Home > Application Security, Marketing, Vulnerability Research > Grab the Popcorn: It’s the First 2008 “Ethical Security Marketing” (Oxymoron) Dust-Up…

Grab the Popcorn: It’s the First 2008 “Ethical Security Marketing” (Oxymoron) Dust-Up…

Xsswormfap_2
Robert Hansen (RSnake / ha.ckers.org / SecTheory) created a little challenge (pun intended) a couple of days ago titled "The Diminutive XSS worm replication contest":

The diminutive XSS worm replication contest
is a week long contest to get some good samples of the smallest amount
of code necessary for XSS worm propagation. I’m not interested in
payloads for this contest, but rather, the actual methods of
propagation themselves. We’ve seen the live worm code
and all of it is muddied by obfuscation, individual site issues, and
the payload itself. I’d rather think cleanly about the most efficient
method for propagation where every character matters.

Kurt Wismer (anti-virus rants blog) thinks this is a lousy idea:

yes, folks… robert hansen (aka rsnake), the founder and ceo of
sectheory, felt it would be a good idea to hold a contest to see who
could create the smallest xss worm
ok, so there’s no money changing hands this time, but that doesn’t mean
the winner isn’t getting rewarded – there are absolutely rewards to be
had for the winner of a contest like this and that’s a big problem
because lots of people want rewards and this kind of contest will make
people think about and create xss worms when they wouldn’t have
before…

Here’s where Kurt diverges from simply highlighting nominal arguments of the potential for
misuse of the contest derivatives.  He suggests that RSnake is being
unethical and is encouraging this contest not for academic purposes, but rather to reap personal gain from it:

would you trust your security to a person who makes or made malware?
how about a person or company that intentionally motivates others to do
so? why do you suppose the anti-virus industry works so hard to fight
the conspiracy theories that suggest they are the cause of the viruses?
at the very least mr. hansen is playing fast and loose with the publics
trust and ultimately harming security in the process, but there’s a
more insidious angle too…

while the worms he’s soliciting from others are supposed to be merely
proof of concept, the fact of the matter is that proof of concept worms
can still cause problems (the recent orkut worm
was a proof of concept)… moreover, although the winner of the contest
doesn’t get any money, at the end of the day there will almost
certainly be a windfall for mr. hansen – after all, what do you suppose
happens when you’re one of the few experts on some relatively obscure
type of threat and that threat is artificially made more popular? well,
demand for your services goes up of course… this is precisely the
type of shady marketing model i described before
where the people who stand to gain the most out of a problem becoming
worse directly contribute to that problem becoming worse… it made
greg hoglund and jamie butler household names in security circles, and
it made john mcafee (pariah though he may be) a millionaire…

I think the following exchange in the comments section of the contest forum offers an interesting position from RSnake’s perspective:                   

Re: Diminutive XSS Worm Replication Contest

            

Posted by: Gareth Heyes (IP Logged)

      

Date: January 04, 2008 04:56PM

      

@rsnake

This contest is just asking for trouble 🙂

Are there any legal issues for creating such a worm in the uk?

————————————————————————————————————

 

Re: Diminutive XSS Worm Replication Contest

 

            

Posted by: rsnake (IP Logged)

      

Date: January 04, 2008 05:11PM

      

@Gareth Heyes – perhaps, but trouble is my middle name. So is danger.
Actually I have like 40 middle names it turns out. 😉 No, I’m not
worried, this is academic – it won’t work anywhere without modification
of variables, and has no payload. The goal is to understand worm
propagation and get to the underlying important pieces of code.

I’m not in the UK and am not a lawyer so I can’t comment on the
laws. I’m not suggesting anyone should try to weaponize the code (they
could already do that with the existing worm code if they wanted anyway).

So, we’ve got Wismer’s perspective and (indirectly) RSnake’s. 

What’s yours?  Do you think holding a contest to build a POC for a worm a good idea?  Do the benefits of research and understanding the potential attacks so one can defend against them outweigh the potential for malicious use?  Do you think there are, or will be, legal ramifications from these sorts of activities?

/Hoff

  1. January 5th, 2008 at 13:59 | #1

    it will be interesting to see comments… i wonder if people will focus on the minor aspect of the actual samples generated by the contest, or if they'll see the bigger picture of increasing the threat's mind-share amongst bad guys…
    either way though, security folks asking the public to create more malware ought to be leaving a bad taste in people's mouths…
    oh and why, precisely, do you consider ethical security marketing an oxymoron?

  2. January 5th, 2008 at 14:29 | #2

    why do you suppose the anti-virus industry works so hard to fight the conspiracy theories that suggest they are the cause of the viruses?
    Really? I still have my doubts.

  3. January 5th, 2008 at 15:07 | #3

    @Kurt:
    "why, precisely, do you consider ethical security marketing an oxymoron?"
    My answer is something along the old adage of:
    You can have something fast, cheap or good. Pick any two.
    Substitute "fast, cheap or good" with "ethical, security or marketing" and you'll have your answer 😉
    /Hoff

  4. January 5th, 2008 at 21:20 | #4

    We need fewer worms and better protection, unless you are fishing. But then again if we didn't have worms we wouldn't need protection would we?
    It would be much more productive to have a contest where the end result is actually effects the industry in a positive fashion rather than negatively.

  5. January 6th, 2008 at 03:29 | #5

    Last question first: I'm sure there will be some attempt at legal retribution for this sort of thing, if only by people who have it in for hackers anyway.
    Do the benefits outweigh the potential damage? I don't specialize in this line of work, so I couldn't say for sure.
    I guess to my mind, this is sort of like inviting the whole world to collaborate on coming up with a new nuclear weapon. We alrready got some (they're verry nice), and if you think you really need to understand all the permutations of one to defend against them, then bully for you. Problem is, as soon as you get a new one created, you'll have to start defending against it real fast. (Yes, I saw RSnake's argument that it'll have no payload, just like a new kind of intercontinental missile by itself has no payload. But that won't last long.)
    Is the winning code going to be published? I don't see how it couldn't be. So that would be like putting your new, award-winning ICBM plans on the Internet for everyone (al Qaeda) to enjoy. I can imagine a lot of people being upset by this, which is why they now have laws against in in a couple of well-known countries. I can see it inching towards treason in the minds of some.
    The final issue is that our method of defending against worms these days is based mainly on pattern-matching, so you're encouraging the creation of new patterns — which creates more work for all AV/AM writers. I'm guessing they won't appreciate this very much.
    If you ask me, I just think this has more roots in juveniles showing off with knives than anything else. But then again, I'm old and tired.

  6. January 6th, 2008 at 07:29 | #6

    @hoff:
    "You can have something fast, cheap or good. Pick any two.
    Substitute "fast, cheap or good" with "ethical, security or marketing" and you'll have your answer ;)"
    y'know it saddens me to think that not only is the security industry forgetting the need to take the ethical high road but that they may actually be forgetting it exists…
    'f-prot for dos is free for personal, non-commercial use' was an example of ethical security marketing in it's day…

  7. January 6th, 2008 at 14:06 | #7

    @ shrdlu –
    I'm sure the bad guys won't stop researching this same material just because the ones who deal with it publically stop talking about it. If they find this stuff out first and we have to 'start defending against it real fast', well we won't have the ability to do so.
    @ All –
    These entries to the contest might be able to be weaponized later, but does that mean we should have pocketed research on electricity because it could be used to electrocute people?

  8. January 7th, 2008 at 06:04 | #8

    I would be more worried if all these submissions went to RSnake directly, with no promises to publish any of the submissions. Putting them all in the forum thread does remove some of my doubt on his intentions. I disliked the same thing with WabiSabiLabi…you're potentially giving a small, questionably ethical group access to some otherwise unknown exploits. RSnake putting these in a thread is really no different, in my mind, to exploits in milw0rm.
    These are to be POC codes, but I almost can't imagine an XSS POC worm being written to something like MySpace without being tested in some scale. Encouraging that behavior could be dangerous or unethical. The difference between POC worms from becoming the next cyber disaster is merely a few clicks… And what about responsible disclosure? I may not necessarily be against full disclosure, but will any targets of these POC worms be notified before some kiddie yoinks the code, weaponizes it, and unleashes it on the target? Perhaps this isn't a huge issue since this is being done on a forum…any kiddie could post it and be in the same boat, contest or no contest.
    I don't agree with kurt about not trusting a security person who writes malware. Pentesters regularly write exploit code to get their job done. This largely goes into the realm of intent, which is hard to pin down, especially as people change. I agree that the question should be entertained, just like going to a locksmith to have a key copied…a locksmith who then knows your home address…and trusting them not to make a second copy and use it to break into your house. I think kurt has a point, but it's not a road I would go down as an argument. 🙂 It's way too dimly lit!
    In the end, this does still fit the site's audience and profile to have such a contest with people sitting around trading worm POC. Contest or no contest, they do it anyway. I personally just have to shrug and let it go. It is a short hop from doing this in a public forum to doing this somewhere more secretive; the research will happen wherever it happens. Should RSnake encourage it? Perhaps, and he certainly has a reason to stay up on web app sec and keep lots of experts close at hand in the forums and on his site. Kudos to him in that regard!
    It might be interesting to have a contest where these people put up these POC worms, then a second half of the contest people try to block or stop them. BigBadWormX3! Oh, and John B. just stopped it with a tricky filtering combination! Difficult to pull off, yes, but maybe ultimately more fulfilling to people outside his audience.

  9. January 8th, 2008 at 06:10 | #9

    @kyran:
    "I'm sure the bad guys won't stop researching this same material just because the ones who deal with it publically stop talking about it."
    that doesn't mean we should help them learn about it…
    "If they find this stuff out first and we have to 'start defending against it real fast', well we won't have the ability to do so."
    find what stuff out first? how to implement an xss worm? do you really think being the first to come up with a particular implementation helps in the general case? let's expand that out to a larger and more established scope – would the anti-virus industry benefited from sitting down and trying to come up with all the possible conventional worm implementations before the bad guys did? no, because there are a countably infinite number of possible implementations and you'd have to go through all of them in order to be sure you beat the bad guys to the punch…
    "These entries to the contest might be able to be weaponized later, but does that mean we should have pocketed research on electricity because it could be used to electrocute people?"
    well, that's an incredibly bad analogy… for one thing electricity research was largely carried out in secret and it was impractical at the time for the public to build any electrical device comparable to the ones bell and tesla were working on… and that said, i'm sure those who witnessed bell electrocute an elephant on stage questioned whether the research was warranted…
    if we're going to use analogies to justify a contest promoting the creation of self-replicating malware, however, how about this one instead – would you like to see the center for disease control inviting the public to create new germs for the purposes of research?

  10. January 8th, 2008 at 07:06 | #10

    @lonervamp:
    "I would be more worried if all these submissions went to RSnake directly, with no promises to publish any of the submissions. Putting them all in the forum thread does remove some of my doubt on his intentions."
    ??? except that making them public makes *his* intentions a minuscule consideration next to the vast number of other people's intentions you now have to worry about…
    "RSnake putting these in a thread is really no different, in my mind, to exploits in milw0rm."
    except that these are worms, not just exploits…
    "I don't agree with kurt about not trusting a security person who writes malware. Pentesters regularly write exploit code to get their job done."
    again, these are worms, not just exploits… no sane pen-tester writes self-replicating malware for use in the field… further, no ethical pen-tester shares the tools he writes with every tom, dick, and harry on the internet because the exploits he writes are not the benign sort that only demonstrate a vulnerability's existence (and before anyone tries to trot out examples to the contrary, i will say that those who are sharing non-benign exploits with all and sundry are categorically not ethical)…
    "This largely goes into the realm of intent, which is hard to pin down, especially as people change."
    when you're dealing with unrestricted access to the public it is a forgone conclusion that there will be some with malicious intent… that is because unrestricted access to the public includes *everyone* and unfortunately there are a few bad apples out there…
    "Should RSnake encourage it?"
    should any 'white hat' encourage malware creation? do they still qualify as white hats if they do?

  11. Chris
    January 9th, 2008 at 12:28 | #11

    How is this significantly different from "How to 0wn the internet.." or "Secure your site by breaking into it"?
    I may be looking backward thru rose-colored glasses, but I seem to recall a lot of hand-wringing over Farmer and Wenema giving a missile launcher to a 12-year old, etc, with not end of the world as we know it arising.
    In other words, I'm fine with this contest.

  12. January 10th, 2008 at 07:18 | #12

    @chris:
    "How is this significantly different from "How to 0wn the internet.." or "Secure your site by breaking into it"?"
    google doesn't seem to be a fan of the second one (no hits) but "how to own the internet in your spare time" did not actually contain code, rather it described existing worm techniques and technology and how (in high level terms) they could be optimized… further, it didn't involve or endorse the writing of worms… finally, the basic type of worm they spoke about was already an established class of threat at the time…
    those seem like rather significant differences to me…

  13. Chris
    January 10th, 2008 at 12:34 | #13

    @Kurt:
    I guess I don't care about the difference between providing a specification and a sample implementation, where most of the work is being clever enough to do the spec in the first place. http://www.porcupine.org/satan/admin-guide-to-cra… is the paper Google missed ;^)
    I may have missed Rsnake advocating the creation of malicious worms. In the latter example, Wenema certainly advocates breaking into systems (that you are authorized to break into, in order to secure them better).

  14. January 11th, 2008 at 03:51 | #14

    @chris:
    "I guess I don't care about the difference between providing a specification and a sample implementation, where most of the work is being clever enough to do the spec in the first place."
    chris, it's the difference between helping the select few that already know what they're doing, and helping every type of bad guy all the way down to script kiddies…
    "I may have missed Rsnake advocating the creation of malicious worms."
    he advocated the creation of proof of concept worms… i think what you missed was the fact that "proof of concept" does *not* equate to "not a problem", as the recent orkut worm (which was a proof of concept) outbreak demonstrated…
    "In the latter example, Wenema certainly advocates breaking into systems (that you are authorized to break into, in order to secure them better)."
    but did it advocate writing malware? advocating doing pen-testing to find security flaws in your own system isn't really problematic, but it also doesn't really require the writing of malware with the possible exception of exploit code (which is a special case of malware that cannot exist without the vulnerability you're trying to do something about)…

  15. March 5th, 2009 at 19:56 | #15

    Ha, this is a great idea, IMO.

  1. No trackbacks yet.