Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!

Jeremy Rauch | June 12th, 2007 | Filed Under: Apple, Disclosure

[Interesting Discussion In Comments -daveg]

It's no secret: I’ve advocated “responsible disclosure” for years. I don’t buy that vulnerability research, and discourse about findings, is why there are so many security problems. Keeping our heads in the sand won’t improve the situation.

Apple’s recent release of Safari for Windows spurred people in our community to start looking for its flaws. Great. I say Safari, for all its good qualities (it’s quick, looks nice, and claims to render more accurately than other browsers), hasn’t benefited from the scrutiny IE or Firefox gets. If people spend time looking at it, finding vulnerabilities, and reporting them back to Apple, we could have something here. That a large portion of it is open sourced makes it all the better.

I’ve been finding vulnerabilities for over 10 years. I’ve been frustrated by vendors that resist patching flaws. And I’ve seen serious flaws go unfixed, due solely to vendor apathy, on numerous occasions. I can see how that could make someone question the “responsible” side of disclosure. Are we wasting our time “playing nice” with vendors?

One of the things we codified when we started Matasano was a disclosure code of ethics. Part of it applies today. In spite of the bad vendor experiences we’ve all had, individually and as a group, we felt strongly that to research vulnerabilities without keeping vendors in the loop wasn’t something that we could participate in.

In fact, we’ve gone one step further. We won’t release information without a vendor patch being available. We’re just not comfortable deciding how you should manage your risk. I’d like to keep thinking that disclosure is about making software safer, and not just about ego and marketing.

And that’s why, after my blog hiatus/hibernation/avoidance, I’ve decided to post again.

I say, have all the hostility you want towards Apple. Apple may have done Dave Maynor wrong. Dave may be justified in carrying a grudge. I don’t know all of the facts there, and at the moment, it doesn’t look like any of us will. But I hope Dave, and all the other people taking shots into the barrel of fish that is Safari, are going to do their best to deal responsibly with Apple. I’ve found the Apple security folk I’ve met to be well intentioned and concerned, even if they are severely overburdened and understaffed.

But Dave, if you’re not going to keep Apple in the loop, and you are going to harbor secret Safari vulnerabilities that only your company and your customers and whoever your customers talk to and whoever ever manages to break into those customers may be, can I ask a favor? Can you post what your code of ethics is? A lot of us would like to know. We could show a spectrum, from Errata on the “left”, through MoXB, to eEye on the “liberal”, Matasano on the “centrist”, ISS on the “conservative”, and Cisco on the “right wing”.

Viewing 48 Comments

    • ^
    • v
    This is one thing I've been saying for ages: this industry needs to grow up and show maturity. The whole holding a grudge is so 1998 and damages the work that other companies do when trying to work in a professional relationship with companies to solve security issues.

    Maynor is yet again proving that whilst he might have reverse engineering skills, he is lacking in good common business sense. One day Apple might open the door as MS did with security; who do you think they won't work with?

    Take MS at the mo: we have most of LSD as part of the core security team. Does anyone remember any childish spats between any LSD member and MS?

    What comes around goes around
    • ^
    • v
    Maynor's simple disclosure policy sounded fair and ethical enough to me when I read it on his blog earlier today.

    If Apple's security team is so "severely overburdened and understaffed" that they won't even listen to outside security researchers doing the work they couldn't do, Maynor's limited service is still arguably providing more value to the community than they are and should be considered ethical on those grounds.

    Getting sucked into someone else's nightmarish way of doing business is a basic occupational hazard. Maynor is justified in defending himself against that especially if it drains time and energy needed to continue performing his research effectively. Avoiding goon squads and spin doctors is just basic time management. The emotions, grudges, and immaturity that you imply - even if they do exist - become largely irrelevant from this perspective.
    • ^
    • v
    @eastwind:

    Only flaw with that logic is that lots of people have reported vulnerabilities to Apple and did not go through what Maynor went through. We have reported vulnerabilities to Apple in the past and no goon squads and spin doctors have harassed us.

    Help me to understand how you think his limited service is providing more value to the community? How are these vulnerabilities going to get fixed? Finally, being more valuable doesn't make you more ethical. Those have little to do with each other.
    • ^
    • v
    I'm not sure why hurt feelings should influence your ethics.
    • ^
    • v
    Apparently the one point missing is that vulnerability disclosure is not just about the researcher and the vendor talking to each other but about how each one of them talks to the vulnerable population. In this case I see very little value in how Maynor "talked" to those affected by the bugs he found: using a blog post that provided scarce details, no fix or workaround information, explicitly stating that he is not interested in talking to the vendor about it and providing no way to replicate the findings and analyze the results. Yes, I can run a fuzzer by myself, but how do I tell that I've found the same bugs that Maynor did? And how do I independently assess the exploitability and/or criticality of the bug or bugs?
    It's a lame excuse to attribute this useless security "contribution" (sorry, but I can't call it research) to the fact that he's on bad terms with the vendor.
    @jeremy: where do we fit in your spectrum? anarchists? tree huggin greens? eh
    • ^
    • v
    From where I sit as someone who can recommend doing business with one security vendor over another, Maynor's childish antics make these sorts of choices much easier. Thanks to their "as we feel like it" disclosure policy, it's easy to see that Errata just isn't a company I'd ever invite to an RFP, much less recommend.
    • ^
    • v
    I have reported vulnerabilities to Apple on behalf of two different companies over the last two years: eEye Digital Security and Juniper Networks.

    This has ranged from issues in Quicktime and iTunes to the more recent remote root in mDNSResponder discovered by Mike Lynn.

    Based on this and my work with other vendors on vulnerabilities and disclosure I feel I am qualified to comment.

    I have seen an improvement in Apple's response. While I can remember sending them frustrating emails on issues a year ago, the last time I worked with them they were pretty responsive and worked very closely with us.

    Are they perfect? Of course not, no one is. But they have shown improvement and is that not the point of working with vendors in a responsible manner? Helping them improve both their software and their process around dealing with their vulnerabilities?

    While it is easy to have "hurt feelings" and want to punish a vendor in the end it is those that act the most responsibly that will help foster change for the better.
    • ^
    • v
    @Dave G
    I totally agree the logic is flawed if you extrapolate it to every researcher. It says as much about Maynor as it does about Apple. You're right on ethics-value. The limited service is that people know to stay away from Safari for the time being - fixing the bug is a secondary priority at this point since the software is already out there.

    It's starting to smell like a messy breakup where both parties in the relationship (researcher/company) feel they are being abused by the other party. Maybe one party didn't realize they were even dating. Maybe the other party is social engineering the situation for all it's worth.

    So I'm starting to cave into the gist of the other comments here. Not sure what solution there is here. Maybe forgiveness and better communication in the future. Flowers? Dr. Phil? :)
    • ^
    • v
    One of the complicating issues here is that Apple has threatened to keep the iPhone platform closed. If Apple carries out this threat, developers wishing to explore a cool, expensive toy they now own may need to exploit vulnerabilities like those Maynor claims to have found. Apple is choosing to put Safari in the trusted code base of a platform that works against its owners. Doing so could be deemed to remove Apple and Safari from the set of good faith actors worthy of responsible disclosure.

    Researchers might not disclose flaws to authors of malware which works against the owner of the system it infests.

    Curiously if Mach was under the GPLv3 rather than a BSD style license, the community would be safe from this kind of closed platform problem.
    • ^
    • v
    @Thomas Ptacek
    It’s funny how my policy regarding unethical vendors (not just Apple) just gets trivialized as me “holding a grudge”. To be honest, reporting vulnerabilities to Apple or vendors like Apple is just simply bad business on my part. If Matasano did work for a vendor and then they didn’t pay, would you work for them again? That’s not exactly the same situation, but if in the past Apple chose to deal with people in an unethical way that could damage my business or brand, where is the business case for working with them? I am sure at the end of the day everybody would like to have a big security research love fest, but it’s not possible; we run a business.

    @DaveG
    Lots of people report vulnerabilities to Apple and have the same problem. For a recent case, look at how the mDNS bug got trivialized by Apple.
    • ^
    • v
    @Dave Maynor:

    That isn't the same problem that you had with Apple. It actually isn't even in the same realm. As I understand your issues with Apple, you claim:

    1. Threatened you legally.
    2. Denied that you found something.
    3. Didn't credit you with a patch.

    Please tell me which of these issues applies to Mike Lynn's find. For mDNS, the worst thing you could say is that they use language that isn't explicit enough.
    • ^
    • v
    Dave: which is it? Is vulnerability info "special, privileged" information that vendors and researchers have an obligation to handle diligently for the good of end-users, or is it "just info"?

    We think the former: it's special, and handling it imposes obligations on everyone. So, we don't get to hide information from users just because a vendor pisses us off.

    You seem to think the latter now: it's just info, and if Apple pisses you off, you're under no obligation to do anyone any favors. Ok! Can you stop talking about ethics, then? When you play by "their rules", you concede the rest of the argument to them. Don't worry, we'll keep up the principled stand on disclosure for you while you quietly mine the world's software for secret vulnerabilities.
    • ^
    • v
    @ Thomas
    "Ok! Can you stop talking about ethics, then?"

    On the contrary, please begin talking about ethics!

    You've just laid out two opposing positions on a question of ethics. Things can then get interesting when you start presenting ethical reasoning in support of those two positions.

    Your statement above could at least be interpreted as "you don't agree with me, so you forfeit your right to present arguments in support of your opinion." I'm guessing you don't mean that...
    • ^
    • v
    I don't mean to be derisive towards Dave. Dave knows I disagree with him, but he can still buy me a beer at conferences. I'm pointing out that Dave is trying to have it both ways: claiming that it's his prerogative to share or not share Apple findings he generates, while at the same time claiming that Apple has an obligation to handle his findings "correctly".
    • ^
    • v
    @Thomas Ptacek:
    Gee Tom, if I didn’t know any better I would say you are interviewing for a PR position with the Bush administration in the way you spin things. You completely ignore the fact that with the majority of vendors we behave exactly as vendors like ISS does. We will report vulnerabilities and let them fix them, but unlike you we never release details on the vulnerabilities, no one has convinced me yet that doing so even after a patch is released makes anyone safe. What is the difference between you releasing details with the patches and people actually applying the patches? If you ask me, you are a little trigger happy on releasing details.

    Then there is us. We give everybody a chance. You make it sound like I woke up one day wearing a pink dress and heading to a cotillion and I just up and decided to throw a hissy fit and blacklist Apple. If you remember correctly, I gave them a chance, I deemed they handled the situation unethically, and because of that Errata Security does not offer free QA services to vendors. To be honest, at the end of the day, no matter how much you dress up what we do, we are glorified QA.

    I don’t doubt for a second Apple didn’t spend adequate QA time on Safari 3 expecting people like me to rip it apart and do it for them. http://larholm.com/ Sounds like other people are unhappy as well.
    • ^
    • v
    Thomas,
    "I’m not sure why hurt feelings should influence your ethics."

    They absolutely should. They test whether you really stand by your ethics, or whether you just say something that sounds good, until it's inconvenient to actually live by them.
    • ^
    • v
    MikeP:
    I keep missing something. If a company acts unethically towards me, why is my business decision not to have any relationship with them not standing by my ethics?

    I'm not releasing code that puts anybody at risk, I'm not selling the exploits, so where is the ethics violation?
    • ^
    • v
    Debating disclosure ethics is so 90's, people.

    I wrote a bunch more after the above sentence. But in this case experience is telling me that discretion is the better part of valor. Anyone (whom I know) who brings up this subject near me at Blackhat is going to get an earful.
    • ^
    • v
    @david maynor:
    Because you AND Apple do not live in a bubble. What you do with the bugs you find may affect real people besides just the abstraction of a company named "Apple", even people that do not work for such company. You did not help ME -a vulnerable Safari user- with your pseudo-disclosure, you did not provide me enough details to help me fix my Safari by myself or work around the bug, you did not help Apple fix the bug either (even though they may not care about it)... so, who are you trying to help? Maybe I got it all wrong and you are not trying to help anybody, just showing off your m4d f00zz1ng sk1lz to land a f4t consulting g1g?
    I do not question your ethics (or the lack thereof), I question your acts. The way you disclose the bugs you find does not help me and I don't see how they help the security community at large. In fact I think it hurts the community, specifically the vulnerability research community. So in sum: In my role of vulnerable user you are not helping me, in my role of security professional you are hurting my profession. What would you do in such a situation?
    • ^
    • v
    @ivan
    I helped you. I gave you a valid reason not to use that browser because Apple developers did such a poor job creating and testing it. I may not have helped you in the way you wanted, but I gave you fair enough warning that the bugs were so easy to find that it puts you at serious risk.

    As a security professional how am I hurting my profession? If anything I am holding companies accountable for bad software design practices. Apple put you at risk, not me. You think I am the only person that can run a fuzzer? You think that people who make a living finding and selling these bugs would offer you a warning to not use that software?

    I love people who throw stones without a basis. Wasn’t it your company that dropped 0day on Thanksgiving a few years ago in the Microsoft WINS service? I remember that clearly as I had to reverse the process, find the bug, and help ISS write protection for it. That bug then ended up in a botnet being actively used to exploit innocent people. Save your long-winded speeches for someone that doesn’t view you as a vulnerability hustler trying to clean up with cries for “peer review” and making research “legit”. Tell you what: as soon as a bug I release ends up in a botnet, then feel free to criticize me; until then just sit in your ivory tower.
    • ^
    • v
    Without knowing the details about the "Thanksgiving WINS Massacre", but with the experience of ruining Christmas for a famous Unix company in the '90s, I'm going to opine that it's better a finding come out on Thanksgiving Day than never (in public) at all. At least it got fixed.

    I also have the honor of having found and published one of the '90s SANS top 10 vulnerabilities (I'm not naming which). It predates botnets, but surely would have landed in one. It doesn't keep me up at night, brother. Tell me, do you think HD Moore needs to apologize for Metasploit, or do Mark Dowd and Neel Mehta for their X-Force work? You don't believe the argument you're making. Make an argument you do believe.
    • ^
    • v
    Kudos for Dave Maynor. You are totally right not dealing with Apple; by doing so you would expose yourself and your business, as it happened in the past. Companies have to have a clear disclosure policy, so researchers know what they are getting into when they disclose. It's just not worth it to disclose something and then maybe end up in a legal dispute, or with your reputation ruined. You will just be a fool by doing so, even if your ethics tell you that is the right way; no one in their right mind will go ahead and go forward if that could harm you.
    If Apple doesn't have a clear disclosure policy, then they aren't being ethical, and you are wise in staying away from them.
    • ^
    • v
    @david maynor
    You should inform yourself a bit better. My company did not release any 0day _EVER_. You simply did not do your homework. The WINS bug was originally disclosed on the website of some other security researcher weeks if not months before we released the IMPACT exploit to our customers (not a 0day, not a blog post, not a gutless "security advisory", not a screenshot nor video nor a media marketing campaign: *real* code valuable for our users). The bug was already in the public domain in the same manner that you are so fond of using: someone bragging about having broken MSFT warez, showing a screenshot on a website without further details and having had no contact with the vendor.
    The original post was in May 2004. It was also published on a different website by yet another party on June 11, 2004, claiming that he had a 0day exploit for it since May. Further details were posted on this last website on November 26, 2004. We did our analysis, wrote, QA'ed the exploit and shipped it to our customers on November 25, 2004.
    The situation, in fact, is not that different from the one you may have created with the disclosure of your Safari findings.
    All we did was: research the bug, write and QA the exploit, ship it to our customers and talk to the vendor to explain all of what I just said with substantiated evidence. _WE_ had to talk to the vendor, bear the heat and explain all of the above because of somebody else's irresponsible acts.
    THAT IS WHY I FEEL THAT WHAT YOU DID IS DAMAGING TO THE COMMUNITY. I'VE BEEN THERE AND SEEN IT HAPPEN.
    Now, regarding "the bug that ended up in botnet activity" that you so lightly talk about... which one is that? The one that, as I just explained, we did not find nor advertise on our website (WINS or Safari) or the one that ended up being used by the Witty worm? You may view me any way you like, but I am not the one herding 0day, selling vulnerability info or bragging about my findings without giving anyone -but maybe my buddies and paying customers- details. I don't sit in an ivory tower; I work day in and day out in a company that is intimately related with vulnerability research. I've been personally involved in every single advisory that my employer has published since 1996 and there hasn't been one about WINS. Furthermore, to the extent of my knowledge there hasn't been ANY bug disclosed by my employer that ended up as part of a botnet or worm.
    BTW, I don't recall you contacting me or anybody associated with my employer asking for details or explanations about the WINS bug that we did not disclose back when you were so busy at ISS. Had you done that back then, you could have learned the truth about it.
    As for Thanksgiving: sorry, I don't live in the US so I wouldn't know when it is not OK to release a product update for our entire worldwide customer base. Just in case, please do not make any more blog posts about your 0days next Monday... you see, next Monday is a holiday down here in Buenos Aires. And although English is not my native language I am perfectly capable of spelling the word "legitimate" correctly.
    • ^
    • v
    @Ivan you said:
    We did our analysis, wrote, QA’ed the exploit and shipped it to our customers on November 25, 2004.

    Huh. I have weaponized code and exploits available through our Hacker Eye View service. I have mitigation strategies in the form of Snort rules and NASL scripts for our customers. How did your Impact exploit help customers fix any problems? I don’t recall Impact providing IDS rules or scanner checks…

    So it sounds like we do the same thing you do, even more by offering actual ways our customers can protect themselves, but somehow I am making the world a less safe place. You just lost all credibility in my eyes in any argument regarding this subject, but feel free to yell at me more for following the same business practices you yourself follow, make fun of my spelling, and use all caps; things like that really make your argument valid.
    • ^
    • v
    @Thomas Ptacek
    Where do you see me asking for anybody to apologize for anything? Ivory Tower Ivan, or ITI (I will only refer to him as that now), wants to point fingers about how I am making the world a less safe place. I believe if he wants to release weaponized code that ends up in a botnet that is his business decision. I just don’t want to get lectured on responsible disclosure by him when we protect our customers in the same way, if not more, than what he does for his customers. That would be the equivalent of getting lectured by Andrew Dice Clay about not cursing.
    • ^
    • v
    @david maynor

    No, we don't do the same thing. We provide details about the bugs that *we* discover (which as I explained was not the case of your misplaced WINS example), we contact the vendors and give them details, we publish our findings to everyone at the same time: paying customers and non-paying customers (i.e. everybody else). We don't even attempt to profit from our customer base with the bugs we found, we don't sell them that information as a service, we do not herd 0day, we do not claim findings and then show videos as the means of proving our findings: we show technical details and code or we don't show anything. We don't sell "analysis services", we sell software; yes, our software includes exploit code for known, publicly disclosed bugs, but it does not include 0day (even though it would make it much more profitable). We even give out defensive software FOR FREE. Not an IDS signature, a fully fledged HIPS for Windows. That's mitigation for everyone, not just for those that pay us (which seems to be what you indicated as desirable with your NASL scripts and Snort rules).
    We do not have two, three or four different standards for how to conduct ourselves in the industry.

    Our business practices are absolutely not the same of yours no matter how hard you'd like them to be.

    Finally, Dual Standards David (DSD, I'll call you that for as long as you call me ITI, seems fair to both of us), you got it all wrong. I don't want to point fingers at you because I think "you're making the world a less safe place"; I am upset because you are (or at least I feel that you are) hurting my profession and not helping _me_ solve a security problem that you found and that affects _me_. I don't speak on behalf of the world, I only speak on my behalf and of those that I work with.
    You are entitled to do whatever you want with your business and I won't pass an ethical judgment on your actions, but if I think that what you do does not help me and may put at risk my profession (and a hundred co-workers' careers) I will say so.
    • ^
    • v
    David, the name calling is silly and drops this argument down to the kindergarten sand-pit.

    Throwing stones at ivan begs a little test:

    Vendor-A found a bug in OpenBSD. Despite the vendor's initial "this is just a DoS" reaction, solid research carries on and the bug is proven to result in remote code execution. Vendor-A releases the advisory when the patch is available and even publicly credits the OpenBSD team.

    Vendor-B follows an immensely (over) hyped conference talk (even if it wasn't their doing) with a blog blurb of an advisory with 0 information (but with comments to the trade press).

    I guess you can guess why Vendor-A doesn't agree that A & B are two peas in the same pod...
    • ^
    • v
    We're really losing perspective on this.

    We have to stop pretending that researchers and vendors have the right to determine disclosure practices. It's really the responsibility of the *users* who are most affected to speak out and tell *us* what they want.

    On one side is Dave, who doesn't believe in releasing code since that can help the bad guys. It's a reasonable position: before exploit code appears, unless there's a quick workaround, code will probably help the bad guys more than the good guys. Most end users don't have the resources to use detailed vuln info; they want patches and defensive tools/signatures. Dave also doesn't want to work with vendors who he's had negative dealings with in the past.

    On the other side is Ivan, who believes that by giving customers code to test their systems and harden, they are better secured. All vendors should be notified of vulnerabilities and information only released in public with real code. Again, a totally reasonable position.

    But the real world seems far grayer, and after years of watching this debate it's frustrating to see how little is contributed by those most affected- the users. We need more user participation, and have to stop letting the disclosure debate be completely defined by vendors and researchers.
    • ^
    • v
    Do you propose taking a poll, and abiding by it?
    • ^
    • v
    A poll won't give us totally accurate results, but it sure as heck is a good start. Any online poll is too easy to game. It also depends on the results- will we see a clear trend? Or just as much debate as in the research community.

    Either way, we won't know until someone tries.
    • ^
    • v
    @crash
    I am in total agreement. I'd just point out that if we want the users to make an informed and rational decision, both researchers and vendors should provide accurate information and should make the disclosure process transparent to external observers. As it is today, most users have no clue whatsoever of what *really* happens during the period that ranges from discovery to public disclosure of a bug (including all the sordid details of the communications between vendors and researchers).
    • ^
    • v
    so, yes, we all know your disclosure ethics on vulnerabilities and how exploits fit into the equation.

    but what is your disclosure policy on new threats? think CWE, not CVE. how do novel weaknesses become disclosed? if it is even possible to disclose them responsibly, how does a security researcher go about doing so?

    what is the Matasano policy on these sorts of disclosures?
    • ^
    • v
    David, that wasn't aimed particularly at you, but since you asked... my kneejerk reaction is that you start a relationship with the company when you release statements about their products. You may not care to further the relationship any (say, by giving them or anybody else more details about what you found), but you do have *a* relationship at that point.

    I don't know if you're standing by your ethics, I'm not trying to judge you or them right now. I was just responding to Thomas's statement in a general manner.
    • ^
    • v
    Our “over hyped” vendor talk brought attention to a vulnerability class that not many people have heard of or thought about resulting in scores of bugs fixed.

    What I should have done, which seems to be the general feeling here, is protect everybody by dropping 0day and claiming I am helping to fix the problem. You forgot that in your comparison: how many of vendor A’s exploits were used to attack innocent people versus vendor B? There seems to be a false sense that patches are applied instantly when they come out, which everyone knows is not true. So dropping working PoC with an advisory is leaving tons of people vulnerable.

    Also there is this criticism that I am not helping people fix a problem. How is a PoC going to assist with that? When vulnerabilities like these appear, the best way to protect yourself is to stop using the affected applications. Does anyone here really think releasing PoC for the problems will make end users craft a binary patch to protect themselves? No, of course not.

    I think the MOST important thing is people don’t get owned, call me old fashioned. I am still holding out for the belief there are lots of ways to get problems fixed without dropping exploit code that can be used by both good guys and bad guys.
    • ^
    • v
    This is an interesting topic that has been debated for years, and this discussion does not seem to have moved the agenda along any further.

    I have disclosed vulnerabilities under a variety of different policies, proprietary/closed/responsible/full. In all cases, independent third party verification has been possible either through vendor credit or source release.

    Maynor has had a heated past with Apple. As such it is only natural to expect more from him than unverifiable claims of 6 vulnerabilities. If neither we nor Apple can verify these claims ourselves and no other independent third party can vouch for the claims then that is all they are - unverifiable claims.

    I don't hold a grudge against Apple, yet I still released the first 0day exploit code for Safari 3. I doubt that I will now have any problems getting a proper and swift response from Apple on my remaining Apple vulnerabilities, all of which will be released under a responsible disclosure policy quite similar to the one Matasano abides by.
    • ^
    • v
    @Dave Maynor:

    I think the criticism here isn't that you haven't dropped exploit code. It is that you have publicly stated that you have vulnerabilities in Safari and that you aren't going to help Apple's customers by reporting the vulnerability because you got into a fight with Apple.

    Can I ask what specific information is being made available via Hacker Eye's View on this?
    • ^
    • v
    @Dave Maynor:

    If you're not going to "offer free QA services" to Apple, nor share anything that you find, why are you looking at their code at all? Why publish the warning at all if you don't want to be involved? From the outside, what you did looks a lot more like an attempt to cast a bad light on a company that you have a rocky history with rather than actually improving public safety.
    • ^
    • v
    As a "user" (meaning corporate customer of various security services), allow me to repeat that how a vendor presents themselves to the public has something to do with this whole question. The vendors who come off as "part of the problem", whether that be by releasing 0days or airing their dirty laundry in public, are not vendors who I could consider contracting for any security services at all.

    "We" customers don't care who is the 1337est of them all in terms of bugs found and weaponized. What it comes down to is the perception that people who do things which might cause harm can't be trusted.

    Probably my experience in various aspects of security (not as a bug hunter) colors my opinion, but it is what it is.
    • ^
    • v
    @DaveG
    I can’t help but notice you continue to attempt to trivialize my disclosure decision to “I don’t report bugs to Apple because I got mad at them”. There is more than just Apple on the list and I, according to all my customers, have a valid business reason for what I do.

    @Outside Party
    I have to look at Apple products because they affect my customers.

    @Chris_B
    Based on what you are saying you must be pissed at vendors like Core who find their exploits in botnets or Matasano who release in-depth details on vulnerabilities on the day the patch is released before assuring every vulnerable person has applied them.

    Please tell me how I put anybody in danger of being compromised?
    • ^
    • v
    @David Maynor

    None of your response addresses my comment. Let me try and put it a bit more clearly: I don't want to do business with a company that has you as a prominent figure because you come off as a PR problem.

    It's not you personally; I generally don't want to deal with a QA service or advisory service that makes the sordid details of their business relations with others a matter of public record.

    Is any of that unclear?
    • ^
    • v
    Are you serious? Do you use any advisory or QA service? If so you signed a PO with them and you didn’t bother to ask about their disclosure policy? That’s kinda short sighted.

    I think it is about me, you just can’t admit that because it completely takes the wind out of any argument you have. For all the posturing you have done you seem to support organizations that actually put people at risk yet you reserve your scorn for an organization that refuses to help criminals or put users at risk. So it can’t be any business practice we have that makes you dislike my company; as you said, you just dislike me. That’s fine, I don’t like you either, but just admit it instead of trying to hide behind hollow arguments and contradicting yourself.
    • ^
    • v
    @Chris_B
    Also we don’t weaponize vulnerabilities because we are 31337. Our value to a company is the ability to tell them without a doubt what threats are real and what threats amount to marketing hype. In order to do that we develop a working exploit for every Hacker Eye View report we create. If we can’t get code execution or it will only be reliable in a lab type environment we inform our customers of that. On the flip side, if a vulnerability is trivial and does not take much effort to make reliable we tell them that as well. Since we aren’t a vulnerability clipping service and we create original exploits for every HEV we write, we can speak with authority about the actual impact to an enterprise.
    • ^
    • v
    David, Chris *just said* it was about you. =)
    • ^
    • v
    Also, for what it's worth, we've released a total of two (2) advisories since our inception, one of which was for a vulnerability that had an exploit in the wild prior to our release.

    But, thank you for positioning us as the full-disclosure zealots. I feel like we take much more shit from the researchers for not releasing findings than we do from customers for releasing too much.

    Why would an enterprise care whether you're a "clipping service" or not? Does an exploit "hand crafted by David Maynor" have more value than one written in Poland? I recommend that you guys try to differentiate on things that have value to customers, not on things that gratify your team.

    Unless your exploits are engraved. I'll take two!
    • ^
    • v
    @Tom
    Wow, believe it or not everything Errata does is not about my ego. My ego has nothing to do with our decision not to disclose vulnerabilities to Apple, and ego is not a factor in our choice to create new exploits from scratch. The reason we do it is simple: to understand the vulnerability in-depth, to understand any possible mitigating factors, additional vectors, and even possible evasions that could affect security tools. In addition to supplying customers with all the information we can find to protect themselves, we also use this information in our product tests. This is not the kind of information you can get from just doing a write-up on a publicly available vulnerability.

    A lot of publicly available exploits suck (not including Metasploit, they rock but they don’t cover everything), so in order to really understand the impact to an environment we have to construct high quality ones. So it's not about the “crafted by David Maynor” angle, it's about the “we understand the threat from the ground up” angle.
    • ^
    • v
    I'll take two!
    • ^
    • v
    @David Maynor

    I don't dislike you, I don't even know you. This is business, not personal. If you dislike me, well, that's on you.

    My employer does make extensive use of QA services and does pay for several reporting and research services. We have a reasonably good (IMNSHO) security experts group who, as far as I've seen, is quite able to differentiate vendor hype from potential threats to our business environment. We also have a rather long set of terms and conditions to which we subject every vendor before we sign any contracts.

    We try and do a reasonable amount of due diligence before we go to T&C though. Part of due diligence is estimating the risk that a company will end up affecting reputational risk. Once again, from a business perspective, you look risky.

    I hope this is clear enough and that you understand I'm speaking with my work hat on. Maybe someday we'll run into each other and can work out whether we get along personally. If you are at Black Hat Japan, let's have a drink there.
    • ^
    • v
    Yea, you all have it wrong. Non-disclosure is the way to go. Don't tell anybody anything. Not the vendors, not the public, not your so-called "peers", *NOBODY*. Keep the sploits to yourself. Use them when it benefits you. Send the PoC's and exploit details to the appropriate vendors after you've owned all the money grubbing whitehat "security professionals" you can with your 0days.

    pr0j3kt m4yh3m 1nd33d.
