Wednesday, January 09, 2008

follow-up on the ethical conflict in the webappsec domain

well, it's been several days now and there have been a number of reactions (such as the comment thread for the article i originally linked to or christofer hoff's reaction to my previous post on the subject)...

i wanted to post a follow-up to address robert hansen's reaction to my post and i was actually planning on posting it sooner but now i'm glad i didn't because i get to throw in material from mike rothman as well...

i'm going to start with mike, actually, since i can at least link to what he wrote (though past experience trying to comment on his blog has been less than stellar - i.e. the comments seem to get lost)... mike posted his reaction in today's daily incite and although he thinks he knows what my argument is about he actually gets it rather spectacularly wrong...
Kurt thinks that this is going to uncover an attack that wouldn't have been discovered otherwise and that's a bad thing.
no, i think that the contest is going to a) create new threat agents (i.e. worms - that is the point of the contest after all) and b) popularize this class of threat...

creating threats (increasing the total number of threats out there) is not something white hats are supposed to be doing... that contributes to the problem, not the solution...

popularizing the threat means that the bad guys' adoption of this class of threat agent will speed up, in other words the arrival of xss worms and other web-based malware (which are probably an inevitability given our current trend towards web-based computing) happens sooner...

both of which ultimately benefit mr. hansen...

That we shouldn't trust these researchers because they think like hackers.
no, we shouldn't trust them because they act like bad guys... creating malware and/or requesting the creation of malware is fundamentally not a white hat activity because it contributes to the malware problem (the way dropping litter on a littered street contributes to the litter problem)...

My point is that in all likelihood they are working on smaller footprint and more innovative XSS attacks and they are going to figure stuff out.
indeed they may well do so, but they sure as hell shouldn't receive help from us in order to get there...

So we need to engage in similar tactics to understand the attack surface and protect our stuff.
similar tactics? defense is not the same as attack, they don't use the same tactics - and even if it were appropriate to use tactics similar to the bad guys (and there's a serious question of how we differentiate ourselves from the bad guys if we do), the bad guys are NOT doing their research in the public sphere... they at least have the good sense to use darknet channels to avoid helping us... that is the tactic we should be copying...

How will we defend ourselves if we aren't doing similar research?
by analyzing threats rather than creating new ones... there is no real reason to expect the malware we write and the malware they write will be similar enough for defenses against our own malware to automatically work against theirs as well...

Kurt's entire argument is based on the assumption that the bad guys aren't going to figure the stuff out anyway.
and once again, spectacularly wrong... my argument is based on the principle of not being part of the problem... it doesn't matter if they figure this stuff out on their own or not, we shouldn't be helping them...

But playing the ostrich game and hoping the problem goes away doesn't work very well.
playing dumb and ignoring the unintended consequences of your own actions doesn't work very well either...

moving right along to robert hansen's reaction (which, for previously described reasons, i'm not comfortable linking to so the quotes will just have to be good enough):
Clearly, and admittedly most of these people have no background in the issue and have never read this site
and then there's me who both has a familiarity with worms and reads the site...

as there are lots of samples of existing worm code in lots of places on the Internet now. Just because they don’t know about it doesn’t mean it’s not there.
and just because it's out there doesn't mean you should add to it...

I’ve always said, you don’t understand a problem until you see it and play with it.
playing with malware and creating new malware are not on the same level...

If working to help the understanding of worm propagation makes me evil, so be it.
understanding may be the ends but those ends don't justify the means... not everything done under the banner of a laudable goal is alright...

I’d rather be evil and be able to help solve problems than be good and be useless at solving the problem
though i've never personally referred to mr. hansen as evil, his current path will make the problem worse, not better, and it most certainly won't solve the problem... worms are not a solvable problem...

Will this empower bad guys? I’d be naive to say there’s no chance of that.
in truth some of the bad guys will gain at least as much knowledge from this experiment as the good guys will... further, the knowledge this produces will be directly usable by them, not us... the contest is advancing the art of xss worm creation (creating new threat agents is the job of the attacker, not the defender), with the intention that the results will be usable in a second stage of research into xss worm mitigation...

For people who liken me to an anti-virus company writing viruses,
i think the closest anyone came to making that comparison was me, but what i actually compared mr. hansen to was an anti-virus vendor motivating others to create malware that would ultimately benefit that vendor... and i made that comparison because, with the exception that mr. hansen isn't an anti-virus vendor, that's exactly what's going on...

I’d like to point out the fact of the matter which is that I don’t get paid to consult with browser companies on browser security
fine, the browser companies don't pay him, but the companies hoping to avoid getting hit by xss worms (among other things) do... the more popular that threat becomes, the greater the chance such companies will get hit and therefore the greater the demand for his services...

To date I also have never been paid by any company who has ever been hit by an XSS worm.
yeah "to date"... that's because the number is still relatively low... but as i said, he does get paid by companies hoping to avoid that fate...

Also, unlike an anti-virus company, I don’t have a security product in development.
instead he has services and a brand and who knows what he'll be able to leverage that into in the future... jamie butler wasn't part of an anti-stealthkit company when he was writing and popularizing stealthkits - it wasn't until later that he became the CTO of a government funded anti-stealthkit startup aiming to solve the problem he helped create...

Think the bad guys are going to stop their own research if we stop talking about it?
no, i just think they won't get a helping hand anymore... or has the idea of not being part of the problem gone out of fashion?

But through it all, I’m 100% confident that this will lead to previously non-published/understood results about worm propagation
and i'm 100% confident that he will hasten the onset of the web-based malware problem by popularizing it as he does...

Time to start working on solutions, rather than trying to keep the research quiet.
said as if those two things were mutually exclusive... they aren't...

and of course there were numerous comments in support of mr. hansen's actions... from christofer hoff:
I found it rather interesting that Kurt took the tack that he did. I think his point regarding the potential for misuse of code generated as a result of the contest is plausible but unlikely.
it was also the lesser of the two issues i was bringing up... however, since the bad guys have shown that they are in fact willing to use proof of concept code written by the good guys (see: bootroot) it's still something one should take seriously...

Honestly, PoC code for any sort of exploitable vulnerability has the potential for misuse, so I’m not convinced this is a corner case that deserves the flambe treatment it’s getting.
apparently i'm going to have to get used to saying 'except these are worms, not just exploits' (because i already said it a couple times on hoff's own blog)...

However, I found it a bit of a reach to accuse you of ethical violations and seeding the world with Malware so you could profit from the results as part of a giant conspiracy theory.
i didn't say he was seeding the world with malware, i said he was increasing the xss worm's mindshare... this contest does increase the raw number of xss worms, but its worst impact is that it captures the imagination of more bad guys and makes them more apt to jump into this problem space sooner...

It’s clear that many of those posting their opinions fail to recognize which side of the fence you sit and the contributions toward making the world “better” you have made.
the side of the fence on which he intends to sit and the one he winds up on are not necessarily the same thing... the road to hell is said to be paved with good intentions after all... whatever contributions he may have made, they have to be taken in context of how they were made...

from digi7al64:
Also in response to this from Dr. Vesselin Bontchev who stated “Respectable security researchers don’t encourage the creation of malware by running contests for it!”. Sir, I don’t believe that a single entity of peers should be solely those with the knowledge to determine who and when the general public should be “allowed” this type of information.
and the reason s/he (sorry, but the pseudonym does not convey a definite gender) believes that is because s/he is either naive, believes malware research is the same as vulnerability research, or is ignorant of malware research/creation history...

malware materials belong in the hands of the public about as much as infectious biological disease samples do...

from someone calling themselves spyware:
Hiding the problem instead of stopping it? What are we, scared? Afraid for the consequences? Act NOW and you are safe.
this person is obviously someone who believes xss worms can be stopped once and for all (thereby making one 'safe')... that's not going to happen unless xss itself can be wiped out (which doesn't require worm research much less worm creation) or unless the entire web regresses to purely static content...

the ability to support malware such as worms and viruses is an inherent property (rather than a flaw that can be corrected) of any system where sharing is allowed, where that sharing is transitive (what i share with you, you can share with others), and where data can be interpreted as program code... nothing in the particular implementations or even in larger patterns one sees in groups of implementations of xss worms is ultimately going to be able to stop xss worms once and for all - only stopping xss itself or all active content stops those things which allow xss worms to be...
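the third of those three conditions (data being interpreted as program code) is the one a site operator can actually remove, and that is what "stopping xss itself" means in practice. the snippet below is an added illustration, not code from the post or from anyone quoted in it: a constructed piece of user-supplied profile text rendered two ways, once by concatenating it straight into the page (data becomes code) and once through an output encoder (data stays data). the function names (escapeHtml, renderUnsafe, renderSafe, containsScriptElement) and the sample text are my own.

```javascript
// Added example (not from the original post). Same untrusted input, two renderings.

// Minimal HTML output encoder: the five characters that can change how a browser
// parses text into markup are replaced by their entity equivalents.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Constructed sample of "shared" user content. What matters for the argument is
// only that it contains markup; the markup itself is a placeholder comment.
const UNTRUSTED = 'hello <script>/* placeholder: would run in every viewer\'s browser */</script>';

// Vulnerable rendering: untrusted data is spliced into the document as-is, so the
// browser interprets the data as program code. This is the property that makes
// transitive sharing (profile -> viewer -> viewer's profile) a propagation channel.
function renderUnsafe(text) {
  return '<div class="bio">' + text + '</div>';
}

// Hardened rendering: identical data, encoded at the output boundary. The browser
// displays the same characters but never parses them as elements.
function renderSafe(text) {
  return '<div class="bio">' + escapeHtml(text) + '</div>';
}

// Crude check a unit test or reviewer can run over produced HTML: does it still
// contain a script element the browser would execute? (A tag scan, not a full
// HTML parser; good enough to show the difference between the two renderers.)
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log(renderUnsafe(UNTRUSTED)); // contains an executable element
console.log(renderSafe(UNTRUSTED));   // same text, rendered as text only
```

in a browser the same effect is obtained by assigning untrusted strings to an element's textContent rather than innerHTML; either way the encoding is done at the point where data meets the document, which is independent of whatever any particular worm implementation looks like.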

from the very briefly named xs:
Education should never be considered unethical.
education at the expense of others may well be unethical depending on the nature of that expense...

and from robert (presumably a different robert than mr. hansen who prefers to go by the pseudonym rsnake):
Security Through Obscurity has never been a good approach,
relying on obscurity for your security is not a good approach, but there are plenty of things for which removing obscurity does not help you...

for example, you would not benefit if your personal details (full name, mailing address, telephone number, financial information, etc) became less obscure...

and that's where things stood the last time i checked... nobody (and i mean nobody) seems to get the argument about the contest leading to the threat class entering the mainstream sooner... mr. hansen came closest when he disingenuously tried to refute the argument that he stood to gain from the problem becoming worse... but the real head scratcher, the thing that i've found most frustrating of all is how people like to apply vulnerability research logic to malware research issues... i'm actually tempted to write a new post specifically about just that...

4 comments:

Anonymous said...

"but the real head scratcher, the thing that i've found most frustrating of all is how people like to apply vulnerability research logic to malware research issues... i'm actually tempted to write a new post specifically about just that..."

Good idea as that seems to be where your lack of understanding lies.

Furthermore, by your logic, your publicizing of the contest is, itself, a "black-hat" action.

kurt wismer said...

oh boy, an anonymous critic...

"Good idea as that seems to be where your lack of understanding lies."

and you're incapable of explaining/demonstrating in what way precisely that i lack this understanding because?

i suppose because that's just an ad hominem attack...

"Furthermore, by your logic, your publicizing of the contest is, itself, a "black-hat" action."

a) going by the comparative number of links, very few people are aware of my post...
b) publicizing the ethical quagmire the contest represents and popularizing the class of threat itself are wildly different things
c) unlike mr. hansen, i absolutely have nothing to gain by the class of threat becoming more popular...

Tim MalcomVetter said...

Kurt,

I'm appreciative of your comments. I wish I could have read them around the time I also commented on the XSS worm contest. Simply put, his contest created an ICBM with a rubber warhead. Now we can all sit back and see if somebody figures out how to add the nukes while we calculate if the benefit really outweighed the risk of "not knowing".

Yeah, yeah ... emperor ... no clothes. We got it. Thanks. It's just more of the same from the "security researchers".

kurt wismer said...

@securology:
i'm not going to follow along with the nuke analogy because it's a little too loaded, but i think you've got the right idea...

basically the only way the bad guys aren't going to use the material from this contest is if every one of them who is now or will ever be interested in this kind of malware already has access to better materials (in which case one wonders how useful the research really was)...