WhiteAcid’s Tale
For those of you who don’t know him, Sid, or WhiteAcid, has been a frequent poster to the boards and has contributed several tools to the webappsec space, including the POST forwarder tool and the community cookie logger. Recently he found a vulnerability in the customer routers of BeThere (his ISP), allowing compromise of a lot of people’s home networks. Yes, that’s bad. WhiteAcid’s full disclosure was actually posted here. There’s also a news article at the Register about it.
This was an interesting case from a full disclosure perspective. WhiteAcid was able to demonstrate the issue, and informed the public, to get his ISP off their butts to fix the issue. Granted, it’s not a way to make friends, but their reaction was interesting. First came a cease and desist, then they booted him off their network. Basically, they threatened legal action against him. Here’s a snippet of an email to me from him about this (edited slightly for readability):
As for why… Finding the flaw was sort of accidental and once I had it I had to release it. I’ve always thought Full disclosure was a good way to do things, the best way to get companies off their lazy behinds and in gear, that’s why I posted everything publicly. I don’t regret any of it, in fact, if anything I only regret censoring at my ISP’s request.
I know a lot of people have said I shouldn’t have released the passwords, that that was pointless. But I felt I should give out all the information, bad guys can get the password easily anyway. Besides, had I not released the password, virus (a friend of mine) may never have bothered writing the perl script (which he commented to the blog) which would fix the flaw.
This was interesting because their reaction was not to immediately alert their customer base of the flaw, but rather to kick WhiteAcid off their network. I’ve seen this sort of behavior more times than I can count. Companies feel that by putting the crook behind bars their unlocked door no longer matters and the bank is now secure. Not only that, they spend countless hours in legal fees, PR headaches, dealing with authorities, etc… and none of it makes them any more secure.
In this case, especially given their reaction, I would doubt that many researchers will release anything about their state of security - not to say they will be more secure - far from it. All they did was make themselves a target. Would I stay with their ISP given this information? Doubtful, since they are more interested in their public image than customer security. Clearly, they have a lot to learn about damage control.



April 19th, 2007 at 10:19 am
WhiteAcid has a tail? And here I thought humans had evolved to the point of only having a vestigial tailbone.
Will WhiteAcid tell us the tale of his tail? How long he’s had it, what he does with it, etc.? How does he sit? What happens when he goes through airport security?
Curious minds would like to know.
April 19th, 2007 at 10:29 am
This would be me: http://www.powerforkids.com/images/tail/tail2.gif
My tail is excellent to speed up my typing and my multitasking, making me a real life core 2 duo.
April 19th, 2007 at 10:30 am
Alas, my phonetic typos! Ahh… I’ll fix it.
April 19th, 2007 at 11:23 am
Bahaha. The address is still tail.
That made me lol.
April 19th, 2007 at 11:29 am
Spellcheck makes me lazy, and doesn’t help the fact that I switch words out that sound the same sometimes when I’m typing too fast. So yes, yuck it up! I could change the URL, but then people would find a dead link if they used the old URL.
April 19th, 2007 at 12:32 pm
This is almost as bad as what happened to Valve, the Counter Strike gaming company, the other day. Apparently someone found a vulnerability in their “cafe”, was able to gain shell access, and was then able to grab all the credit card numbers, collected data, and also the financial information relating to Valve. Then someone made a post on the official support forums about it, it was deleted less than 5 minutes after it was posted, and the user was told not to post it, and that they’d handle it.
Unfortunately Valve still has yet to disclose this information to the unknowing users they possess, but the data is still publicly available in a Winrar sample file. Sounds like another case of people more worried about their image than actual security.
April 19th, 2007 at 1:40 pm
My gmail account was banned right after I posted my Gmail hack.
Nevertheless I got some friends there so it was reactivated…
April 19th, 2007 at 11:57 pm
“I’ve always thought Full disclosure was a good way to do things, the best way to get companies off their lazy behinds and in gear”
That’s an incredibly naive view. We’ve all had the frustration of dealing with a large company, and seeing our bug reports disappear into a black hole. However, just think of a couple things:
- For every legitimate security issue that is reported, there are literally thousands of clueless idiots submitting garbage. Typically these are in all caps with liberal use of exclamation points.
- Even large companies have finite resources. Some security issues have to be put on the back burner while others are attended to. By forcing them to make a quick and dirty fix, you may just be making the problem worse.
- There are people on the other end. It’s easy to vilify a large company as a faceless entity. But for every public disclosure, you’ve just paged some on-call engineer in the middle of the night who has to spend the weekend writing an immediate patch to something that might have been fixed in the next code push. Fine, that’s what they get paid for, but is it any surprise they think you’re a dick and want nothing to do with you?
My advice to you is this: Be a responsible security professional. Cultivate relationships with security teams and work toward the common goal. It’s not adversarial.
Don’t just be another random crank sending angry email and don’t go for short-term message-board props. If you show respect and responsibility, the other side will respond in kind.
I suppose that’s if you want to work in the field. If you’re looking for big ups from script kiddies, disclose all you want.
April 22nd, 2007 at 1:55 am
Ah, so it was you, WhiteAcid. I heard about the news, but great to hear that it was one of our fellow slackers members.
April 24th, 2007 at 6:52 pm
The name of the guy who wrote the perl script to patch this gives me an interesting idea. Why not do a scan like kuza did to find all the possibly vulnerable users and send them a “virus” to fix it?
April 24th, 2007 at 9:33 pm
@Spikeman
There are a couple of reasons I’d advise against doing it, firstly:
There are 14k+ Users with telnet running, a lot of them are vulnerable - that’s a lot of time and a lot of traffic.
Given the company’s reaction to what Sid did - I wouldn’t touch it, I’m not about to try and help a company who’s as likely to sue me as anything.
And it’s likely the company would rather the issue still be there so that it can more easily administer its routers, because they don’t care about their customers’ security - and so they’ll probably be pissed off if someone did that.