Security Posturing: Awareness, Advocacy, and Grandstanding

There are numerous stances that a researcher can take when disclosing a possible security vulnerability. The first is to do absolutely nothing -- simply hold onto it in the hopes that it can be leveraged in the future. Obviously, not much disclosure is happening in that case, and the vulnerability will most likely never be addressed. The other, more public, approaches are awareness, advocacy and grandstanding.

Awareness can come in many forms. The best form of awareness is to report the security vulnerability to the vendor and work with them to see that it is resolved. Most often, this can be done in a private and responsible manner. The information security landscape has changed in the last several years and most vendors are willing to accept and accommodate security bug reports.

Another way to raise awareness is to publicly post details of the vulnerability to blogs, mailing lists, and forums prior to notifying the vendor. That traditional "full disclosure" mentality may still have merit, but the time is long past when this is considered a truly productive method of information sharing. If the goal of security is to make people safer, publicly disclosing newly discovered or previously unknown exploits before a patch is available is not furthering that goal.

Occasionally, though, recalcitrant vendors refuse to acknowledge privately reported security vulnerabilities, or won't address publicly reported vulnerabilities and continue to ship exploitable products. In these cases, advocacy is an appropriate approach. This could involve simply creating an exploit for the vulnerability and releasing it. The example attack should do more than just regurgitate the proof-of-concept from the original vulnerability report. It should show a real-world version of the attack and meet some defined goal. If those actions can be accomplished, more widespread dispersal of that information is appropriate, be it through forums, blog posts or mailing lists.

But if a real-world attack cannot be constructed, the vulnerability is best left to drop until an exploit can be developed. Continued broadcasting of a questionable vulnerability is nothing more than grandstanding. Spamming mailing lists and making copy-paste forum postings of half-baked ideas does not engender much respect from the community at large. To be a bit hackneyed: "put up or shut up", and if you can't, "quit while you're ahead".

Claiming to have some significant exploit and then refusing to release it because "it's too dangerous" rings quite hollow when it is discovered that the vulnerability was never reported to the vendor in the first place. It is also poor form to recycle vulnerability reports against a product when the vendor has addressed the issue in the most recent supported versions. Taking a well-known, publicly reported vulnerability and hyping it in some sort of attention-grabbing attempt is quite distasteful. These shallow stabs at fame-mongering are simply useless if they don't make a positive contribution to the community dialog.

And sometimes it is as much a matter of presentation as it is of content. Making a conscious decision not to take part in the established process and then later railing against that very same process does very little to improve one's professional image. A history of such behavior leads to a reputation that is hard to shed, no matter how much quality or relevance some information has.

To put it plainly, if I have to ask "Is this bogus?" every time I see a post on a given blog or from a particular individual, I will be much less likely to trust that source of information over time.

Posted by gfleischer on 2008/02/11 at 12:43 in Rants

IP Addresses are NOT Personal Information

The debate over whether or not Internet Protocol (IP version 4) addresses are personal information continues. As reported on the New York Times Blog: Europe: Your I.P. Address Is Personal. It has since been commented on at Educated Guesswork (Uh, yeah IP addresses are identifying), and Adam Shostack added it to his Adam's Law of Perversity in Computer Security.

Let's review a few quick facts about IP addresses:

  • IP addresses are not private
  • IP addresses are not anonymous
  • IP addresses do not uniquely identify a person
  • IP addresses do not uniquely identify a computer

Granted, an IP address may become identifying when it is stored in conjunction with other personal information, but by itself an IP address is not personally identifying information.

And to suddenly start talking about confidentiality and protecting your IP address (as if you own it) is simply ludicrous. By their very nature IP addresses cannot be private, because they are used to route data. Playing the privacy card for IP addresses is intellectually dishonest, and it detracts from real privacy arguments. It is disheartening to see so many people hopping on the "IP address is personal" bandwagon.

To quote LMH: It's called fanboyism, and it makes you kinda stupid.

Posted by gfleischer on 2008/01/29 at 20:52 in Rants

Actual Proofs of Concept

A proof of concept (POC) has two inter-related parts: first comes the concept, then the proof. The obviousness of this seems to escape some people. After some of the absolute crap I've seen posted this weekend, a quick review seems in order.

  • Concept: The concept is what is being posited. It is the essential idea that is being put forth.
  • Proof: The proof attempts to show that the core concept in fact holds for some non-trivial situation. A proof of something only marginally related to the concept is not a proof.

So, if you are attempting to show that a certain construct is vulnerable to persistent (stored) cross-site scripting (XSS), do not use an example that demonstrates reflected XSS. And vice versa. If you are attempting to show that some code is vulnerable to reflected XSS, don't use a proof of concept that depends on values that could never originate from the user's web browser.

If you are claiming some defect is a security vulnerability, your POC needs to show both the vulnerability and how it is security related. Not all bugs are security vulnerabilities.
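To make the persistent-versus-reflected distinction concrete, here is an added example (not code from the original post or from any product it discusses). It builds a toy in-memory web application with one reflected sink (`/search`), one persistent sink (`/comment` stored and rendered at `/comments`) and one hardened handler (`/safe-search`), then checks a submitted proof of concept against the class of bug it claims. All endpoint names, the `Request`/`App` classes and the marker payload are invented for illustration; the point is that a persistent-XSS proof must show the payload served to a second request that carries nothing attacker-controlled, while a proof that only echoes the request's own input demonstrates reflected XSS and nothing more.

```python
"""Added example: toy app with reflected and persistent XSS sinks, plus a
checker that decides whether a proof of concept (POC) demonstrates the class
of bug being claimed. Everything here (endpoints, classes, payload) is
constructed for illustration and is not taken from a real product."""
import html
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PAYLOAD = "<script>alert(1)</script>"  # constructed marker payload


@dataclass
class Request:
    """Only what a browser can actually send: method, path and parameters."""
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class App:
    comments: List[str] = field(default_factory=list)

    def handle(self, req: Request) -> str:
        if req.path == "/search":
            # Reflected sink: the query is echoed, unescaped, into this response only.
            return f"<p>Results for {req.params.get('q', '')}</p>"
        if req.path == "/comment" and req.method == "POST":
            # Persistent sink: the body is stored and rendered to every later visitor.
            self.comments.append(req.params.get("body", ""))
            return "<p>saved</p>"
        if req.path == "/comments":
            return "<ul>" + "".join(f"<li>{c}</li>" for c in self.comments) + "</ul>"
        if req.path == "/safe-search":
            # Hardened variant of /search: output is HTML-escaped before rendering.
            return f"<p>Results for {html.escape(req.params.get('q', ''))}</p>"
        return "<p>not found</p>"


def proves_reflected(inject: Request) -> bool:
    """Reflected XSS is shown when the payload carried by a request comes back
    in the response to that same request."""
    return PAYLOAD in App().handle(inject)


def proves_persistent(inject: Request, victim: Request) -> bool:
    """Persistent XSS is shown only when a later request that carries nothing
    attacker-controlled still receives the payload."""
    if PAYLOAD in victim.params.values():
        # The victim request smuggles the payload in itself: that is reflected, not stored.
        return False
    app = App()
    app.handle(inject)
    return PAYLOAD in app.handle(victim)


def poc_verdict(claim: str, inject: Request, victim: Optional[Request] = None) -> str:
    """Match the proof against the concept being claimed."""
    if claim == "reflected":
        return "proven" if proves_reflected(inject) else "not demonstrated"
    if claim == "persistent":
        if victim is None:
            return "no victim request: a stored bug needs a second, independent request"
        if proves_persistent(inject, victim):
            return "proven"
        if proves_reflected(inject):
            return "proof shows reflected XSS, not the persistent XSS claimed"
        return "not demonstrated"
    raise ValueError(f"unknown claim {claim!r}")


if __name__ == "__main__":
    stored = Request("POST", "/comment", {"body": PAYLOAD})
    echoed = Request("GET", "/search", {"q": PAYLOAD})
    visitor = Request("GET", "/comments")
    print("persistent via /comment:", poc_verdict("persistent", stored, visitor))
    print("persistent via /search: ", poc_verdict("persistent", echoed, visitor))
    print("reflected via /search:  ", poc_verdict("reflected", echoed))
    print("reflected via /safe-search:",
          poc_verdict("reflected", Request("GET", "/safe-search", {"q": PAYLOAD})))
```

The checker deliberately accepts only `Request` objects, so a "proof" that plants the payload somewhere a browser cannot reach (a server-side config value, for instance) cannot even be expressed, which is the second mistake the post warns about.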

No links, because some of these people don't deserve any more credit than they are already trying to get.

Enough said.

Posted by gfleischer on 2007/12/02 at 23:53 in Rants

The Race to Disclose. The Race to Fame and Glory?

Finding a new vulnerability in a widely deployed product is exciting. Very exciting. And a natural first instinct is to want to share that information and get credit for it. So, why not just cobble together some sketchy details and post them to Full-Disclosure, milw0rm or your web log? What could possibly go wrong?

Well, a couple of things actually.

First, someone else may have already discovered the issue and posted about it. A best practice is to search the archives for bugs reported against the product and see if any cover what you've found. Do a Google search with some relevant keywords. Avoid reporting against an older version when the most current one resolves the issue.

Second, what you found may not be that important. Not every browser quirk, visual glitch or access violation needs to be broadcast to the entire world. Doing so is a waste of everyone's time. Love them or hate them, Microsoft's 10 Immutable Laws of Security are spot on when it comes to this. So, if your vulnerability falls in that gray area, what should you do?

The best possible approach is to develop an exploit that does something interesting. Create a demonstration that shows how the problem can actually be abused. I can't understand the amount of time and energy people expend arguing over whether a vulnerability is or is not exploitable. Release a demonstration and there won't be anything to argue about.

I only bring this up because the trend of bogus and/or worthless bug reports continues to grow. And those doing it for the fame and the glory just end up looking like idiotic newbies. Which I would suppose is the exact opposite of what they wanted.

Posted by gfleischer on 2007/11/19 at 12:36 in Rants

Fedora Core 3!

Honestly, who still runs Fedora Core 3? The default install has nearly 500MB of updates to download and that still leaves it dreadfully out of date. It was EOL'd in early 2006.

Maybe there is a good reason for it, but I'm just not seeing it.

Posted by gfleischer on 2007/11/10 at 20:50 in Rants

The Sky Is Falling?

What is with all the sky-is-falling stridency lately? From Gadi Evron's OS X is the new Windows 98 to PDP's dire predictions of data: and jar: protocol attacks, there seems to be an onslaught of apocalyptic posts without anything backing them up. Just throwing out random predictions is easy, but presenting actual metrics and actionable information is where the true value lies. Not that there aren't interesting data points and insightful content to be found; it is just buried under the grandstanding and the annoying self-righteousness. Unless some people dial it down a little bit, they risk not being taken seriously.

Posted by gfleischer on 2007/11/06 at 22:27 in Rants
