On Releasing PoC/’Sploit Code For Near Zero-Day Vulns
One of my responsibilities as security cruise ship entertainment director is to distill the most complex things down into bite-sized digestible nuggets of chewy informative goodness whilst ensuring a good time is had by all.
It is in this spirit that I offer this gem regarding the release of PoC/Exploit code by supposed "whitehats" immediately after the disclosure of a nasty vulnerability. This post is random, of course, and is in no way a reference to any current event.
This quip was brought to you via Twitter, which managed to stay up and functional long enough for me to tweet it:
POC code for near-zero day ‘sploits is like SPAM advertising penis-extending drugs…the only dick it’s helping is the one writing it…
That is all.
/Hoff
Categories: Jackassery
Brilliant…utterly brilliant
Your Twittering ability far exceeds your poetic talent, though.
Paul
Two questions for you, Hoffster!
1) So I assume you feel this same way about every POC or exploit code that comes out?
2) Now that exploit code for what is not a terribly complex vulnerability is out, does this make us all that much more at risk?
I dunno…this vulnerability is not amazingly difficult to weaponize…so I'm not sure we were diverting much risk just because someone hadn't publicly released exploit code.
It's always easy to tear things down.
Building things requires more effort.
@LV I believe in responsible disclosure for reasons that are motivated by making things better for reasons that are appropriately balanced for all parties. This is, of course, wishful thinking.
Thus, forced to take a polarized perspective based on the fact that people can't act like adults, I would suggest that published exploits that follow immediately after the release of a vulnerability (regardless of the availability of a patch) are a bad thing.
Publishing the exploits did ZERO good. It did not make (based on released figures) people patch faster and only increases the likelihood of attack in a shorter window.
On your second point…this is a terrible corner case upon which to build an argument for what can only be described as obvious reasons. Andy Jaquith tweeted a great summary of the attitudes related to this issue, wherein he said: "The 'information wants to be free, somebody was gonna do it anyway' arg only justifies amoral acts. Time to call spades spades."
Diverting risk versus buying time are two different issues. If the former (by your argument) is difficult to mitigate, the latter sure would have been a nice alternative…
As to @Michael's point, I agree.
/Hoff
@hoff: your comment is not only irresponsible but also insulting. The only writer that is being a dick here is the blogpost writer.
@Ivan:
It was intended to be insulting, but which part of my post was irresponsible? And for clarification, to whom am I responsible and for what? I thought you could get away with anything on the Internet.
If I call this research, doesn't it grant me immunity?
I mean, gosh, I just re-posted a twitter funny, it's not like I released an exploit for a serious vulnerability and made it available worldwide to a bunch of script kiddies that could put a weaponized attack tool in someone's hands more easily or compress the time-to-patch window.
You mean *that* sort of responsibility?
See, the difference is I know I'm a dick and don't pretend like I'm saving the Universe and hide behind some self-appointed noble mission convincing myself that by releasing attack tools, I'm actually making things more "secure."
But before you turn this around in some sort of full-disclosure Jedi mind trick, you should know (as I stated above) that I think ethical security research is good, valuable and needed, but it's just like in the movies…when the shit gets out of the lab and hits the street, people turn into the un-dead and start eating babies.
We can't have that. That's bad. Save the babies, Ivan, save the babies!
I'm going on vacation and I've stated my position. So before I turn into an even bigger dick, I'm going to go to sleep.
Don't bother arguing with me. Seriously, I'm a nobody and I know it. You're not going to hurt my feelings by disagreeing with me.
Continue picking on Mogull, he's much smarter, better looking and more important than I'll ever be.
Thanks for your comment.
/Hoff
Ahah, I am not the one to accuse of singing "We Are the World"; your Live Aid argument is not in me. Some people in security (vulnerability "researchers" included) do not just do it out of a supersized ego and the self-righteousness that you'd like to pin on them; get over it. I do not pretend to be saving the babies, the whales or the penguins. All I am saying is there are legitimate purposes for exploit code, and making it available to the public is not equivalent to handing it to script kiddies or spamming millions of users worldwide.
Rich may be smarter and better looking, but he doesn't take Brazilian dance lessons and then pretend to be a tough guy.
Besides, I am less than nobody; I post comments in nobody's blog.
Good, so we agree on the fact that there are legitimate reasons for building exploit code and making it available to the public. The difference is *when* and *how* which are the two points you continue to conveniently avoid on purpose.
Since you don't like generalities, please go ahead and provide empirical statistics that prove that tools like Metasploit and the corresponding exploit code furnished are used mostly by "good" guys versus "bad" guys.
…and the recursive "you show me the converse first" answer is not an acceptable one.
As to your last two statements, you're 1/2 right.
/Hoff
Apologies on not following this thread, I've been sooo busy. 🙁 Of course, this is where forums are so much more apt than various comments and blog posts being splintered all over…
Have you ever seen a puzzle or had a challenge, and then tried to be the first one to solve it? Not everyone views a computer exploit as negatively as some evil zombie-making virus that could kill mankind. Some see it as a simple challenge, puzzle, solution. Not saying that's right, but as long as not everyone thinks alike, someone somewhere will release code for a vuln that is simple enough like this…no matter how 'white hat' they consider themselves. And no amount of wrangling the security researchers together under some ethical umbrella will work.
The "when" and "how" of releasing exploit code or details enough to create exploit code, I would posit, are not possible to agree upon.
When: I don't even know how to answer this question. Should it be released before, at the same time, just after, 2 months later, 6 months later, when some entity determines that 80% of those affected are patched…? Any stipulation on how long to wait will fail, unfortunately. And certainly bad guys don't abide by such expectations. My only conclusions would be: never or whenever. I choose "whenever" as I don't think I want to forever be upset because "never" will never happen.
How: I think this can be more formalized, but it certainly cannot be all-encompassing. There will be people who just don't care and will release whatever whenever and however they want, even if it is just to dump it on FD and move on. There will be plenty others who won't know the right way to release exploits. I would find such an endeavor to be less amusing but just as frustrating as herding cats. Anything else is the beginning of making security research more elitist, or less accessible for the grassroots people who have given us much to build upon.
That's me, though. I guess I look at it as something that is just not going to be widely possible just like it hasn't been for the last 20 years. So I'd rather spend energy on things more possible. 🙂
(btw Hoff, if I thought so horribly of you and your opinions, I wouldn't read your blog let alone bother to post. And it's ok to disagree)
And back to work…
@Hoff: Do you realize that your stance is completely unfair? I will explain why; bear with me for a few lines. I will get to your request for empirical statistics later on.
You are asking me to prove that the users of Metasploit (or similar tools) are not criminals and at the same time you are telling me that it is not acceptable for me to first ask you to prove that they are criminal. These are not symmetrical requests and I agree that they shouldn't be.
My initial assumption on this matter is that all users of Metasploit (and similar tools) are not guilty of committing a crime unless proven otherwise. *You* are required to prove otherwise, I am not.
The burden of proof is on your end and there is good reason for it; that reason has less to do with my personal bias or stance and a lot more with the way modern societies apply the laws (and we are talking about criminal activities here, are we not?).
Nonetheless, let's analyze your request a bit further: You ask for empirical statistics that prove something. To which I will say that I can't definitively prove (in the formal sense) that "something" with empirical statistics.
However, what I could do is provide a falsifiable theory about that "something". That means that it must be possible for you or anybody else to determine on the basis of factual data that my theory is false. To facilitate this, my theory should avoid the use of ambiguous concepts such as "used mostly by" or moral judgment ("good guys" vs. "bad guys") unless I disambiguate them. I am assuming that you agree that's how an empirical discipline that pretends to be rooted in modern science should present its theories.
So how about this statement:
"Less than 10% of the users of Metasploit use the tool for criminal purposes."
Note that I've disambiguated "used mostly by" to mean 90% of users and replaced an ambiguous moral dichotomy (users are either "good" or "evil") with disambiguation by application of the rule of any law that deals with "computer crimes".
Still, I cannot prove the above statement to be true but I could prove it false if I knew the number of unique users of Metasploit and the number of security incidents that have been tracked and directly linked to use of the tool or its exploits.
According to The 451 Group, as of July 2006 there were 48,000 registered users of Metasploit (http://blogs.the451group.com/opensource/2006/08/28/metasploit-30beta-2-and-new-msf-website-launches/), and I would assume that there are at least 2 or 3 times as many users today, considering that 2 years have passed, that Metasploit ships by default in a handful of Linux distributions, and that it is also quite likely that there are as many unregistered users as registered ones. But let's be conservative and just stick to 48,000 users.
I have yet to see an incident report or forensic analysis that directly links a security breach to the use of Metasploit by any given number of unique users. This shouldn't be so hard to find or to determine: out of the box Metasploit does not cover its tracks, and most big-vendor security firms do track down exploitation in the wild to specific malware artifacts, yet as of today and to the extent of my knowledge no smoking gun indicates that at least 4,800 unique users of Metasploit are criminals.
To be fair, the closest thing to that is Andrew Jaquith's December 2005 blogpost where he showed one instance of correlation (not causality) between the release of a Metasploit exploit and a spike in visible network port scans (not actual penetration incidents) of the vulnerable service in the wild. Unfortunately, Andrew derived causality from one particular instance of event correlation (he could also have correlated the spike with the release of the advisory 3 days earlier rather than with the release of the Metasploit plugin, but he chose not to do so) and ended up with 4 general conclusions using flawed logical reasoning (a flawed form of inductive reasoning): http://www.securitymetrics.org/content/Wiki.jsp?p…
Since then I haven't seen any attempt at a serious study or analysis that supports your hypothesis that Metasploit exploits are mostly used by criminals.
Incidentally, in the case of the DNS exploits recently released for Metasploit: have you actually read the code?
@Ivan:
I reckon I already know the answer to this question, but how did you decide that my query asking you for data supported a hypothesis?
I suppose it would be fair to infer that, but that's the annoying part of this divide because despite passionate opinions, there's too much religion and not enough science.
I simply wanted to gain deeper perspective on how you perceive tools like Metasploit are used and by whom. What you've shown me is that as supposedly flawed as my basis/bias is, yours is no better.
You simply don't know and honestly, neither do I.
Let's move on here, because we're missing the important bits.
For the third time, I'm going to point out something you continue to ignore, which is a point that really deserves your eyeballs. I said:
>> Good, so we agree on the fact that there are legitimate
>> reasons for building exploit code and making it available
>> to the public. The difference is *when* and *how*
As LonerVamp addressed, "when" and "how" are the departure points here, not "if." Painting discussions into corners is good for illustration, but it's distracting us from the real issue.
As to reading the code, I looked at the first set but not the follow-on release.
We *may* be at the point where this is the *beginning* of what I think is a very interesting set of discussions, now that we're done teasing Brazilians…
A bunch of us are going to get together @ BH, get shitfaced and, um, discuss this. It'd be swell if you come. 😉
/Hoff
P.S. I found this Oracle 0-day article serendipitous for discussion's sake: http://blogs.zdnet.com/security/?p=1581