Stop Insinuating Things About Mehta’s Snort Finding

Thomas Ptacek | October 29th, 2005 | Filed Under: Disclosure

I feel silly sticking up for Neel Mehta, who doesn’t need any help from me, but to clear something up: just because ISS published the advisory doesn’t mean that Mehta was forced to research Snort. I would be surprised if Mehta doesn’t have a huge explicit say in what his targets are, and it is clear to everyone in the industry that he has a total implicit say, since he’s a team MVP.

The process of moving a finding from vendor disclosure to public advisory usually takes a long time. The timeline here seems to be:

This unusually fast turnaround is a credit to the SourceFire team; on the other hand, Snort is open-source, so once the fix is committed there’s an incentive to publish formally, before black-hats notice.

I don’t condone CERT’s involvement here, but for a totally different reason than Bejtlich. Bejtlich sees it as evidence that ISS went out of their way to throw an elbow at SourceFire. But CERT, ISS, and SourceFire coordinated the advisory and didn’t release it until SourceFire patched; that’s the same process as would have occurred without CERT. And that’s my problem with CERT: I don’t see the value they add, apart from acting as an unneeded dampener in the disclosure-publication process. Maybe someone can clear that up for me.

In any case, coordinating an advisory is a huge pain. My company handles it for me. Neel’s handles it for him. I think it’s safe for me to put words in his mouth and say that Neel would rather be getting real work done, or for that matter be getting eaten by a bear in British Columbia, than to be on the phone with CERT and SourceFire for a week.

Finally: nobody has made any case for why “opposition research” (Jaquith’s term) is anything other than helpful to the community as a whole. Snort is widely deployed and perfectly fair game, by which I mean, people who take the time to improve its code are doing the community a service, regardless of what you think their motives are.

3 Comments so far

  • John Ward

    October 29th, 2005 7:12 pm

    Thomas,

Usually I agree with Bejtlich, but in this particular case I have to agree with you. First, Snort is open source software. Being open source software, it is subject to peer review from individuals outside of Sourcefire. That and that alone indemnifies Neel from any wrongdoing. If it had been me that discovered the vulnerability, I doubt anyone would be placing blame on my company. Second, I don’t see Sourcefire crying foul anywhere, so I see no reason for anyone else to do it either. Third, while a grey area profession, security researchers’ primary function is to find vulnerabilities in widely used software, and Snort does fall under that category. And finally, Neel worked on this for ISS; as such it is ISS’s responsibility to notify the vendor since they are the principal security company, regardless of Neel’s reputation. It would be the same as me going to one of my company’s customers and notifying them of an issue with their account. It’s not my responsibility to notify individuals of anything; we have departments that deal with that. Personally, I feel this is a whole lot of hubbub for nothing.

  • Pete

    October 30th, 2005 9:44 pm

    Why on earth should people be forced to “make a case” against helpfulness? If it was really just help, couldn’t they decline the favor? No, the onus is on bugfinders (finding a buffer overflow really isn’t research anymore) to offer their service and wait for a request - that’s how “help” works.

  • Anonymous

    November 5th, 2005 3:26 am

    Pete - some buffer overflows ARE still research. See eEye’s latest involving array index manipulation, which isn’t entirely “new” but certainly ain’t your daddy’s overflow. The programming errors, analysis, and attack techniques are getting more complex and sophisticated.

    On CERT:

    1) CERT has high name recognition in certain circles and can have more cachet and influence than even Neel and ISS. This can be very useful when you run against a recalcitrant vendor.

    2) CERT has extensive experience in handling major disclosures that affect dozens of vendors.

    3) If you care about critical infrastructure and believe that CI people should get early warning, then CERT is a good way to go.

    4) Previous comments apply to NISCC as well.

    Steve Christey
