[ISN] Researcher for whom exploit code means freedom of speech

From: InfoSec News (isn@private)
Date: Fri Jan 16 2004 - 06:04:07 PST

    Forwarded from: William Knowles <wk@private>
    
    http://www.smh.com.au/articles/2004/01/14/1073877889610.html
    
    By Sam Varghese
    January 15, 2004
    
    Georgi Guninski is a man who is respected on vulnerability mailing
    lists. The Bulgarian security expert - and this is one instance when
    the word can be safely used - has spread himself wide when it comes to
    security but all of his vulnerability posts merit attention.
    
    From kernel bugs to browser holes, Guninski has found them all. His
    advisories are terse and to the point but cause a predictable degree
    of consternation when they are put out. His own favourite discovery is
    a race condition in the OpenBSD kernel.
    
    While many formerly independent researchers are slowly going over to
    the corporates, and in the process losing their ability to freely
    reveal details about flaws in proprietary software, Guninski has kept
    the faith. Indeed, his advice to other researchers is precisely that:  
    "Keep the faith."
    
    He is passionate about full disclosure and the posting of exploit
    code; he feels this is often the only way to get software vendors to
    patch buggy programs.
    
    There is logic behind his rationale - according to him, some vendors
    wait six months before issuing a patch when a flaw is reported to
    them; on the other hand, in one case when an exploit was released in
    the wild (without the bug which it was exploiting being reported to
    the vendor), and military computers got broken into, the same vendor
    issued a patch in double quick time.
    
    Guninski is often accused of being a publicity seeker but dismisses
    such talk by saying that it is merely put out by companies "and their
    puppies" who do not like him. To his credit, he does not favour this
    side or that - his own site has a long list of the vulnerabilities
    he's found and be it in open source or proprietary software, he sticks
    to his principles of disclosing things in full.
    
    To those who try to offer the excuse that software will always be
    buggy, Guninski has one piece of advice - go and get a job at
    McDonald's.
    
    He was interviewed by email.
    
    How did you come to be interested in computer security? Was it in the
    family or were you one of those little nerdy boys who's always dying
    to find out how things work?
    
    Not the family. I have always had an unexplainable passion for
    computers. And I am more interested to find how things don't work or
    work in "strange" ways than to find out how just things work ;).
    
    
    How is Bulgaria in terms of technology, compared to countries in the
    west?
    
    There are talented people in Bulgaria, but the country is poor and
    people migrate.
    
    
    What led to your first IT job?
    
    Karma. See below.
    
    
    From your CV, it looks like you are mostly a self-taught researcher.
    Is this right or was there some guru who guided you?
    
    No one guided me. Sure, I have learned a lot from the internet. One my
    favorite quotes is: "Education is an admirable thing. But it is well
    to remember from time to time that nothing that is worth knowing can
    be taught. - Oscar Wilde"
    
    
    How come you didn't take up a career in finance or turn to teaching
    after studying international economic relations?
    
    I have always been interested in computers, never been really
    interested in business or finance. Here is a joke quote from Terry
    Pratchett with some truth in it (translated from Bulgarian, don't
    remember the exact book). "From conversation between two witches -
    'You don't choose your profession, the profession chooses you'."
    
    
    What was the first major vulnerability you discovered?
    
    An AIX (Unix operating system by IBM) buffer overflow.
    
    
    How long was it before you gained acceptance within the security
    community?
    
    I can't answer this question, the community should answer.
    
    
    Many people in the security industry accuse you of being a publicity
    seeker? What's your response?
    
    This is false. I have not profited from publicity and I haven't sought
    publicity for a long time. Buggy software is out there and killing the
    messenger does not help anyone. Truth is, some companies and their
    puppies do not like me and they use false arguments to discredit me.
    I will enjoy posting from (an) anonymous account as much as I do now
    and if the time comes I'll do it.
    
    
    What is your stand on the release of exploit code on mailing lists?
    
    Exploit code should be released if the author wants. I consider
    exploit code "freedom of speech". There are some trends to try to stop
    publishing exploit code - I am disturbed by these trends to try to
    steal rights from the citizens. Exploit code is not the problem. The
    problem is buggy software. And I am not buying the "writing software
    is difficult, software will always be buggy" argument - those who
    think they cannot write good software better get a job at McDonald's.
    
    
    What do you think is a reasonable period for a researcher to give a
    company before releasing details of an exploit?
    
    This is up to the researcher. He decides. The exploit is his property,
    so he can do whatever he wants. It depends to whom is reported also.
    
    
    You say that you prefer to work in open source projects? Why?
    
    I just like open source. And I am selective about who profits from my
    skills.
    
    
    What do you consider your favourite vulnerability - the one which
    really made you feel good when you discovered it?
    
    I classify my bugs in two categories:  a) the ones which are
    discovered by examining the source code b) the ones which are
    discovered "by chance" or by an irrational way.
    
    My favorite ones are type b). I consider a) craftsmanship, which is
    not very interesting. Don't have a favorite one, but quite like the
    OpenBSD race condition bug.
    
    
    How do you see the future of security research evolving? And the
    future of the internet?
    
    About security - quote from Bon Jovi: "It's all the same, only the
    names will change". About internet - expect a decline of Microsoft
    products on the internet.
    
    
    Has your choice of career affected you personally? Or socially? Many
    geeks say they are unable to get a date - how about you?
    
    I am not very sociable, but believe I have a good social life. I don't
    complain about it.
    
    
    If you had a chance to do it all over again, would you choose the same
    career? Whatever answer you give, why?
    
    I doubt that one can escape his karma. I probably would have done it
    the same with small changes.
    
    
    Any other interests apart from IT?
    
    I like going to parties and bars. I have an amateur interest in
    mathematics.
    
    
    If someone wanted to start out as a security researcher, what advice
    would you give them?
    
    Be careful. Very careful.
    
    
    Any famous last words?
    
    Keep up the faith.
    
    