.
  • The blackhat community is pissed because they have been using something similar (or not) but either way they know this cool trick has a limited lifespan now thanks to Todd. More importantly they’ll try to hack Todd for releasing it. There will be much fist shaking and cursing of Todd’s name the day the vuln gets closed too.
  • The elite crowd are annoyed because they don’t think Todd should have gotten any publicity. The elite kernel level bug is way sexier (and it may very well be) and takes more skill (quite possible as well), but Todd knows nothing about the politics of the industry - he’s just interested in his stuff. They may try to hack and drop Todd’s docs to shut him up. There’s only so much limelight to go around, after all. Incidentally, I don’t think most guys who work on these types of vulns are like this, but it only takes a few to deter someone new like Todd.
  • There’s a slim chance someone might offer him a 9-5 job - as long as the vendor isn’t one of their clients.

Now let’s take the flip side - what if he wants to sell it:

  • The vendor won’t pay for an architectural bug - only full machine compromises please!
  • The blackhats won’t pay for it, because it doesn’t give them a shell.

So where does that leave Todd? It’s not in his best interest to release the vuln, because of the externalities of negative pressure, and no one is buying either. How does Todd make a name for himself? More importantly, how does he survive? Why on earth would Todd give up his vuln for free?

He knows he could do some major damage with it, but the elite aren’t impressed so he doesn’t even get clout. Perhaps there’s a slim chance the vendor might hire him in gratitude? That’s a long shot and a waste of a great find for the chance at a 9-5 in the boiler room.

Instead why wouldn’t Todd say screw it entirely and either stop doing the research and find something else to do or become bad and make some real cash? The chilling effect is in full swing.

We are quite squarely headed towards another information security dark age. Sure there are a lot of good documents (if dated) on the web still. The bulk of advisories are from vendors these days, so you’ll still be up on yesterday’s news and patch management will be your life. Private conversations will always continue, but it won’t ever be like the enlightenment again unless something changes.

I spoke with two large vendors about this and they acknowledged their part in it and that indeed they offered no good solution for someone like Todd who hadn’t already established himself - except the vague hope of some consulting arrangement.

I spoke with one guy who buys vulns and I asked him who his buyers were, out of curiosity. I was expecting him to say some large software retailers, but he said, “No, no, not at all. Most of my buyers are consulting companies.”

I was confused. It turns out that there are a slew of consulting companies that will fail a pen-test with a client, but they can’t show the client that they found nothing, so they’ll whip out a ready-made 0day, impress the client and then they can go on the speaking circuit about their amazing find.

Call me naive but it never even occurred to me that this industry could be that messed up. If you see someone speaking at a conference about some memory corruption flaw but they can’t seem to explain their own vuln the way you’d expect them to - you may have found one of these consultants.

I think this is important because as my tenure comes to a close in the blogging world, I feel like there are a lot of very talented people who will never get to see their day in the sun and as an unfortunate consequence of this vulnerability market some talentless people will. I know several people have completely packed up and decided to get out of the industry entirely because of how things are shaping up.

I fear that the way things are headed it will be harder and harder for someone to rise to the top, without retribution from their peers. There is a whole new generation of people who are lining up to replace guys like me who are joining a very corrupt and preservationist industry.

They may not have thick skin and may not survive what is in store for them. I’ve talked to over a dozen security folks who tell me the same story. These individuals worry about the security community’s reaction to anything these individuals say publicly more than they worry about actual bad guys committing crime. Is it too late to fix, or is it even worth fixing? Or would you argue that this is the best it’s ever been?

I’d be curious to hear what people think.
