Saturday, January 05, 2008

ethical conflict in the webappsec domain

anyone remember back in 2005 when the folks at dvforge decided to give malware authors an incentive to create mac os x malware? well don't look now but something very similar has just happened with regards to xss worms...

yes, folks... robert hansen (aka rsnake), the founder and ceo of sectheory, felt it would be a good idea to hold a contest to see who could create the smallest xss worm... ok, so there's no money changing hands this time, but that doesn't mean the winner isn't getting rewarded - there are absolutely rewards to be had for the winner of a contest like this and that's a big problem because lots of people want rewards and this kind of contest will make people think about and create xss worms when they wouldn't have before...

would you trust your security to a person who makes or made malware? how about a person or company that intentionally motivates others to do so? why do you suppose the anti-virus industry works so hard to fight the conspiracy theories that suggest they are the cause of the viruses? at the very least mr. hansen is playing fast and loose with the public's trust and ultimately harming security in the process, but there's a more insidious angle too...

while the worms he's soliciting from others are supposed to be merely proof of concept, the fact of the matter is that proof of concept worms can still cause problems (the recent orkut worm was a proof of concept)... moreover, although the winner of the contest doesn't get any money, at the end of the day there will almost certainly be a windfall for mr. hansen - after all, what do you suppose happens when you're one of the few experts on some relatively obscure type of threat and that threat is artificially made more popular? well, demand for your services goes up of course... this is precisely the type of shady marketing model i described before where the people who stand to gain the most out of a problem becoming worse directly contribute to that problem becoming worse... it made greg hoglund and jamie butler household names in security circles, and it made john mcafee (pariah though he may be) a millionaire...

and just in case you bought into the argument that the idea was to distill the samples down to the pure essence of what an xss worm is without all that obfuscation muddying the waters, consider this: in every past instance of extreme code size optimization (which is a foregone conclusion in a contest to find the smallest anything) the final outcome has actually been made more obscure by virtue of the hacks and tricks used to squeeze out as many unnecessary bytes as possible...

how is it that the security industry has arrived at a state where the people in it promote the threats they're supposed to be helping protect against? how does making problems worse serve the greater good?

*update* - there's now a follow-up to this article here
