[ISN] Interview with Rain Forest Puppy

From: InfoSec News (alerts@private)
Date: Mon May 07 2007 - 22:19:23 PDT


http://www.ush.it/2007/05/01/interview-with-rain-forest-puppy/

May 1, 2007

Antonio `s4tan` Parata, software security researcher and member of the 
ush team interviews Rain Forest Puppy, famous bug hunter, specialized in 
web application assessment. It’s a pleasure for us to publish the full 
interview, in this case talk is not cheap.

Antonio “s4tan” Parata (ap): Hi Rain Forest Puppy, many thanks for this 
interview. You are considered one of the fathers of web security and the 
inventor of the SQL injection attack. Anyway in the year 2003 you 
decided to publicly retire from the security field (to get more infos 
http://www.wiretrip.net/rfp/txt/evolution.txt). Can you briefly sum your 
decision?

Rain Forest Puppy (rfp): My decision to retire from the public eye was 
based on a lot of reasons; overall, the amount of resources & energy 
required to release and maintain advisories and tools was just getting 
to be too large. It wasn’t fun anymore–and why pursue a hobby if you’re 
not enjoying it?

Plus, the security industry was becoming commercialized. Advisories and 
exploits are now bought and sold; performing security research in the 
first place can land you in legal waters. The intellectual value of the 
security research performed has been reduced to a single severity 
rating, which…if not high enough…causes the entire research to be 
dismissed. I really enjoy security from the intellectual angle; to me, 
it’s all just a big mental challenge…a puzzle, if you will. So when the 
creativity and intellectual aspect of it started to fade away, I decided 
to go with it.

As for being the “father of web security”, there were many people 
working on web security prior to me (for example, see Lincoln Stein’s 
classic WWW Security FAQ). And I didn’t invent SQL injection. I may have 
been one of the first to publicly explain it in tutorial fashion, but it 
existed for as long as SQL itself existed; it was just that few people 
saw the security implications of it. But that may be because SQL wasn’t 
ubiquitous like it is today, so it had limited impact in limited 
circles.

ap: 4 years elapsed and the web changed radically. Phrack is dead, Owasp 
testing guide raised, the web is filled with blogs and the web 2.0 
buzzword is on everybody lips. How did your thought change in these 
years and what do you think about nowadays security world, who works in 
it and researchers?

rfp: Well, the good news is that there is an increased awareness for the 
need for security. That’s a good thing. Even consumers are starting to 
understand the need for personal firewalls and the need to be vigilant 
when online.

The flip side of that awareness is that people now care when they have 
security–or more importantly, when they don’t. Combined with the 
litigious society we’ve become, and now you have the very real threat of 
someone pursuing legal action against you for informing them they have a 
security problem. Now that security can be linked to tangible dollar 
losses, and security regulation violations can have drastic impacts, 
I’ve witnessed first-hand companies who felt it better to be in the dark 
and cover up any signs of security issues rather than having those 
security problems disclosed and thus being forced to deal with it. It’s 
the Enron approach to security.

But, like I said in my Evolution essay (a.k.a. rant), security is now a 
big-time commercial business. There’s money to be made in having it, 
improving it, breaking it, exploiting it, etc. That’s probably the 
biggest change. Although, I suppose I’m part of the problem, having a 
security-related day job. :)

ap: At the moment are you working for a security company or are you an 
independent consultant?

rfp: I work for a security company. In fact, at the beginning of this 
year, I started working for a security software vendor. Prior to that, I 
worked at the same small security services company for 7 years, 
performing pen-tests, web app assessments, source code reviews, etc.

ap: What do you think about companies like gleg (http://www.gleg.net/) 
or iDefence (http://labs.idefense.com/), parties that make part of their 
profits from the selling of 0day exploits?

rfp: Well, I have mixed feelings. Part of it is how you frame it too… 
saying iDefense and 3Com sell 0day is only half right. Sure, they inform 
people of those 0day problems. But, they also handle the overhead of 
dealing with the vendor, coordinating advisories, etc. All that stuff 
takes time and resources, and can be particularly frustrating if you 
happen to deal with a vendor who doesn’t understand the security 
disclosure process (see my previous answer about Enron-style security 
silliness). So, being someone who likes to find bugs, and wants to do 
the right thing (i.e. inform the vendor) but doesn’t necessarily like 
the hassle of dealing with the vendor, iDefense & 3Com seem to be a 
win-win situation: they deal with the vendor, and you get paid for your 
research time (and the dwindling of low-hanging fruit and increased 
complexity means more research/time is required for each bug).

Part of my answer to this question ties into the next question…

ap: You are the creator of rfpolicy 
(http://www.wiretrip.net/rfp/policy.html), globally recognized as the 
policy to follow for the vulnerability disclosure. What do you think 
about mailing lists that practice full disclosure like FD 
(http://lists.grok.org.uk/full-disclosure-charter.html)?

rfp: In the end, it all comes down to the motive of the researcher:
    
* Trying to make the world a more secure place
* Trying to make a buck
* Trying to impress their friends/peers

Each of those has it’s own response. If you’re truly trying to make the 
world a safer place, then the only way to do that is to pursue a fix 
(and that typically means dealing with the vendor/author); if, for some 
reason, the discussions with the vendor are going horrible and you’ve 
exhausted all other options, then full disclosure to the public is a 
last-ditch effort to at least get the warning out.

If you’re trying to make a buck, well, sell it to the highest bidder. 
There’s been a lot of media reporting in the last 6 months about 0day 
black markets, and iDefense/3Com occasionally hold specials where you 
get paid extra for certain types of vulns (remote Vista bugs in 
particular).

If you’re trying to impress your friends/peers, then just run straight 
to the disclosure lists/venues. You’ll have your five minutes of fame 
until the next bug comes out. Hopefully though, you won’t pursue a 
security job down the road with a company who has negative feelings 
towards full disclosure…your efforts to build your ‘cred and impress 
your friends now may backfire later when you look to start doing it 
professionally. Remember, the Internet archives everything these days…

What probably bugs me the most is that a lot of people have the “trying 
to make the world a more secure place” facade, even though that’s not 
really their true intention. I call it the “MS. America ‘World Peace’” 
phenomenon, after all the pageant contestants who say they want world 
peace because that’s what they’re supposed to want in this age of 
political correctness. If a researcher truly wants to make the world a 
more security place, then they need to attempt to get a solution to 
their problem, and that usually means making some attempt to work with 
the vendor.

The moral to my long-winded answer: full disclosure is a tool, not a 
solution. Use it wisely, and where appropriate. If you truly want to be 
part of the ’security solution’, then offer a (realistic) solution when 
you have a problem to disclose. Be responsible. We control our own fate: 
if we run around like Internet Anarchists, then laws and regulations are 
going to tighten and make things more difficult. If we act responsibly, 
we may be able to continue with what we’re doing as-is.

But you can’t have it both ways.

ap: What policy to apply in the case of public site vulnerability 
research? Should the researcher avoid it completely, apply the rfpolicy 
or the full-disclosure way is viable too?

rfp: Funny, because I was just mulling this over recently. It’s one 
thing to have a security problem in something you control, such as a 
device or a piece of software installed locally. There’s the potential 
for you to enact a workaround or introduce another mitigating control.

Public websites are another matter. The only one who can fix the problem 
is typically the web site. There’s no mitigating strategy users can 
usually do other than forego use of the site. You think everyone is 
going to cease to use MySpace because they have an XSS hole? No way.

So thinking that it’s better to tell the world about a security problem 
in a public site than to tell the site owners is being part of the 
problem, and not the solution. Again, full disclosure is a tool, and is 
a worst-case/last-ditch scenario after all else fails.

ap: You are the author of the libwhisker library 
(http://www.wiretrip.net/rfp/lw.asp), widely used to create assessment 
perl scripts. What do you think about nowadays products related to web 
application assessment? What about some open source software (like 
parosproxy or nessus) changed to closed-source?

rfp: I have to choose my words carefully, because I very recently 
started working for a security software vendor. :)

Having had open source projects, I will say this: it is very hard to 
bootstrap a development community, and achieve the same level of polish, 
quality (as in QA), and implementation thoroughness as a commercial 
product. This isn’t necessarily because commercial software vendors are 
better coders; the dynamics are just different.

Open source coders are usually working on their own donated time. That 
means contributions are often catch-can and best-effort. Open source 
(when not sponsored by a commercial entity) are typically limited in 
resources (with time being the critical one).

Commercial companies, on the other hand, don’t necessarily have a 
constraint on resources and time, because they can be bought. And they 
are bought with the money used to purchase the software. However, 
because the software is purchased, they have the additional obligation 
of making sure it satisfies the user and the user’s experience. That 
usually means better UIs and usability, full feature sets, and 
thoroughly implemented features with all the bells and whistles a normal 
user would expect for that type of product.

If anything, I would say the bar is set higher for commercial products, 
because purchased software has certain additional expectations and 
obligations to live up to. If you grab a free suite of open source 
software, and something in it is broken or it doesn’t implement some 
basic functionality which you deem fundamentally necessary… well, your 
only recourse is to submit a bug report or feature request. It’s free, 
and because of that, there’s not necessarily an obligation to satisfy 
you as a user. But if a commercial software package is broken, or it’s 
missing something fundamental, you can ask for your money back, or make 
a request to the vendor to fix it with a reasonable expectation that 
they will. If they don’t, you have recourse with entities such as the 
Better Business Bureau (in the US).

Given all of that, I have made a few observations on how open source 
relates to commercial products:
  
* Commercial vendors don’t draw from a different, exclusive pool of 
  uber-developers. Good, smart developers can exist on both sides of the 
  fence; in fact, often times they play both sides. So the concept that 
  commercial vendors magically have better coders that are more capable 
  of solving a problem or being innovative is a fallacy. An open source 
  project can be just as innovative as anything a commercial company 
  pushes out; the difference is that the commercial company can usually 
  push it out farther and wider.
    
* The really good/innovative open source projects often go on to either 
  form a commercial entity, or gain commercial sponsorship. This almost 
  makes open source a research incubator and proving ground for new 
  ideas (which, IMHO, is great). The good ones take off and develop into 
  large entities (Apache, Samba, MySQL, etc.) and the rest live out the 
  remainder of their lives on SourceForge. :) But once an open source 
  company gets commercial backing, there then becomes the requirement to 
  satisfy the conditions of that commercial backing…so the sponsorship 
  usually provides resources in exchange for better meeting the 
  obligations/expectations that come with traditional commercial 
  software.

  In that sense, sponsored open source sits on the fence between normal 
  open source and commercial software, probably getting the best (and 
  worst) of both worlds.
    
* I made indication of it in my previous answers, but despite open 
  source being free and best-effort, many users still hold it to a 
  commercial product expectation of quality, implementation 
  thoroughness, etc. This is where I think a lot of problems arise. Yes, 
  open source software should be as good (or better) than commercial 
  software, even though it is constrained by resources. But we all know 
  that’s usually not the case…something as simple as a clean UI and 
  better documentation is all it takes to give something a 
  commercial-level appeal/feel. My personal experience with open source 
  is that these are the areas where they most often tend to lack.

So, going back to your original question about security tools: the 
security industry is such a hot topic, that everything is in such a 
state of flux, that it’s hard to say. Established open source tools have 
migrated to commercial backing (nmap, Nessus, ParosProxy, etc.).

There’s a lot of tools which are the byproducts of commercial research, 
and/or being used for marketing purposes (all the great Foundstone 
tools, HTTPrint, etc.) Some of these have no identical/suitable 
commercial counterpart. And yet there are many commercial tools which 
don’t have effective open source counterparts (I haven’t seen a good 
open source static source code analysis tool yet on par with Coverity, 
Fortify, or Klocwork). There’s no open-source equivalent for what 
AppScan and WebInspect fully do.

In the end, I’ve developed my own personal approach. All I care about is 
whether the tool works and/or gets the job done. I’ve spent so much 
wasted time trying to get a screwdriver to do a hammer’s job, and vice 
versa. I really don’t care if a tool is open source or commercial; I let 
the job dictate the tool, and not the other way around. Of course, there 
are certain artificial restrictions on this (like price limitations), 
but in general, I think there are some things that currently only exist 
in free & open source tools, and there are some things that currently 
only exist in commercial tools.

So use both wisely and get the best of both worlds. :)

ap: What’s your method to keep yourself updated on security news?

rfp: There’s just too many sources of information these days to digest. 
I have a very large RSS feed list I try to keep on top of, and I keep 
tabs on a few traditional mailing lists. I find that, if something is 
big enough, it will usually trickle down onto the security mail lists or 
one of the popular security blogs, which tips me off and I do further 
research on it from there.

So I suppose a good analogy is: rather than waiting to hear about stuff 
from the horse’s mouth (especially when there are many horses), I wait 
to see what interesting things the manure handlers heard or found after 
it passed through the horse. :) (note: I can neither confirm nor deny 
the intentional comparing of manure to the information content on some 
of today’s blogs…)

ap: Which books have you read lately? Is there any book that has to be 
recommended anyway?

rfp: I currently like “Developing More-Secure Microsoft ASP.NET 2.0 
Applications” by Dominick Baier. Rather than being a ’security 101′ 
approach filled with lots of overhead most seasoned security 
professional already know, this book is almost like a collection of 
technical tips and insights into little topics, all with security 
relevance. I like to think it fills in the remaining small gaps that the 
seasoned pros might have.

Nowadays though I really don’t read books in the traditional 
manner…there’s just too many coming out. And to make matters worse, 
they’re expensive and often don’t contain material that satisfy me. So I 
use O’Reilly’s Safari, which lets me search for specific topics across a 
whole library, and just download PDFs of the chapters I need. It’s more 
efficient and cost-effective. Occasionally I’ll check out the 
bookstore’s selection for books that aren’t hosted by Safari, but Safari 
has a good selection overall.

ap: Is your life style Infosec related even in your spare time or do you 
have extra IT&C hobbies?

rfp: A lot of things have changed since I faded out of the public eye in 
2003. At the height of my ‘RFP days’, I was a bachelor spending all day 
doing security work, and then all night doing security 
research…sometimes not even sleeping. Now I have a family, and I give 
all my spare time to them; so my security-related pursuits tend to be 
limited to just work-hours, with the occasional evening or weekend for a 
special security project.

ap: Will the Infosec community have a chance to see you back to the 
scenes like in the past?

rfp: Well, there’s two ways to look at that question. When you consider 
the qualifier “like in the past”, then no. Don’t expect wiretrip.net to 
start spewing out new advisories or tools. But will the Infosec 
community see me involved in it? Sure. Actually, I never left. I still 
post to the security venues, I still publish, I still work with vendors 
to get things fixed, etc. I would say I’m still very active in the 
security community–but in a way that has nothing to do with the name 
RFP.

ap: Thanks rfp for the interview!

rfp: Thanks for the thought-provoking questions!



__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Mon May 07 2007 - 22:28:10 PDT