web application security lab

The Chilling Effect

As I wind down to 33 posts left until my 1000th and last post, I thought I should spend a little time talking more introspectively about how our community has changed over the years.

When I got started in security I had around the 130th hacker website on earth. We were all linked together with the second webring ever made (for those of you who recall webrings), which is how I know. Incidentally webring was made by a guy in his basement as a college experiment. Bronc Buster got in touch with the guy, which is why we were the second. It was called the Fringe of the Web. Back then sharing knowledge was hard to do. Search engines didn’t exist (DMOZ was really it). No one really trusted one another. No one really knew much because there weren’t many help files or docs being published back then either. I think a lot of people felt like there was a strong possibility they’d land themselves in jail if they were too outspoken about security. For you to get any better you had to do the research yourself because there weren’t many people around to help (at least in my case there weren’t). That was especially true for me because what I was interested in wasn’t being a good sys-admin or network guy and all the docs were about operating system security, firewalls and memory corruption. People were pretty unhelpful with a lot of RTFM, even though the manuals hadn’t been written yet. Installing Debian on my Gateway2000 with my crapola Mitsumi CD ROM for which there were no drivers yet written was my burden alone to figure out. Instead I was interested in this whole newfangled web thing - which almost no one knew anything about. Defacements were the norm - cybercrime was myth reserved for wild eyed paranoids and movies. Let’s call this the dark ages of computer security.

Later the industry dramatically expanded, and instead of there being just north of a hundred sites talking about security, suddenly you're seeing security related articles and blogs in the mainstream press. There are tens of thousands of sites talking about it. There is more new code and ideas being passed around than ever before. No one really feared jail time anymore, which was the only major consequence of publishing code that anyone could come up with. Enter script kiddies and sites devoted to helping people learn about computer security. Cybercrime was just taking off, and everyone realized that this was turning into a business. Companies started acquiring security and we got cool titles like CISO and CSO and we even have our own certifications. We finally had use cases and anecdotes for everything we had been talking about for all these years. Linux started being sold on commercial desktops. It was the heyday of computer security. Let's call this the enlightenment.

In the dark ages of computer security no one released code because they feared jail. In the enlightenment everyone released vulns because they wanted to make a name for themselves and prove their skill. So where does that leave us today? Let’s take an example of a hypothetical young web application and browser security guy (think me but just starting out) with no background or history in the industry. We’ll call him “Todd.”

Let's say Todd releases a browser vuln that is useful against a good chunk of browsers, but it's an architectural flaw and one that won't be fixed for many years to come because if it is fixed it'll break other things. It's not a desktop compromise type issue; it just allows attackers to harm most websites in some obscure way (think the next version of CSRF or XSS or Clickjacking or whatever). Todd, not knowing what to do or who to talk to, releases the vuln to make a name for himself and to help close down the hole, because he thinks that's the right thing to do. Here are some possibilities:

  • The Vendor is pissed at Todd for releasing the vuln and not telling them first - especially since there’s no fix. You evil vulnerability pimp you!
  • The press asks the simple question, “Why did you release this when you knew there was no fix?” to which Todd has no good answer except he thought he was doing the right thing by letting people know - and then the press mis-quotes him.
  • The blackhat community is pissed because they have been using something similar (or not) but either way they know this cool trick has a limited lifespan now thanks to Todd. More importantly they’ll try to hack Todd for releasing it. There will be much fist shaking and cursing of Todd’s name the day the vuln gets closed too.
  • The elite crowd are annoyed because they don’t think Todd should have gotten any publicity. The elite kernel level bug is way sexier (and it may very well be) and takes more skill (quite possible as well), but Todd knows nothing about the politics of the industry - he’s just interested in his stuff. They may try to hack and drop Todd’s docs to shut him up. There’s only so much limelight to go around, after all. Incidentally, I don’t think most guys who work on these types of vulns are like this, but it only takes a few to deter someone new like Todd.
  • There’s a slim chance someone might offer him a 9-5 job - as long as the vendor isn’t one of their clients.

Now let’s take the flip side - what if he wants to sell it:

  • The vendor won’t pay for an architectural bug - only full machine compromises please!
  • The blackhats won’t pay for it, because it doesn’t give them a shell.

So where does that leave Todd? It’s not in his best interest to release the vuln, because of the externalities of negative pressure, and no one is buying either. How does Todd make a name for himself? More importantly, how does he survive? Why on earth would Todd give up his vuln for free? He knows he could do some major damage with it, but the elite aren’t impressed so he doesn’t even get clout. Perhaps there’s a slim chance the vendor might hire him in gratitude? That’s a long shot and a waste of a great find for the chance at a 9-5 in the boiler room. Instead why wouldn’t Todd say screw it entirely and either stop doing the research and find something else to do or become bad and make some real cash? The chilling effect is in full swing. We are quite squarely headed towards another information security dark age. Sure there are a lot of good documents (if dated) on the web still. The bulk of advisories are from vendors these days, so you’ll still be up on yesterday’s news and patch management will be your life. Private conversations will always continue, but it won’t ever be like the enlightenment again unless something changes. I spoke with two large vendors about this and they acknowledged their part in it and that indeed they offered no good solution for someone like Todd who hadn’t already established himself - except the vague hope of some consulting arrangement.

I spoke with one guy who buys vulns and I asked him who his buyers were, out of curiosity. I was expecting him to say some large software retailers, but he said, “No, no, not at all. Most of my buyers are consulting companies.” I was confused. It turns out that there are a slew of consulting companies that will fail a pen-test with a client, but they can’t show the client that they found nothing, so they’ll whip out a ready-made 0day, impress the client and then they can go on the speaking circuit about their amazing find. Call me naive but it never even occurred to me that this industry could be that messed up. If you see someone speaking at a conference about some memory corruption flaw but they can’t seem to explain their own vuln the way you’d expect them to - you may have found one of these consultants.

I think this is important because as my tenure comes to a close in the blogging world, I feel like there are a lot of very talented people who will never get to see their day in the sun and as an unfortunate consequence of this vulnerability market some talentless people will. I know several people have completely packed up and decided to get out of the industry entirely because of how things are shaping up. I fear that the way things are headed it will be harder and harder for someone to rise to the top, without retribution from their peers. There is a whole new generation of people who are lining up to replace guys like me who are joining a very corrupt and preservationist industry. They may not have thick skin and may not survive what is in store for them. I’ve talked to over a dozen security folks who tell me the same story. These individuals worry about the security community’s reaction to anything these individuals say publicly more than they worry about actual bad guys committing crime. Is it too late to fix, or is it even worth fixing? Or would you argue that this is the best it’s ever been? I’d be curious to hear what people think.

13 Responses to “The Chilling Effect”

  1. AppSec Says:

    Is it really broken?

    Or is it the natural evolution of an industry?

  2. RSnake Says:

Nothing is ever irreparably broken. I think there's a lot of well intentioned people in this industry that could right nearly any wrong if they chose to. I don't care about the fame or drama anymore because I'm personally done, but I know I would deeply care if I were just getting started. I'd love for those kids to get a chance without being squashed prematurely. In whatever way the industry evolves it should allow for the next generation to shine - no matter what their interests may be. We're all better off with the diversity of skillset, knowledge and interest. I'm not at all saying webappsec is the most important part of the industry, btw. I think this also affects other people in other areas as well. I feel terrible when a no-name dude who barely speaks English and has a hard time selling himself gets no clout for some memory corruption bug that must have taken months to perfect just to be outdone by some asshole like me. That's not fair either.

  3. Stuff Says:

    I think you are correct in most of what you say. It bothers me that the cool/sexy stuff in security is basically exploiting/extending the problems instead of fixing them.

    I liken it to Movie Stars/Rock Stars/Sports Stars versus Teachers/Firemen/Policemen/Soldiers etc. The first group get all the glory, all the money, all the “fun” while the second group perform a much more important function, but get squat for doing it.

    The security industry is all about self fulfilling perpetuation. If we don’t teach people how to build, design, code and architect solutions securely, we can keep finding exploits, vulnerabilities and having a fun old time. We can keep showing how leet we are by blowing holes in things and then letting others pick up the pieces as we rollick off to our net “con”.

    It’s sad that as a security industry, we empower the guys who if they aren’t making the issues worse, are certainly NOT making it any better and are getting rich off it continuing to stay in the state it is.

    while the big money is in attack,exploit, disclosure etc etc.. not in defense, architecture, building, secure coding, we will keep seeing the trend of SecFame = Blow up someones shit in a fabulous way.

  4. RSnake Says:

    @Stuff - you could probably chalk that up to raw human behavior. I did a few experiments somewhat early on where I’d talk about a vulnerability immediately followed by another post about security on the blog. I did it over and over, and every time, without fail, the vulnerability got more traffic, more comments and more interest. I don’t blame people for being interested in vulns. It’s the same reason we don’t have more magicians. It’s fun to see the trick, it’s boring to deal with the mechanics. I will admit that I too profited off of exploits.

    I’m hardly guilt free in any of this - including in how I’ve treated other researchers in the past. I’ve also heaped value on minutia about something I care about when all the while there is something else amazing going on elsewhere in the industry. I don’t want other people making my mistakes, if it can be helped.

  5. Bob Says:

    Rsnake,

I agree that purchasing 0-day and publicly presenting it as your own is wrong, however a consulting company does not 'fail' at a pentest because they use 0-day. Agreed that if you're testing a local authority, with $0 security budget, and you require 0-day then you probably need a skills injection.

    On the other hand, for clients with a higher threat level 0-day is entirely reasonable. If a consultancy decides to outsource finding 0-day then so be it, at least they have the ability to replicate the higher threat actors.

    Cheers,

  6. RSnake Says:

    @Bob - I didn’t say they failed because they used the 0day. From what he told me they failed the pen-test and then whipped out the 0day to save face.

  7. Cryptovirus Says:

    I can relate quite closely to what you are saying here - as someone who has been helping Invision Power patch up their flaws while at the same time (slight lag) releasing them on my forums for publicity, I feel quite two-faced.

    Todd could, of course, go the route of responsible disclosure - with the proper amount of secrecy, everyone will be happy.

    - The company will be happy it was able to patch it’s vuln quietly.

    - Todd will be able to release the vuln publicly as something that was in the previous version but is now patched, so may be released without inviting the blackhat ire.

    - The blackhats…well, maybe they won’t be so happy. Let’s call it karma. But they won’t target Todd personally since they don’t know it was he who released it to the company.

  8. Cryptovirus Says:

    Correction:
    The company will be happy it was able to patch *its vuln quietly.

  9. Jarrod Loidl Says:

@Cryptovirus - That only works in the instance where Todd releases a vulnerability that can be fixed. In Rsnake's example, it's an architectural weakness with no easy fix. :(

    @Rsnake - I’m curious, did the guys you spoke to who said they’re leaving the industry state whether they were remaining in IT or were they moving onto something completely different?

    I speak to a lot of security professionals in my country and it seems that in some circles there’s a lot of bitching and negativity and I think to some extent, its a legacy of “elitism” that has never left us from that dark age period you describe.

While learning security has never been easier, with the information so commoditised or at a point where it is far more socially acceptable to share this information, we still have a 'subculture' (for want of a better term) of people who are disinclined to share and in fact are afraid of new blood coming in who threaten their position on the totem pole.

  10. RSnake Says:

@Jarrod - In the two specific cases I had in mind (where I knew them well enough to ask) both of them said they were getting out of computer security entirely. The reason they gave me was that they simply didn't want to get hacked. Perhaps they have things in their past that they didn't want uncovered, fetishes, secret lovers or perhaps they wanted to keep their family safe. I don't know the exact reason - I didn't feel comfortable asking those sorts of questions.

    I concur that it is a lot of the old guard that tends to not want to share information for whatever reason, but it’s not just them. I’ve seen plenty of mid-level people do the same. Their tricks are theirs and they don’t want to give them up lest everyone have their abilities. I’m guilty of that to some extent myself - I’ve definitely got a few tricks up my sleeves that I have saved for a rainy day or because it’s too hard to explain or because I just don’t think the world would be a better place if I talked about it, etc….

    Of course NDAs always get in the way too - lots of secrets are passed under NDAs, and there are plenty of holes that will never get discussed as a result. I’m certainly not saying I know the answer, I just know where it’s trending if we don’t do something about it. But in case there was any confusion on the matter, the reason you are seeing less vulns disclosed isn’t because things are so much safer now than they were 5 years ago. That’s a bit worrying.

  11. albino Says:

    I agree entirely about Todd’s dilemma. I’m not so sure about the dark ages generally though; I think ZDI and its competitor(s) offer a relatively new incentive for hunting down 0days, even if they only care about shell-gaining exploits.

    Regarding your last comment, it’s pretty scary when even security professionals have trouble stopping themselves getting hacked.

  12. austin Says:

troublesome indeed. i am something of a beginner to security myself. your site is one i have bookmarked for new information. i do tend to read the exploits more than the security posts but for a different reason. the exploit posts give a real life example. security posts give more of a best practice for a nebulous problem. not sure if that's you specifically but more for security blogs in general.
seeing a certain exploit, figuring out how it works, figuring out how it might mutate in the future, then finding fixes for this (or making my own) is much easier for me to handle than the more nebulous "this could be a problem, you should probably disable such and such and not use such and such lest a problem of this nature be developed in the future"

    when i discover an exploit its usually web based, as that’s my job and that’s what i need to secure, and i usually report it to my boss and work on a fix. and i may also talk about it on the net with the fixes i have made for it. but i have never discovered a massive architectural flaw. i know of some, but none have been discovered by me.

either way, i will be sad to see this site won't be here for reference anymore. first milw0rm, now this. i guess i do see what you mean, the old generation is leaving and our generation isn't taking over.

  13. Sasha van den Heetkamp Says:

    It has become a grim community. It has become an image industry; literally a show business, with few exceptions. Shallow and prepackaged. Stripped from joy. Personally I think security should never have become an industry as it is today. With the exception of consultation and pentesting.

    I never understood that criminals (that hack) became mainstream. It is pointless. What if burglars became mainstream, all of a sudden it is “COOL” to be a burglar? what kind of values are that? I think the strife for fame, recognition and publicity (whether wanted or unwanted) destroyed it all. But it goes to show how ridiculous it all has become.

    Hacker conventions, another ridiculous idea. What kind of burglar goes to a burglar convention? Seriously. Where’s pride in affirming yourself you rob others for personal gain, tell me.

Ever heard about a burglar that broke into the house of another burglar and trashed the place while yelling: Look! You are vulnerable! Even when I put the best bolts on my door, chances are, if someone jacks a bulldozer he still can prove his point.

Nothing can be 100% secure, get over it fast. It's that simple, and one day you might thank me for such simple advice.

To me it's all about intentions, and they are either good or bad. Personally I never wanted to join this industry, and still don't want to. Got no motives for it. I like tinkering, playing, and making adjustments to something to do what I want it to do. Modifying a service, piece of code, appliance or network that limits my freedom should be (was) the whole point.

    The rest is intellectual horse-shit; top down, instead of bottom up. Well guess what, you cannot know everything about everything. Those blind spots will haunt you forever. Accept and move along, create or modify, don’t destroy. Drifting… but still watching out for sharks…

    ;)