Thursday, January 26, 2006

Security Interviews 2004/2005 - Part 3

Part 3 includes :

17. Eric Goldman - http://www.ericgoldman.org/ - 2005
18. Robert - http://www.cgisecurity.com/ - 2005
19. Johannes B. Ullrich - http://isc.sans.org/ - 2005
20. Daniel Brandt - http://google-watch.org/ - 2005
21. David Endler - http://www.tippingpoint.com/ - 2005
22. Vladimir, ZARAZA - http://security.nnov.ru/ - 2005

Go through Part 1 and Part 2 as well!

Part of Asta's Security Newsletter
------------------------------------------

Interview with Eric Goldman, http://www.ericgoldman.org/

Astalavista : Hi Eric, would you, please, introduce yourself to our readers and share some info about your profession and experience in the industry?

Eric : I am an Assistant Professor of Law at Marquette University Law School in Milwaukee, Wisconsin. I have been a full-time professor for 3 years. Before becoming an academic, I was an Internet lawyer for 8 years in the Silicon Valley. I worked first at a private law firm, where most of my clients were Internet companies that allowed users to interact with other users (eBay was a leading example of that). Then, from 2000-2002, I worked at Epinions.com (soon to be part of eBay) as its general counsel. As an academic, I principally spend my time thinking and writing about Internet law topics. Some of my recent papers have addressed warez trading, spam, search engine liability and adware. I run two blogs: Technology & Marketing Law Blog, where we discuss many Internet law, IP law and marketing law topics, and Goldman’s Observations, a personal blog where I comment on other topics of interest.

Astalavista : Teaching tech and Internet-savvy students on CyberLaw and Copyrights infringement is definitely a challenge when it comes to influencing attitudes, while perhaps creative when it comes to discussions. What's the overall attitude of your students towards online music and movies sharing?

Eric : Students have a variety of perspectives about file sharing. Some students come from a content owner background; for example, they may have been a freelance author in the past. These students tend to strongly support the enforcement efforts of content owners, and they view unpermitted file sharing as stealing/theft, etc. Other students come from a technology background and subscribe to the “information wants to be free” philosophy. These students come into the classroom pretty hostile to content owners’ efforts and tend to be fatalistic about the long-term success of enforcement efforts. However, I think both of these groups are the minority. I think the significant majority of students do not really understand how copyright law applies to file sharing. They learned how to share files in school and do so regularly without fully understanding the legal ramifications. Usually, their thinking is: “if everyone is doing it, it must be OK.” These students tend to be surprised by the incongruity between their behavior and the law. Even when we discuss the rather restrictive nature of copyright law, these students are not always convinced to change their behavior. Deep down, they still want the files they want, and file sharing is how they get those files. As a result, I’ll be interested to see how attitudes evolve with the emergence of legal download sites like iTunes. I suspect these sites may be retraining students that there is a cost-affordable (but not free) way to get the files they want. We’ll see how this changes the classroom discussions!

Astalavista : Where do you think is the weakest link when it comes to copyright infringement of content online, the distribution process of the content or its development practices?

Eric : With respect to activities like warez trading, consistently the weakest link has been insiders at content companies. Not surprisingly (at least to security professionals), employees are the biggest security risk. I do think content owners are aware of these risks and have taken a number of steps to improve in-house security, but the content owners will never be able to eliminate this risk. I’d like to note a second-order issue here. Content owners have historically staggered the release of their content across different geographical markets. We’ve recently seen a trend towards content owners releasing their content on the same day worldwide (the most recent Harry Potter book is a good example of that). I think the content owners’ global release of content will reduce some of the damage from warez traders distributing content before it’s been released in other geographic markets. So as the content owners evolve their distribution practices, they will help limit the impact of other weak links in the distribution process.

Astalavista : Do you envision the commercialization of P2P networks given the amount of multimedia traded there, and the obvious fact that Internet users are willing to spend money on online content purchases (given Apple's iTunes store success, even Shawn Fanning's Snocap for instance) given the potential of this technology?

Eric : Personally, I’m not optimistic about the commercialization of the P2P networks. The content owners continue to show little interest in embracing the current forms of technology. I think if the content owners wanted to go in this direction, they would have done so before spending years and lots of money litigating against Napster, Aimster, Grokster and Streamcast.

In my opinion, without the buy-in of the content owners, P2P networks have little chance of becoming the dominant form of commercialized content downloads. So I think, for now, we’ll see much more content owners’ efforts directed towards proprietary download sites than cooperation with the P2P networks.

Astalavista : Were spyware/adware as well as malware the main influence factors for users to start legally purchasing entertainment content online?

Eric : We have some evidence to suggest otherwise. A recent study conducted at UC Berkeley watched the behavior of users downloading file-sharing software. The users didn’t understand the EULAs they were presented with, so they were not very careful about downloading. But, more importantly, the users persisted in downloading file-sharing software even when they were told and clearly understood that the software was bundled with adware. If this result is believable, users will tolerate software bundles—even if those bundles are risky from a security standpoint—so long as the software will help them get where they want.

Instead, I would attribute the comparative success of the music download sites to their responsiveness to consumer needs. Consumers have made it clear what they want—they want music when they want it, they want to listen to it in the order of their choosing, they want to pay a low amount for just the music they want (not the music they don’t), they want the interface to be user-friendly and they want to deal with trustworthy sources. Also, consumers have surprisingly eclectic tastes, so any music download site must have a large database that’s diverse enough to satisfy idiosyncratic tastes. The most recent generation of music download sites have finally provided an offering that satisfies most of these key attributes. They aren’t perfect yet, but the modern sites are so much better than prior offerings where the pricing was off, the databases were incomplete, or the sites were still trying to tell consumers how they should enjoy the music (rather than letting the consumers decide for themselves).

P2P file-sharing networks still serve a consumer need, but the content owners have succeeded some in increasing the search costs that consumers have to receive (such as by using spoof files). As consumer search costs using file-sharing increase, legal downloading sites with efficient search/navigation interfaces become more attractive.

Astalavista : How would you explain the major investments of known companies into spyware/adware? Is it legal but unethical from a moral point of view?

Eric : I’m a little contrarian on this topic, so I may be unintentionally controversial here. From my perspective, we should start with a basic proposition: adware and spyware are not inherently evil. Like many other technologies, adware and spyware are good technology capable of being misused. Indeed, I think adware and spyware are an essential part of our future technological toolkit—perhaps not in the existing form, but in some form. We should not dismiss the technology any more than we should dismiss P2P file sharing technology simply because many users choose to engage in illegal file sharing using it.

Once we realize that adware and spyware are not necessarily bad and could even be useful, then it makes sense that major brand-name companies are working with adware/spyware. Adware and spyware offer new—and potentially better—ways to solve consumers’ needs, so we should expect and want companies to continue innovating. Let me give an example. I use Microsoft XP and it constantly watches my activities. Indeed, in response to my actions/inactions, I get lots of pop-up alerts/notifications... “updates are available”, “you are now connected online”, “we have detected a virus”, etc. I want my operating system to be monitoring my behavior and alerting me to problems that need my attention. In fact, I’d be happy if Microsoft fixed problems that don’t need my attention without even disturbing me. Microsoft is aware of this and is working on technological innovations to be smarter about when it delivers alerts.

So from my perspective, Microsoft is in the spyware business. They have huge investments in spyware. I’m glad they are making these investments and I hope they find even better ways to implement their software. I think adware and spyware have been maligned because a number of otherwise-legitimate marketers have engaged in (and may continue to engage in) some questionable practices. These practices can range from deceptive/ambiguous disclosures to exploiting security holes. I remain optimistic that legitimate businesses will evolve their practices. We’ve seen movement by companies like Claria (eliminating pop-up ads), WhenU (deliberately scaling back installations by taking more efforts to confirm that users want the software) and 180solutions (cleaning up its distribution channels). This is not to say that we’ve reached the right place yet, but I like to think that the major adware companies will continue to improve their practices over time.

However, there will also be people who will disseminate software that is intended to harm consumers, such as by destroying or stealing data. We have to remain constantly vigilant against these threats. But they are far from new; we’ve had to deal with malicious virus writers for a couple of decades. In thinking about the policy implications, we should not lump the purveyors of intentionally harmful software together with legitimate businesses that are evolving their business practices.

Astalavista : Do you think the distributed and globalized nature of the Internet is actually the double edged sword when it comes to fighting/tracing cyber criminals and limiting the impact of an already distributed/hosted copyrighted information?

Eric : There’s no question that the global nature of the Internet poses significant challenges to enforcement against infringement and criminals. While this is mostly a problem, the need for cross-border coordination creates an opportunity for governments to develop compatible laws and legal systems, and there could be real long-term benefits from that.

Astalavista : What's your opinion on the current state of DRM (Digital Rights Management) when it comes to usefulness and global acceptance?

Eric : I know DRM is pretty unpopular in a lot of circles, especially academic circles. Personally, I don’t have a problem with DRM. I look at DRM as a way of determining the attributes of the product I’m buying. Consider the analogy to physical space. When I buy a car, most manufacturers give me some options to purchase. For example, I can upgrade the seat covers to the leather package if I’m willing to pay for that. The manufacturer could make that choice for me (and sometimes they do), but when it’s my choice, I can pay for what I value. DRM is a way of creating different product attributes in digital bits. In theory, with DRM, I can buy 24 hour viewing rights, 1 year viewing rights or perpetual viewing rights. Depending on my needs, I may prefer to pay less and get less, or I may want the perpetual rights and will happily pay more for that. Without DRM, we’ve relied on physical nature of the content storage medium, plus post-hoc copyright infringement enforcement, to establish those different attributes. DRM does a much more effective job of defining the product. Therefore, DRM gives the content owners new ways to create products that respond to consumer needs. Of course, consumers need to understand what they are buying when it’s controlled by DRM, but that’s a consumer disclosure issue that we’ve encountered in lots of contexts before.

As far as I can tell, consumers have no problem with DRM. Indeed, the comparative success of download sites like iTunes indicates that consumers don’t really care about DRM so long as they can get what they want.

Astalavista : In conclusion, I would really appreciate it if you would share your comments about the Astalavista.com site and, particularly, about our security newsletter.

Eric : My first introduction to your site was when one of my articles was linked on the site. My traffic immediately took off like a rocket ship. I was very impressed with the quantity and sophistication of your readers. Thanks for giving me an opportunity to speak with them.
------------------------------------

Interview with Robert, http://www.cgisecurity.com/

Astalavista : Hi Robert, would you, please, introduce yourself to our readers and share some info about your profession and experience in the industry?

Robert : I first started to get interested in the hacker/security aspect of computers in the 90's in high school, where I had my first brush with a non 'Windows/Mac' system called 'VMS' (a VAX/VMS system to be exact). A year later I *finally* got access to an internet connection and to my amazement discovered that it was possible to break into a website with nothing more than your browser, which was something I found to be rather interesting. This *interest* grew into a website I originally hosted on xoom (some free hoster, I forget which :) that later became CGISecurity.com in September of 2000, where I've published numerous articles and white papers pertaining to website security. In 2003 I 'sold out' (get paid to do what you'd do for free) and was hired to perform R&D and QA on a Web Application Security Product, where I am to this day. In 2004 I co-founded 'The Web Application Security Consortium' with Jeremiah Grossman to provide an outlet for some projects that multiple people we knew were interested in participating in. A year later I created 'The Web Security Mailing List' as a forum where people can freely discuss all aspects of Web Security, where I am currently the lead list moderator.

Astalavista : Recently, there's been a growing trend towards the use of automated code auditing/exploitation tools in web applications security. Do you believe automation in this particular case gives a false sense of security, and provides managers with point'n'click efficiency, compared to a structured and an in-depth approach from a consultant?

Robert : Scanners provide a good baseline of the common types of issues that exist but are not magic bullets. It shouldn't come as a surprise to you, but many of these consultants use these automated scanning tools (both freeware and commercial) in conjunction with manual review and simply verify the results. The skill of the person using any specialized product greatly impacts the end result. Someone with a good security understanding can save immense amounts of time by using such an automated product. If your organization doesn't have a 'security guy', then a consultant may be the best solution for you.

Astalavista : Phishers are indeed taking a large portion of today's e-commerce flow. Do you believe corporations are greatly contributing to the epidemic, by not taking web security seriously enough to ensure their web sites aren't vulnerable to attacks in favour of online scammers?

Robert : Phishing doesn't *require* that a website be vulnerable to anything; it just simply requires a look-alike site exploiting a user's lack of security education and/or patches. I wouldn't say they are contributing towards it, but I do think that educating your users (as best as you can) is a requirement that should be in place at any online organization.

Astalavista : What are your comments on the future use of web application worms, compared to today's botnet/scam-oriented malware? What are the opportunities and how do you picture their potential/use in the upcoming future?

Robert : In 2005 we saw a rise in the use of search engines to 'data mine' vulnerable and/or suspect hosts. Some of the larger search engines are starting to put measures in place such as daily request limitations, CAPTCHAs, and string filtering to help slow down the issue. While these efforts are noteworthy, they are not going to be able to prevent *all* malicious uses a search engine allows. I think the future 'web worms' will borrow methodologies from security scanners created to discover new vulnerabilities that will have no patches available. While the downside of this is slower infection rates and lots of noise, the upside is infecting machines with no vendor-supplied patch available, because the 'vendor' may be a consultant or ex-employee who is no longer available. Worms such as Nimda infected both the server and its visitors, making it highly effective, and I expect this user/server trend to increase in the future. I also suspect a switch towards 'data mining' worms, that is, worms that are trying to steal useful data. Modern-day versions of these worms steal CD keys to games and operating systems. The use of worms to seek and steal data from a server environment, or a user machine, is only going to grow as credit card and identity theft continue to grow. While investigating a break-in into a friend's ISP I discovered the use of a shopping cart 'kit' left behind by the attacker. This kit contained roughly 8 popular online shopping carts that were modified to grab copies of a customer's order, a 'shopping cart rootkit' if you will. I suspect some type of automation of either auto-backdooring of popular software or uploading modified copies to start creeping its way into future web worms. In 2002 I wrote an article titled 'Anatomy of the web application worm' describing some of these 'new' threats that web application worms may bring to us.

Astalavista : Is the multitude and availability of open-source or freeware web application exploitation tools benefiting the industry, resulting in constant abuse of web servers worldwide, or actually making the situation even worse for the still catching up corporations given the overall web applications abuse?

Robert : This entirely depends on the 'product'. There are tools that allow you to verify if a host is vulnerable without actually exploiting it, which I consider to be a good thing, while some of these 'point and root' tools are not helping out as many people as they are hurting. In the past few years a shift has started involving 'full disclosure' where people are deciding not to release ./hack friendly exploits but are instead releasing 'just enough detail' for someone to verify it. This 'shift' is something that I fully support.

Astalavista : CGISecurity.com has been around for quite a few years. What are your plans for future projects regarding web security, and what is it that you feel the industry is lacking right now - awareness, capabilities or incentives to deal with the problem?

Robert : Actually September 14th will be the 5th year anniversary of CGISecurity.com. Right now I'm heavily involved in 'The Web Application Security Consortium' where we have numerous projects underway to provide documentation, education, and guides for users. I plan on expanding CGISecurity into a one stop shop for all 'web security' related documentation where you can (hopefully) find just about anything you could ever need. To answer the second part of your question I'd say all three with awareness (education) being the biggest problem. 

One of the things that the industry hasn't 'gotten' yet (in my opinion) is security review throughout an application's lifecycle. Sure, developers are starting to take 'secure development' more seriously, but as many of your readers know, deadlines hamper good intentions and often temporary solutions (if any at all) are put in place to make something work in time for release. This is why we need security review during all phases of the cycle, not just during development and post-production. I think that a much overlooked aspect of the development cycle is Quality Assurance. QA's job is to ensure that a product works according to requirements, identify as many pre-release (and post-release) bugs as possible, and to think about ways to break the product. I think that more companies need to implement 'QA security testing' as a release requirement, as well as train their testers to have a deeper understanding of these 'bugs' that they've been discovering. You've heard the term 'security in layers', so why can't this process be implemented throughout most development cycles? Developers get busy and may overlook something in the rush to meet the release date, which is why (before release) they need someone double-checking their work (QA) before it goes to production.

Astalavista : In conclusion, I would like to ask you what is your opinion of the Astalavista.com's web site and, in particular, our security newsletter?

Robert : I first discovered Astalavista in my 'referrer' logs when it linked to one of my articles. Since then I've been visiting on and off for a few years and only recently discovered the newsletter, which I think is a great resource for those unable to keep up with all the news sites and mailing list postings.
-------------------------

Interview with David Endler, http://www.tippingpoint.com/

Astalavista : Hi Dave, would you, please, introduce yourself to our readers and share with us some info about your experience in the industry?

Dave : Sure, I'm 6'1", a Leo, I like long walks on the beach, coffee ice cream,^H^H^H^H^H^H^H . . . oh, sorry, wrong window. I'm the Director of Security Research at 3Com's security division, TippingPoint. Some of the functions that fall under me include 3Com's internal product security testing, 3Com Security Response, and the Digital Vaccine team responsible for TippingPoint IPS vulnerability filters. Prior to 3Com, I was the director of iDefense Labs overseeing vulnerability and malware research. Before that, I had various security research roles with Xerox Corporation, the National Security Agency, and MIT.

Astalavista : What's the goal of your Zero Day Initiative, how successful is your approach so far, and what differentiates it from iDefense's one?

Dave : Over the past few years, no one can deny the obvious increase in the number of capable security researchers as well as the advancement of publicly available security researching tools. We wanted to tap into this network of global researchers in such a manner as to benefit the researchers, 3Com customers, and the general public. Our approach was the construction of the Zero Day Initiative (ZDI), launched on August 15, 2005. The main goals behind the program are:

a.) Extend 3Com's existing vulnerability research organization by leveraging the methodologies, expertise, and time of others.
b.) Responsibly report 0day vulnerabilities to the affected vendors.
c.) Protect our customers through the TippingPoint Intrusion Prevention Systems (IPS) while the product vendor is working on a patch.
d.) Protect all technology end users by eliminating 0day vulnerabilities through collaboration with the security community, both vendors and researchers.

The ZDI has had an incredibly positive result in only three months of activity, far exceeding our expectations. To date we have had over 200 researchers sign up through the portal, and received over 100 vulnerability submissions. We suspect that part of the early success of the program can be attributed to the wild launch party we threw at Blackhat/Defcon 2005.

The ZDI is different from iDefense's program in a number of ways. 3Com has invested considerable resources to ensure the success of the ZDI. As a result, ZDI contributors will receive a much higher valuation for their research. We provide 0day protection filters for our clients, without disclosing any details regarding the vulnerability, through our TippingPoint IPS, as opposed to simply selling vulnerability details in advance of public disclosure. Finally, we altruistically attempt to protect the public at large by sharing the acquired 0day data with other security vendors (yes, this includes competitors) in an effort to do the most good with the information we have acquired. We feel we can still maintain a competitive advantage with respect to our customers while facilitating the protection of a customer base larger than our own.

Astalavista : 0day vulnerabilities have always been a buzzword in the security community, while in recent years decision makers have started realizing their importance when evaluating possible solutions as well. What's the myth behind 0day vulnerabilities from your point of view, and should it get the highest priority the way I'm seeing it recently?

Dave : Certainly not all vulnerabilities should be treated equally, including 0day. A typical vendor-announced vulnerability can be just as devastating as a 0day due to the trend of shrinking windows of time for exploit release. Obviously, for an organization or home user that doesn't stay up-to-date with security patches, a three-year old exploit for a patched vulnerability could be just as devastating as a 0day exploit. I think 0day vulnerability protection has begun to take more shape in security buying decisions simply due to the growing frustration and helplessness felt by users when vendors take a long time to patch these issues when exploits are widely circulating. In the last year alone, we saw several of the 0day browser exploits incorporated into spyware sites within one day of their disclosure.

Astalavista : Do you feel the ongoing monetization and actual development of security vulnerabilities market would act as an incentive for a ShadowCrew style underground market, whose "rewards" for 0day vulnerabilities will contribute to its instant monopoly?

Dave : I think there will always be an underground market, but I doubt it will ever have a monopoly for a few reasons. We know there is a thriving underground market today for 0days, especially browser vulnerabilities that can be used to inject Trojans and steal financial data. I think the main obstacle currently curbing the growth of the underground vulnerability-purchase movement is a lack of trust. Since a security researcher doesn't really know the identity of an underground buyer, there's no guarantee he will get paid once he unveils his discovery. Also, at the end of the day, many researchers want these vulnerabilities to be fixed and want to receive the appropriate recognition in the mainstream security community.

Astalavista : While you are currently acting as the intermediary between a vendor and researcher, do you picture the long-term scenario of actually bidding for someone else's research given the appearance of other competitors, the existence of the underground market I already mentioned, and the transparency of both? How do you think would the market evolve?

Dave : Good question. I hope the markets evolve in a way that encourages vendors to put more skin in the game. It behooves these vendors to help protect their own customers more by rewarding outside researchers for security discoveries that escape internal QA testing. The only vendors I know of who currently do this are Netscape and Mozilla through their bug bounty programs. I think a "0-bay" auction model could be viable if a neutral party launched it that was trustworthy as a vulnerability "escrow agent" and could guarantee anonymity and payment to researchers. There was some good discussion on the Daily Dave list of some of the issues raised by such an auction model.

Astalavista : Should a vendor's competencies be judged on how promptly it reacts to a vulnerability notification and actually provides a (working) fix? Moreover, should vendors be held somehow accountable for their practices in situations like these, thus eliminating or opening up windows of opportunity for pretty much anything malicious?

Dave : I've worn the hat of a security researcher, vulnerability disclosure intermediary, and most recently, a vendor. I now have a great amount of sympathy for all three groups. In general, vendors need to make a more concerted effort to reach out to security researchers in the vulnerability disclosure process. Many vendors don't seem to understand that most security researchers get no tangible benefit for reporting a security issue. More and more 0day disclosures it seems are also the result of a vendor-researcher relationship breaking down due to a misunderstanding over email or poor follow-up from the vendor. Ideally, vendors should also reward these researchers, if not with money, then other perks or recognition as a sign of appreciation. It's hard to judge all vendors the same on the amount of time it takes to patch a vulnerability. Some vulnerabilities legitimately take longer to fix and QA than others. Because there are no laws today that govern a vendor's security response, the market is going to have to be the ultimate judge in this arena. If enough potential customers are lost to a competitor because of poor security patch handling or a destructive worm, you can bet that more money will be budgeted into their security development lifecycle.

Astalavista : Having conducted security research for the NSA must have been quite an experience. Does the agency's approach on security research somehow differ from the industry's one, in terms of needs for sure, but in what way exactly?

Dave : No comment :-)

Astalavista : Can money buy creativity and innovation from an R&D's point of view?

Dave : Of course no amount of money can buy your way to really innovative research. Some of the most prolific research teams are built through visionary research directors creating a nurturing and non-restrictive environment, insulating the team from most corporate pressures and politics.

Astalavista : Thanks for your time!
-------------------------------------

Interview with Vladimir, aka 3APA3A, http://www.security.nnov.ru/

Astalavista : Hi Vladimir, would you please introduce yourself to our readers, and share some info on your background and experience with information security?

Vladimir : OK. I'm 31, I’m married, and we have two daughters. For the last 10 years I've been the support service head for a middle-sized ISP in Nizhny Novgorod, Russia. As such, I'm not occupied in the IT security industry and I'm not a security professional. It's just a kind of useful hobby. And that's the reason why I use a nickname, though I have no relation to any illegal activity. Everyone who is interested can easily find my real name. In addition to my primary job, I give a few classes a week on computer science at Nizhny Novgorod State University.

I started on the Russian scene in the late 90s with an article on HTTP chat security. 'Cross site scripting' was quite a new vulnerability class and the term itself arrived a few years later. Later I began to publish some articles on Bugtraq. Because my previous nickname, taken from a Pushkin character, was not understandable abroad, I used my gamer's nick '3APA3A' ('zaraza' in Cyrillic); it means infection. It also has the meaning of the English 'swine' :). No, there is no relation to the famous 3APA3A / ZARAZA virus; it was a few years before.

I'm not a 'bug digger', as one may think. Some bugs were discovered in the process of troubleshooting, while others were found in an attempt to discover a new vulnerability class or exploitation approach. And I’m proud to have caught a few :)

Astalavista : What are some of your current and future projects?

Vladimir : Since 1999 http://www.security.nnov.ru is the only project I'm constantly involved in. Sometimes I patch old bugs and create new ones within 3proxy, http://www.security.nnov.ru/soft/3proxy/.

Astalavista : How would you describe the current state of the Russian security scene? Also, what are your comments on the overall bad PR for both Russia and Eastern Europe as a hackers' haven?

Vladimir : "Hack" is the opposite of technology for me. Industry with technology is a conveyor, while a hack works only here and now. Hacking is the process of creating something to solve one particular problem without enough money, resources and, most important, without knowledge. In the best case it's something new for everyone, and there is nobody to share knowledge and resources with you.

If you mean a lack of money, resources and knowledge - yes, Russia is a hackers' haven :)

We had an interesting discussion on this topic with David Endler (from your Newsletter #23). Of course you know how many viruses originated from Russia, and you know some "famous" virus writing teams. Do you know any software written here? Well... maybe after some research you can find Outpost and Kaspersky Antivirus, which you have never used... That's all, you think. Let's look at the city I live in. Many really interesting things, from Quake II graphics drivers and Intel debugging and profiling tools to Motorola and Nortel firmware, were written here. It's not the largest city, and Russia is a large country. The same goes for Eastern Europe, India and China.

We have a lot of unknown programmers and a few famous virus writers, that's the problem :)

The security scene in Russia is a really hard question. Of course, there are a few professionals; they are well-known buddies who work for well-known companies. They publish their really useful books, write their really professional articles and receive their really good money. There are old-school hackers who have not spoken Russian for a few years. There are “underground" e-zines, none of which live long enough to spell correctly. There are "security teams" known for defacing each other and publishing up to 6 bugs in PHP scripts. Teenage #hax0r1ng IRC channels. And, of course, guys who do their business with trojans and botnets and prefer to stay invisible.

That's all, folks. There is no scene. No place to meet each other. No Russian Defcon.

Astalavista : What are the most significant trends that have happened in vulnerability research as a whole since you started your project?

Vladimir : Any new technology arrives as a hack, but grows into an industry. It happened with computers, software and network security, and finally it is happening with vulnerability research. This fact changes everything. No place is left for real hacking. The guys on this scene became professionals. If you enter this without knowledge, all you can do is find some bugs in unknown PHP scripts.

Astalavista : Do you think a huge percentage of today's Internet threats are mainly posed by the great number of windows of vulnerability out there, and how should we respond to the concept of 0day by itself? Patching is definitely not worth it on certain occasions from my point of view!

Vladimir : Imagine 100,000,000 poorly patched default-configuration Fedora Core machines with users running their Mozillas from the root account. That's what we have in the Windows world. Did you know that 99% of Windows trojans/viruses/backdoors will not work if executed from an unprivileged account? Life could be much more secure if only an administrator with a special license (like a driver's) could configure a system and get penalties in case of virus incidents :)

Did you know that most ISPs do not monitor suspicious activity from their customers and cannot stop an attack from their network within 24 hours? It's almost impossible to coordinate something between providers. There are non-formal organizations, like NSP-SEC, but it only coordinates large providers from a few countries. Coordination and short abuse response time would be another step.

Astalavista : What is your attitude towards an 0bay market for software vulnerabilities? And who wins and who loses from your point of view?

Vladimir : On the real market both sides win. No doubt, the fact that there is now a legal market for 0days is good news for researchers and end users, because it raises vulnerability prices and establishes some standards. This "white" market is in its beginning. There are only a few players.

Who can value an 0day Internet Explorer bug? First of all, Microsoft. But for some reason it does not. Second, IDS/IPS vendors and security consulting companies, to make signatures and PR. A Bugtraq posting is really good PR. If the vulnerability is then exploited in the wild, it raises an article in the Washington Post. It's even better PR.

Astalavista : Do you also somehow picture a centralized underground ecosystem, the way we are currently seeing/intercepting the exchange of 0day vulnerabilities on IRC channels and web forums, but one with better transparency of its content, sellers and buyers?

Vladimir : And, of course, the underground market is always ready to pay. Exploits are required to install a trojan. A trojan is required to create a botnet. A botnet is required for spamming, DDoS and blackmailing, phishing, and illegal content hosting. It's definitely a kind of ecosystem with different roles and specializations, and its money cycle as a basement.

With some dirty games with an 0day Internet Explorer vulnerability you can make a new car on the botnet market or (and?) just a few thousand dollars with PR. The underground market is not centralized and relies on private contacts. The forums and IRC channels you can find are the tip of the iceberg. It makes it less vulnerable. I bet the last WMF exploit was sold without any IRC channels and forums.

Astalavista : Can there ever be a responsible disclosure, and how do you picture it?

Vladimir : According to Russian legislation, a vendor may not sell a product without informing the customer about any known defect or limitation of it. I bet different countries have similar legislation. I don't understand why it doesn't work with computer software. A vendor should either inform customers of a defect in the software in a timely manner or stop selling it.

Of course, disclosing information without informing the vendor is just stupid and non-profitable for everyone. On the other side, if a vendor has not eliminated a vulnerability after a few months and has not informed customers, there is nothing non-responsible in publishing this information. I never saw a vendor who blames researchers for non-responsible disclosure stop selling a defective product.

There were a few attempts to standardize disclosure policy; RFPolicy is the first one.

Astalavista : Can a vulnerability researcher get evil if not treated properly, and what could follow? :)

Vladimir : Sure. Imagine a situation where you want to get money from a vendor for vulnerability information you discovered. There is nothing bad in getting money for your work, and the vendor should be interested in buying this information in the first place. But it can be just blackmail if not "treated properly".

Astalavista : In conclusion, I wanted to ask about some of your future predictions for 2006 concerning vulnerability research, and the industry as a whole?

Vladimir : One year is a small period. Maybe we will see vendors buy vulnerabilities. "Vulnerability researcher" may be scripted on somebody's business card and become a profession this way. "Vulnerability researching" as a university course... No, let's wait for another 2-3 years :)

Astalavista : Thank you for your time!