Monday, March 19, 2007

Criminal Intent

InfoSecSellout (who lives up to his name by posting Google Adwords on his blog while criticizing security consultants for being sellouts) posted a great story -- Conversations with a Blackhat. I'd like to highlight a few of his comments.

I recently had the opportunity to share some drinks and interesting conversation with a group of self confessed "bad guys"... These guys make a living in various ways but it seems that spamming, phishing, and carding are their main source of income and of course, once they are done with a zero day exploit they will go ahead and make a few dollars selling it to the highest bidder...

[T]hese guys, and most like them, are against Full Disclosure. Their reason for this is also very obvious, Full Disclosure takes away their opportunity to use exploits that they have been previously able to use...

[They said] "there should be laws to prevent people from releasing exploit code on the Internet." This is obviously a self serving statement as the people already breaking the current laws are not going to care about breaking some new ones and this would take care of their problem with Full Disclosure...

[They also said] "A law like this would take the information away from the actual smart people and leave the retards who feel that having alphabet soup behind their name gives them some sort of self and professional worth watching the vault."


All of this rings true to me, and I can't find a plausible way to argue against it. (It's similar to the argument over firearms in the US. If possessing guns is illegal, only criminals will have guns.) If possessing exploits is illegal, only criminals will have exploits. There will be no way to test if vendor patches work. There will be no way to test if new code possesses older vulnerabilities, or if "security products" (e.g., host IPS and/or AV) introduce previously patched vulnerabilities. There will be no way to understand how exploits work to detect and/or prevent them. Criminals would roam freely while the world sits dumb and blind. (We're not that far away from that situation now, but it would be worse in a world without free information on exploits.)

I always like reporting on real threats, because without these insights we're playing soccer-goal security.

For a timely example of the full disclosure debate, check out Chris Shiflett's publication of a vulnerability in Amazon.com's infrastructure. If you need to understand Cross Site Request Forgeries I recommend this post.

5 comments:

InfoSec Sellout said...

Hey! What is wrong with the google ads? I made an entire $.23 last month.

Richard Bejtlich said...

Heh -- sellout!! :)

one.miguel said...

Yeah, but making guns illegal to own make people feel better! Probably the same with the idea of outlawing exploit code. The only place I've ever seen anyone write about outlawing exploit code (or that they are already illegal) are in mac fanboy websites when they were decrying the mac wireless exploits. Seriously, is there ANYONE CREDIBLE calling for making full disclosure illegal?

Richard Bejtlich said...

I expect some heat from Pete L at some point...

Anonymous said...

Last time I checked, consultants weren't sellouts...just willing to take a risk that falls outside other people's comfort zone. However, don't fault folks for running AdSense on their site...gotta pay the bills somehow (although blogspot is free, others always aren't). At least AdSense is a legitimate service that doesn't throw popups and popunders. Besides, last time I checked, folks presenting and teaching at conferences wanted a return on time spent sharing their ideas as well :-).