-----BEGIN PGP SIGNED MESSAGE-----

Inhale.

> Moderators: Pass if you will. I think this seriously impacts the whole
> industry.
>

Vuln-dev isn't really my turf, and I can think of better things to do on a Friday night, but I feel a strong urge to respond to this post. I've spent nearly a year thinking about the whole full disclosure vs. anti-disclosure thing. I've considered different viewpoints, was once a supporter of full disclosure myself, etc. I'll share what I've learned in all that time, if only to shed some light on what I consider most exploit developers would be feeling when they read that thread.

As I am quite fond of saying, failure to grasp the difference between the security community and the underground community* is where most of the confusion regarding these issues stems from. You can't understand what's going on by applying the perspective of one community to the events and people of the other.

You say it affects the "whole industry." I assume you mean the commercial security industry, because the vast majority of Net users aren't affected if exploits aren't disclosed (exploits, not vulnerability information -- pointless to argue the latter here). Nor is the underground community. Which raises the question: why were you seeking the exploit in the first place?

* When I speak of the underground, it's with the exclusion of the so-called "script kids." I am referring to those individuals known to dedicate countless hours of their lives to vulnerability research and exploit coding. Some may consider themselves part of the security community, but it's been my experience that most of the exploit coders identify with the underground community, perhaps tacitly.

>
> This email was written after I contacted a prominent "exploit collector" and
> asked for the new SSH exploit. He asked me "how much are you willing to pay, I
> selling 'sploits now". I said "You wanna WHAAT?".
> Afterwards I thought about

Assuming you were speaking to the actual author of the exploit, and that he wasn't merely being a smartass, what's wrong with demanding payment for said exploit? The security industry sells penetration tests using the work of exploit coders on a daily basis. Why should the developer of the exploit, who's probably gone to the most excruciating lengths to research/discover the vulnerability and create a well-functioning exploit, contribute to an industry that uses circular logic to generate hype and fear in the public (for increasing market gain)? The only regret I have in someone not disclosing vuln info is the open source developers not getting the support they deserve. But there you go: the commercial security industry ruins it for the rest of the world.

Full disclosure of vulnerability information fixes security holes. Fair enough. I won't bother arguing that. What exactly does the release of exploits accomplish though?

Security $$ Penetrator: You're vulnerable to XXX
Client: I don't believe you!
Security $$ Penetrator: Ok, here's my proof of concept
Security $$ Penetrator: See?
Client: Oh! We better patch. Here's your payment.

Give me a fscking break. Not even the worst of people are that thick. I think what really happens is that script kids are armed, and this gives security professionals many case studies to choose from and threats to identify in their risk assessments. And some guy wanting money for an exploit is evil. Yah ok.

> it, and here are some comments/predictions as to what is happening in the
> industry.
>
> At present a vulnerability is usually disclosed in the following way:
>
> * L33t Hacker finds problem in vendor ABC's product
> * L33t Hacker writes to ABC

Partly correct, but no hacker I know writes to ABC. Your use of 'L33t' makes me feel queasy, btw. Considering that these people have fed the security industry for so many years, I think they deserve a less intimidating title.
> * ABC takes some time, builds a patch, writes an advisory and gives credit to L33t
> Hacker

Wow. Maybe they should start handing out stickers too!

> * ABC releases advisory to bugtraq, SF, packetstorm etc.
> * Security firm 123 implements patches for brain dead clients.

How about L33t Security firm? I thought they just ./penetrate from a command line and send their clients the patch developed by the vendor. I hear the more sophisticated penetrators use tools with funky GUIs and essentially point-and-click their way into fortune.

Security professionals don't need exploits. They can construct policies, craft firewall rulesets, advise on best practice, etc. The obvious counter-argument to this is that signature-based IDS developers need exploits to "analyse." How true is this? Think about signatures that are triggered on peculiarities specific to exploitation rather than the exploits themselves. If an IDS developer can't separate the exploitation indicator from the exploit, the product is basically worthless.

If the sshd exploit in question is the one for the sshd vulnerability published by Bindview months ago, the information is there already and patches/upgrades are plenty. You don't need the exploit. Bugtraq doesn't need the exploit. Unless, of course, you really need to keep the script kids alive and food on the penetrators' tables.

Then again, we all know how considerate Bugtraq is of the private work of another. Case in point: telnetd vulnerability. The researchers provided all the vulnerability information to Bugtraq, but their exploit for the vulnerability was copyrighted and said it wasn't to be distributed on Bugtraq. There was ABSOLUTELY NO REASON why it had to be. Even if the copyright notice wouldn't hold out in a court of law, COMMON COURTESY states that it should have been respected. All you did was stop the future publication of vulnerability information by many talented people.
> * L4t3 Hacker writes exploit for problem
> * Exploit is seen on hack.co.za, packetstorm etc.
> * Assessment/Pen-test firm 456 tests for the problem.
>
> Obviously things do not always go this way. L33t Hacker might write an
> exploit from the start. Exploit writers are usually after fame, wanting to see
> their names in lights on a MS advisory. In the above mentioned process the one

Funny. Most exploit writers today have learned their lesson from disclosing in the past and are now working on ways to protect their work from falling into the wrong hands -- not just the "script kids," but the clueless security gluttons who exercise as much skill as the script kids they forever bang on about in their media interviews. Current work involves developing ways to encrypt exploit binaries. One of the best sshd exploits that leaked is password-protected. What you and the Newsbytes journalists don't realize is that this was written by a skilled coder MONTHS ago.

> people/firms that make money from the bug are Security Firms 123 and 456. The
> L33t Hacker gets fame, not fortune. Hacker L4t3 also gets some fame - in some
> cases even more than L33t.
>
> Then someday, Hackers L33t and L4t3 decide that they are not in it for fame,
> but for money. So, they open a security firm (many examples e.g. L0pht, Max
> Vision, RFP, many more). The problem now is keeping the exploits flowing while

RFP? False. He is an advocate of full disclosure, for whatever reason. His advisories aren't plastered with company logos and whatnot. As far as I know, he works in the computer industry (so?) and maintains computer security as a hobby. And even if he is/were paid as a penetrator, he's a far stretch in skill and ability from all the clueless monkeys who run nmap and exploits without any respect for the developers themselves. Max Vision sells penetration tests (or did), but gave something back by maintaining that snort attack signature database. L0pht is the classic epitome of sell-outs.
The website now redirects to the @stake website (maybe you can still buy t-shirts somewhere) and HNN was slaughtered (not that I care) when @stake bought the crew. Not relevant here anyway, since @stake only pumps out care-factor-zero, last-drop-in-the-sponge crap like PalmOS vulns...

> having to write reports, sit in meetings, wear a tie, doing budgets, and
> speaking to brain dead clients. So, in many cases, it does not work out.
> Hackers usually don't have a lot of patience with brain dead clients, hate
> writing reports, and can't even balance their own budgets. They see that they
> only spend 10% of their time writing 0-day exploits...while that was
> the reason they signed up. Ask any "ethical hacker" - it's tricky making money
> and keeping the brain occupied.
>
> So, while Security Companies 123, 456 and 789 are making money, hackers L33t and
> L4t3 are unemployed and frustrated by the fact that others are reaping the
> rewards of their 0-day exploits that took 3 months to code. These two contact
> Hackers r3L4t3 and r3l3a5h and they form the "cyber underground association",
> and they sell 0-day exploits. They start off by selling exploits directly to the

I'm having a hard time trying to understand your leet speak and its purpose here. Out of curiosity, did you type like that when you asked the exploit coder for his exploit? He'd have seen you coming from a mile away. It's not the leet speak itself that's annoying; it's the fact certain excitable people seem to think it's funny or portrays the underground as a bunch of immature e-punks. Not a good way to bite the hand that feeds you. The fact you even had to ask for the sshd exploit tells us a lot about you. Is it so hard to grasp the concept that there are people out there who don't give a shit about making a profit (fame OR fortune)? Most of the exploit coders who release soon learn their lesson and then resolve by trying as best they can to keep their code in the hands of close friends only.
Yes, readers, there are people in this world who have humbled themselves and remain unblemished by desires for artificial and, at best, transitory recognition. Most people posting to Bugtraq seek profit at worst, or academic fame at best (i.e. showing off). Yes, readers, there are vulnerabilities floating around beneath the public surface that would send Bugtraq and its kin into a frenzy if discovered. Brings new meaning to having the latest software releases and such -- it's likely you can still get owned with a hole you've never heard about. Maybe if computer security weren't so commercialized, the discoverers of these holes would share their findings with the "community." Anyway, who wants an Internet that is bolted down and under the patrol of the government? This is the unseen ancillary path of full disclosure.

> client and it goes like this:
>
> * CUA finds a problem in vendor ABC's product
> * CUA codes the exploit
> * CUA lets the word spread that they are selling it
> * 10 script kiddies buy the exploit at $100
> * Script kiddie l0s3r puts it on his website
> * Security firm 123 and vendor ABC get it, build patch (and the usual)
> * Script kiddie l0s3r's site gets DDOS-ed by CUA
>
> CUA made $1000 from the exploit. Security firm 123 made $25 000 from it. Some
> networks are compromised by the kids, security firms/vendors take the heat; an
> assessment was done on the network a week ago and it was certified as "safe".
> The whole IT security industry takes a knock. Everyone loses. CUA gets together,

Who cares if the security industry takes a knock? Less laundering in the world and the public would likely be better off.

> have a meeting, decide on new strategy. It goes like this:
>
> * CUA finds a problem in vendor ABC's product (no guessing who ABC is)
> * CUA codes the exploit
> * CUA contacts "Exploit dealer @m1c$" - a well connected person in script kiddie
> country.
> * @m1c$ sells the exploit only to a selected few - at $500 a pop. He sells 10
> copies.
> * @m1c$ makes $2500, CUA makes $2500.
> * One of that selected few was in fact working for Security firm 456.
> * Knowing that CUA is killing the trade, and wanting the fame, 456 employee
> rebrands the exploit to say 456-inc. and sends it off to Bugtraq (or puts it on
> their webpage)
> * Everyone gets the code on SF
> * 456-inc. gets DDOS-ed.
>
> The other 9 selected few are typically people that will spend $500 on an
> exploit, knowing that they can compromise a network that has $5000 worth of
> credit cards or the like. They are thus your black hat dudes - the criminal
> type. The industry takes a knock - again, and in a bigger way. Security firms
> 123 and 789, not willing to pay for the code, are booted out of several
> contracts, as their clients' networks were compromised.
>
> CUA has another meeting. Somehow they are not seeing the $10000s that they
> expected. They make a new plan - bigger and better than before. They will
> bypass the dealer and only sell to people they know. It goes like this:
>
> * CUA finds yet another bug in ABC's software, codes exploit
> * CUA sells exploit to 25 selected people at $1000 a pop.
> * Exploit is actually sold to many foreign agencies and a few terrorists
> * Exploit is also sold to n0h@ck, an undercover FBI agent.
> * CUA is taken to court and convicted under the 2002 Terrorist Bill thingy
> * End of CUA
> * Oh and the FBI gets DDOS-ed
>
> Think about it for a while. At $1000 an exploit, who are you going to attract?
> People that will pay that amount of money must surely be in a situation that
> will make it worth their while. Dealing with these people will be dangerous for
> sure.

You sure have put a lot of thought into this matter...

>
> Non-disclosure will spark paying for exploits. Paying for exploits would be the
> same as paying for arms. Paying for exploits would make them illegal in no
> time.
> It would very much hurt the industry - the whole security industry - from
> the software vendor to the security vendor to the "ethical hackers", and all

It won't hurt the hard workers who actually find 90% of the "big" vulnerabilities, write an exploit, and keep the exploit in the hands of a trusted few. It won't hurt the masses who suffer the fatal consequences of this exploit in the hands of swarms of script kids.

"Ethical hackers"? What the hell is an ethical hacker? Those half-assed "ethics" articles sure do poison the mind! In fact, they're one of the main causes of the slave mindset that 95% of the underground has, which causes it to work with the security industry, without payment, in the name of noble duty! Also a reason why many so-called hackers don't hack -- go figure...

While people are building lexicons to make sense of the silly lingo, debating pointless "hacker vs. cracker" or "whitehat vs. blackhat" nonsense, there are people out there who turn a blind eye to all of this and just do their own thing, striving to reach their technical goals. These are the people who actually write the exploits and they couldn't care less if the security industry, in all its shame and fraudulent philanthropy, was blown back into the Stone Age.

> the way, the client/end user or firm will be taking the fall. Even the exploit

The end users are already taking the fall, but I won't elaborate further on that -- not here.

> writers will have a hard time. They are never going to make real money from
> their "product", will live in fear for their customers, and will take constant
> heat from their law enforcement agencies. A bigger challenge is to write the
> code AND make money in an honest way, AND keep sane in the process, and I
> believe it can be done. The more underground the industry goes, the more heat

You seem to think the security industry and exploit writers belong to one big community. Such is not true. The security industry won't go underground.
People happily write exploits without making money. Trust me. And the ones who write exploits to make money deserve the money, whether they work for a security company or demand money from security professionals (and is there really a difference?). Again, the underground community is not the security industry, and never was. I find it amazing how many people have not realized this by now. Maybe you won't be so shocked next time someone requests money for an exploit. After all, you only use it to make money, no?

> it will take from government and law enforcement. The more open the industry
> is, the more transparent it is, the more acceptable it would become. And now I
> hear people saying - full disclosure is the reason behind script kiddies, the
> reason behind worms that cost us millions. Well let's quickly think about just
> that.

[snip]

Exploit developers are now onto the fact that the security industry has raped them over the years. Concerted efforts are being taken, both technical and legal, to finally put a stop to the abuse of private research that has been exhibited by the security industry in the past. Enjoy the current situation. It won't last...

>
> Regards,
> Roelof.
>
> ------------------------------------------------------
> Roelof W Temmingh            SensePost IT security
> roelofat_private             +27 83 448 6996
> http://www.sensepost.com     http://www.hackrack.com

- --
Anonymous Paradox <anonpdoxat_private>
Sewer Maintenance Specialist - SMS+ / TWIT
http://www.oneworldorder.org

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.0

wl0EARECAB0FAjvTlUEWHGFub25wZG94QGh1c2htYWlsLmNvbQAKCRAIQJiskx91ZlXs
AJ9trlzGUJoBYGbr7Fj9U7CSwejt7QCgpAl1kvceWTMKVGiPgOMe6Aadlrk=
=bv3b
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 09:07:46 PDT