17. Eric Goldman - http://www.ericgoldman.org/ - 2005
18. Robert - http://www.cgisecurity.com/ - 2005
19. Johannes B. Ullrich - http://isc.sans.org/ - 2005
20. Daniel Brandt - http://google-watch.org/ - 2005
21. David Endler - http://www.tippingpoint.com/ - 2005
22. Vladimir, ZARAZA - http://security.nnov.ru/ - 2005
Go through Part 1 and Part 2 as well!
Part of Asta's Security Newsletter
------------------------------------------
Interview with Eric Goldman, http://www.ericgoldman.org/
Astalavista: Hi Eric, would you please introduce yourself to our readers and share some info about your profession and experience in the industry?
Eric: I am an Assistant Professor of Law at Marquette University Law School in Milwaukee, Wisconsin. I have been a full-time professor for 3 years. Before becoming an academic, I was an Internet lawyer for 8 years in Silicon Valley. I worked first at a private law firm, where most of my clients were Internet companies that allowed users to interact with other users (eBay was a leading example of that). Then, from 2000-2002, I worked at Epinions.com (soon to be part of eBay) as its general counsel. As an academic, I principally spend my time thinking and writing about Internet law topics. Some of my recent papers have addressed warez trading, spam, search engine liability and adware. I run two blogs: Technology & Marketing Law Blog, where we discuss many Internet law, IP law and marketing law topics, and Goldman’s Observations, a personal blog where I comment on other topics of interest.
Astalavista: Teaching tech- and Internet-savvy students about cyberlaw and copyright infringement is definitely a challenge when it comes to influencing attitudes, while perhaps creative when it comes to discussions. What's the overall attitude of your students towards online music and movie sharing?
Eric: Students have a variety of perspectives about file sharing. Some students come from a content owner background; for example, they may have been a freelance author in the past. These students tend to strongly support the enforcement efforts of content owners, and they view unpermitted file sharing as stealing/theft, etc. Other students come from a technology background and subscribe to the “information wants to be free” philosophy. These students come into the classroom pretty hostile to content owners’ efforts and tend to be fatalistic about the long-term success of enforcement efforts. However, I think both of these groups are the minority. I think the significant majority of students do not really understand how copyright law applies to file sharing. They learned how to share files in school and do so regularly without fully understanding the legal ramifications. Usually, their thinking is: “if everyone is doing it, it must be OK.” These students tend to be surprised by the incongruity between their behavior and the law. Even when we discuss the rather restrictive nature of copyright law, these students are not always convinced to change their behavior. Deep down, they still want the files they want, and file sharing is how they get those files. As a result, I’ll be interested to see how attitudes evolve with the emergence of legal download sites like iTunes. I suspect these sites may be retraining students that there is a cost-affordable (but not free) way to get the files they want. We’ll see how this changes the classroom discussions!
Astalavista: Where do you think is the weakest link when it comes to copyright infringement of content online, the distribution process of the content or its development practices?
Eric: With respect to activities like warez trading, consistently the weakest link has been insiders at content companies. Not surprisingly (at least to security professionals), employees are the biggest security risk. I do think content owners are aware of these risks and have taken a number of steps to improve in-house security, but the content owners will never be able to eliminate this risk. I’d like to note a second-order issue here. Content owners have historically staggered the release of their content across different geographical markets. We’ve recently seen a trend towards content owners releasing their content on the same day worldwide (the most recent Harry Potter book is a good example of that). I think the content owners’ global release of content will reduce some of the damage from warez traders distributing content before it’s been released in other geographic markets. So as the content owners evolve their distribution practices, they will help limit the impact of other weak links in the distribution process.
Astalavista: Do you envision the commercialization of P2P networks, given the amount of multimedia traded there, the obvious fact that Internet users are willing to spend money on online content purchases (Apple's iTunes store success, or even Shawn Fanning's Snocap, for instance), and the potential of this technology?
Eric: Personally, I’m not optimistic about the commercialization of the P2P networks. The content owners continue to show little interest in embracing the current forms of technology. I think if the content owners wanted to go in this direction, they would have done so before spending years and lots of money litigating against Napster, Aimster, Grokster and Streamcast.

In my opinion, without the buy-in of the content owners, P2P networks have little chance of becoming the dominant form of commercialized content downloads. So I think, for now, we’ll see much more content owners’ efforts directed towards proprietary download sites than cooperation with the P2P networks.
Astalavista: Were spyware/adware as well as malware the main influence factors for users to start legally purchasing entertainment content online?
Eric: We have some evidence to suggest otherwise. A recent study conducted at UC Berkeley watched the behavior of users downloading file-sharing software. The users didn’t understand the EULAs they were presented with, so they were not very careful about downloading. But, more importantly, the users persisted in downloading file-sharing software even when they were told and clearly understood that the software was bundled with adware. If this result is believable, users will tolerate software bundles, even if those bundles are risky from a security standpoint, so long as the software will help them get where they want.

Instead, I would attribute the comparative success of the music download sites to their responsiveness to consumer needs. Consumers have made it clear what they want: they want music when they want it, they want to listen to it in the order of their choosing, they want to pay a low amount for just the music they want (not the music they don’t), they want the interface to be user-friendly and they want to deal with trustworthy sources. Also, consumers have surprisingly eclectic tastes, so any music download site must have a large database that’s diverse enough to satisfy idiosyncratic tastes. The most recent generation of music download sites have finally provided an offering that satisfies most of these key attributes. They aren’t perfect yet, but the modern sites are so much better than prior offerings where the pricing was off, the databases were incomplete, or the sites were still trying to tell consumers how they should enjoy the music (rather than letting the consumers decide for themselves).

P2P file-sharing networks still serve a consumer need, but the content owners have succeeded some in increasing the search costs that consumers have to bear (such as by using spoof files). As consumer search costs using file-sharing increase, legal downloading sites with efficient search/navigation interfaces become more attractive.
Astalavista: How would you explain the major investments of known companies into spyware/adware? Is it legal but unethical from a moral point of view?
Eric: I’m a little contrarian on this topic, so I may be unintentionally controversial here. From my perspective, we should start with a basic proposition: adware and spyware are not inherently evil. Like many other technologies, adware and spyware are good technology capable of being misused. Indeed, I think adware and spyware are an essential part of our future technological toolkit, perhaps not in the existing form, but in some form. We should not dismiss the technology any more than we should dismiss P2P file sharing technology simply because many users choose to engage in illegal file sharing using it.

Once we realize that adware and spyware are not necessarily bad and could even be useful, then it makes sense that major brand-name companies are working with adware/spyware. Adware and spyware offer new, and potentially better, ways to solve consumers’ needs, so we should expect and want companies to continue innovating. Let me give an example. I use Microsoft XP and it constantly watches my activities. Indeed, in response to my actions/inactions, I get lots of pop-up alerts/notifications: “updates are available”, “you are now connected online”, “we have detected a virus”, etc. I want my operating system to be monitoring my behavior and alerting me to problems that need my attention. In fact, I’d be happy if Microsoft fixed problems that don’t need my attention without even disturbing me. Microsoft is aware of this and is working on technological innovations to be smarter about when it delivers alerts.

So from my perspective, Microsoft is in the spyware business. They have huge investments in spyware. I’m glad they are making these investments and I hope they find even better ways to implement their software. I think adware and spyware have been maligned because a number of otherwise-legitimate marketers have engaged in (and may continue to engage in) some questionable practices. These practices can range from deceptive/ambiguous disclosures to exploiting security holes. I remain optimistic that legitimate businesses will evolve their practices. We’ve seen movement by companies like Claria (eliminating pop-up ads), WhenU (deliberately scaling back installations by taking more efforts to confirm that users want the software) and 180solutions (cleaning up its distribution channels). This is not to say that we’ve reached the right place yet, but I like to think that the major adware companies will continue to improve their practices over time.

However, there will also be people who will disseminate software that is intended to harm consumers, such as by destroying or stealing data. We have to remain constantly vigilant against these threats. But they are far from new; we’ve had to deal with malicious virus writers for a couple of decades. In thinking about the policy implications, we should not lump the purveyors of intentionally harmful software together with legitimate businesses that are evolving their business practices.
Astalavista: Do you think the distributed and globalized nature of the Internet is actually a double-edged sword when it comes to fighting/tracing cyber criminals and limiting the impact of already distributed/hosted copyrighted information?
Eric: There’s no question that the global nature of the Internet poses significant challenges to enforcement against infringement and criminals. While this is mostly a problem, the need for cross-border coordination creates an opportunity for governments to develop compatible laws and legal systems, and there could be real long-term benefits from that.
Astalavista: What's your opinion on the current state of DRM (Digital Rights Management) when it comes to usefulness and global acceptance?
Eric: I know DRM is pretty unpopular in a lot of circles, especially academic circles. Personally, I don’t have a problem with DRM. I look at DRM as a way of determining the attributes of the product I’m buying. Consider the analogy to physical space. When I buy a car, most manufacturers give me some options to purchase. For example, I can upgrade the seat covers to the leather package if I’m willing to pay for that. The manufacturer could make that choice for me (and sometimes they do), but when it’s my choice, I can pay for what I value. DRM is a way of creating different product attributes in digital bits. In theory, with DRM, I can buy 24 hour viewing rights, 1 year viewing rights or perpetual viewing rights. Depending on my needs, I may prefer to pay less and get less, or I may want the perpetual rights and will happily pay more for that. Without DRM, we’ve relied on the physical nature of the content storage medium, plus post-hoc copyright infringement enforcement, to establish those different attributes. DRM does a much more effective job of defining the product. Therefore, DRM gives the content owners new ways to create products that respond to consumer needs. Of course, consumers need to understand what they are buying when it’s controlled by DRM, but that’s a consumer disclosure issue that we’ve encountered in lots of contexts before.

As far as I can tell, consumers have no problem with DRM. Indeed, the comparative success of download sites like iTunes indicates that consumers don’t really care about DRM so long as they can get what they want.
Astalavista: In conclusion, I would really appreciate it if you shared your comments about the Astalavista.com site and, particularly, about our security newsletter.
Eric: My first introduction to your site was when one of my articles was linked on the site. My traffic immediately took off like a rocket ship. I was very impressed with the quantity and sophistication of your readers. Thanks for giving me an opportunity to speak with them.
------------------------------------
Interview with Robert, http://www.cgisecurity.com/
Astalavista: Hi Robert, would you please introduce yourself to our readers and share some info about your profession and experience in the industry?
Robert: I first started to get interested in the hacker/security aspect of computers in the 90's in high school, where I had my first brush with a non-'windows/mac' system called 'VMS' (a VAX/VMS system to be exact). A year later I *finally* got access to an internet connection and to my amazement discovered that it was possible to break into a website with nothing more than your browser, which was something I found to be rather interesting. This *interest* grew into a website I originally hosted on xoom (some free hoster, I forget which :) that later became CGISecurity.com in September of 2000, where I've published numerous articles and white papers pertaining to website security. In 2003 I 'sold out' (get paid to do what you'd do for free) and was hired to perform R&D and QA on a Web Application Security Product, where I am to this day. In 2004 I co-founded 'The Web Application Security Consortium' with Jeremiah Grossman to provide an outlet for some projects that multiple people we knew were interested in participating in. A year later I created 'The Web Security Mailing List' as a forum where people can freely discuss all aspects of Web Security, where I am currently the lead list moderator.
Astalavista: Recently, there's been a growing trend towards the use of automated code auditing/exploitation tools in web application security. Do you believe automation in this particular case gives a false sense of security, and provides managers with point'n'click efficiency, compared to a structured and in-depth approach from a consultant?
Robert: Scanners provide a good baseline of the common types of issues that exist but are not magic bullets. It shouldn't come as a surprise to you, but many of these consultants use these automated scanning tools (both freeware and commercial) in conjunction with manual review and simply verify the results. The skill of the person using any specialized product greatly impacts the end result. Someone with a good security understanding can save immense amounts of time by using such an automated product. If your organization doesn't have a 'security guy' then a consultant may be the best solution for you.
Astalavista: Phishers are indeed taking a large portion of today's e-commerce flow. Do you believe corporations are greatly contributing to the epidemic by not taking web security seriously enough to ensure their web sites aren't vulnerable to attacks in favour of online scammers?
Robert: Phishing doesn't *require* that a website be vulnerable to anything; it simply requires a look-alike site exploiting a user's lack of security education and/or patches. I wouldn't say they are contributing towards it, but I do think that educating your users (as best as you can) is a requirement that should be in place at any online organization.
Astalavista: What are your comments on the future use of web application worms, compared to today's botnet/scam-oriented malware? What are the opportunities and how do you picture their potential/use in the upcoming future?
Robert: In 2005 we saw a rise in the use of search engines to 'data mine' vulnerable and/or suspect hosts. Some of the larger search engines are starting to put measures in place such as daily request limitations, CAPTCHAs, and string filtering to help slow down the issue. While these efforts are noteworthy, they are not going to be able to prevent *all* malicious uses a search engine allows. I think the future 'web worms' will borrow methodologies from security scanners created to discover new vulnerabilities that will have no patches available. While the downside of this is slow infection rates and lots of noise, the upside is infecting machines with no vendor-supplied patch available because the 'vendor' may be a consultant or ex-employee who is no longer available. Worms such as Nimda infected both the server and its visitors, making it highly effective, and I expect this user/server trend to increase in the future. I also suspect a switch towards 'data mining' worms, that is, worms that are trying to steal useful data. Modern day versions of these worms steal CD keys to games and operating systems. The use of worms to seek and steal data from a server environment or user machine is only going to grow as credit card and identity theft continue to grow. While investigating a break-in into a friend's ISP I discovered the use of a shopping cart 'kit' left behind by the attacker. This kit contained roughly 8 popular online shopping carts that were modified to grab copies of a customer's order, a 'shopping cart rootkit' if you will. I suspect some type of automation of either auto-backdooring of popular software or uploading modified copies to start creeping its way into future web worms. In 2002 I wrote an article titled 'Anatomy of the web application worm' describing some of these 'new' threats that web application worms may bring to us.
Astalavista: Is the multitude and availability of open-source or freeware web application exploitation tools benefiting the industry, resulting in constant abuse of web servers worldwide, or actually making the situation even worse for the still catching up corporations given the overall web applications abuse?
Robert: This entirely depends on the 'product'. There are tools that allow you to verify if a host is vulnerable without actually exploiting it, which I consider to be a good thing, while some of these 'point and root' tools are not helping out as many people as they are hurting. In the past few years a shift has started involving 'full disclosure' where people are deciding not to release ./hack friendly exploits but are instead releasing 'just enough detail' for someone to verify it. This 'shift' is something that I fully support.
Astalavista: CGISecurity.com has been around for quite a few years. What are your plans for future projects regarding web security, and what is it that you feel the industry is lacking right now - awareness, capabilities or incentives to deal with the problem?
Robert: Actually September 14th will be the 5th year anniversary of CGISecurity.com. Right now I'm heavily involved in 'The Web Application Security Consortium' where we have numerous projects underway to provide documentation, education, and guides for users. I plan on expanding CGISecurity into a one stop shop for all 'web security' related documentation where you can (hopefully) find just about anything you could ever need. To answer the second part of your question, I'd say all three, with awareness (education) being the biggest problem.

One of the things that the industry hasn't 'gotten' yet (in my opinion) is security review throughout an application's lifecycle. Sure, developers are starting to take 'secure development' more seriously, but as many of your readers know, deadlines hamper good intentions and often temporary solutions (if any at all) are put in place to make something work in time for release. This is why we need security review during all phases of the cycle, not just during development and post production. I think that a much overlooked aspect of the development cycle is Quality Assurance. QA's job is to ensure that a product works according to requirements, identify as many pre-release (and post-release) bugs as possible, and to think about ways to break the product. I think that more companies need to implement 'QA security testing' as a release requirement as well as train their testers to have a deeper understanding of these 'bugs' that they've been discovering. You've heard the term 'security in layers', so why can't this process be implemented throughout most development cycles? Developers get busy and may overlook something in the rush to meet the release date, which is why (before release) they need someone double-checking their work (QA) before it goes to production.
Astalavista: In conclusion, I would like to ask you what your opinion is of the Astalavista.com web site and, in particular, our security newsletter?
Robert: I first discovered Astalavista in my 'referrer' logs when it linked to one of my articles. Since then I've been visiting on and off for a few years and only recently discovered the newsletter, which I think is a great resource for those unable to keep up with all the news sites and mailing list postings.
-------------------------
Interview with David Endler, http://www.tippingpoint.com/
Astalavista: Hi Dave, would you please introduce yourself to our readers and share with us some info about your experience in the industry?
Dave: Sure, I'm 6'1", a Leo, I like long walks on the beach, coffee ice cream,^H^H^H^H^H^H^H . . . oh, sorry, wrong window. I'm the Director of Security Research at 3Com's security division, TippingPoint. Some of the functions that fall under me include 3Com's internal product security testing, 3Com Security Response, and the Digital Vaccine team responsible for TippingPoint IPS vulnerability filters. Prior to 3Com, I was the director of iDefense Labs overseeing vulnerability and malware research. Before that, I had various security research roles with Xerox Corporation, the National Security Agency, and MIT.
Astalavista: What's the goal of your Zero Day Initiative, how successful is your approach so far, and what differentiates it from iDefense's?
Dave: Over the past few years, no one can deny the obvious increase in the number of capable security researchers as well as the advancement of publicly available security researching tools. We wanted to tap into this network of global researchers in such a manner as to benefit the researchers, 3Com customers, and the general public. Our approach was the construction of the Zero Day Initiative (ZDI), launched on August 15, 2005. The main goals behind the program are:
a.) Extend 3Com's existing vulnerability research organization by leveraging the methodologies, expertise, and time of others.
b.) Responsibly report 0day vulnerabilities to the affected vendors.
c.) Protect our customers through the TippingPoint Intrusion Prevention Systems (IPS) while the product vendor is working on a patch.
d.) Protect all technology end users by eliminating 0day vulnerabilities through collaboration with the security community, both vendors and researchers.
The ZDI has had an incredibly positive result in only three months of activity, far exceeding our expectations. To date we have had over 200 researchers sign up through the portal, and received over 100 vulnerability submissions. We suspect that part of the early success of the program can be attributed to the wild launch party we threw at Blackhat/Defcon 2005.
The ZDI is different from iDefense's program in a number of ways. 3Com has invested considerable resources to ensure the success of the ZDI. As a result, ZDI contributors will receive a much higher valuation for their research. We provide 0day protection filters for our clients, without disclosing any details regarding the vulnerability, through our TippingPoint IPS, as opposed to simply selling vulnerability details in advance of public disclosure. Finally, we altruistically attempt to protect the public at large by sharing the acquired 0day data with other security vendors (yes, this includes competitors) in an effort to do the most good with the information we have acquired. We feel we can still maintain a competitive advantage with respect to our customers while facilitating the protection of a customer base larger than our own.
Astalavista: 0day vulnerabilities have always been a buzzword in the security community, while in recent years decision makers have started realizing their importance when evaluating possible solutions as well. What's the myth behind 0day vulnerabilities from your point of view, and should it get the highest priority the way I'm seeing it recently?
Dave: Certainly not all vulnerabilities should be treated equally, including 0day. A typical vendor-announced vulnerability can be just as devastating as a 0day due to the trend of shrinking windows of time for exploit release. Obviously, for an organization or home user that doesn't stay up-to-date with security patches, a three-year old exploit for a patched vulnerability could be just as devastating as a 0day exploit. I think 0day vulnerability protection has begun to take more shape in security buying decisions simply due to the growing frustration and helplessness felt by users when vendors take a long time to patch these issues when exploits are widely circulating. In the last year alone, we saw several of the 0day browser exploits incorporated into spyware sites within one day of their disclosure.
Astalavista: Do you feel the ongoing monetization and actual development of a security vulnerability market would act as an incentive for a ShadowCrew-style underground market, whose "rewards" for 0day vulnerabilities will contribute to its instant monopoly?
Dave: I think there will always be an underground market, but I doubt it will ever have a monopoly for a few reasons. We know there is a thriving underground market today for 0days, especially browser vulnerabilities that can be used to inject Trojans and steal financial data. I think the main obstacle currently curbing the growth of the underground vulnerability-purchase movement is a lack of trust. Since a security researcher doesn't really know the identity of an underground buyer, there's no guarantee he will get paid once he unveils his discovery. Also, at the end of the day, many researchers want these vulnerabilities to be fixed and want to receive the appropriate recognition in the mainstream security community.
Astalavista: While you are currently acting as the intermediary between a vendor and researcher, do you picture the long-term scenario of actually bidding for someone else's research given the appearance of other competitors, the existence of the underground market I already mentioned, and the transparency of both? How do you think the market would evolve?
Dave: Good question. I hope the markets evolve in a way that encourages vendors to put more skin in the game. It behooves these vendors to help protect their own customers more by rewarding outside researchers for security discoveries that escape internal QA testing. The only vendors I know of who currently do this are Netscape and Mozilla through their bug bounty programs. I think a "0-bay" auction model could be viable if a neutral party launched it that was trustworthy as a vulnerability "escrow agent" and could guarantee anonymity and payment to researchers. There was some good discussion on the Daily Dave list of some of the issues raised by such an auction model.
Astalavista: Should a vendor's competencies be judged on how promptly it reacts to a vulnerability notification and actually provides a (working) fix? Moreover, should vendors be held somehow accountable for their practices in situations like these, thus eliminating or opening up windows of opportunity for pretty much anything malicious?
Dave: I've worn the hat of a security researcher, vulnerability disclosure intermediary, and most recently, a vendor. I now have a great amount of sympathy for all three groups. In general, vendors need to make a more concerted effort to reach out to security researchers in the vulnerability disclosure process. Many vendors don't seem to understand that most security researchers get no tangible benefit for reporting a security issue. More and more 0day disclosures, it seems, are also the result of a vendor-researcher relationship breaking down due to a misunderstanding over email or poor follow-up from the vendor. Ideally, vendors should also reward these researchers, if not with money, then with other perks or recognition as a sign of appreciation. It's hard to judge all vendors the same on the amount of time it takes to patch a vulnerability. Some vulnerabilities legitimately take longer to fix and QA than others. Because there are no laws today that govern a vendor's security response, the market is going to have to be the ultimate judge in this arena. If enough potential customers are lost to a competitor because of poor security patch handling or a destructive worm, you can bet that more money will be budgeted into their security development lifecycle.
Astalavista: Having conducted security research for the NSA must have been quite an experience. Does the agency's approach to security research somehow differ from the industry's, in terms of needs for sure, but in what way exactly?
Dave: No comment :-)
Astalavista: Can money buy creativity and innovation from an R&D point of view?
Dave: Of course no amount of money can buy your way to really innovative research. Some of the most prolific research teams are built through visionary research directors creating a nurturing and non-restrictive environment, insulating the team from most corporate pressures and politics.
Astalavista: Thanks for your time!
-------------------------------------
Interview with Vladimir, aka 3APA3A, http://www.security.nnov.ru/
Astalavista: Hi Vladimir, would you please introduce yourself to our readers, and share some info on your background and experience with information security?
Vladimir : OK. I'm 31, I’m married,
and we have two daughters. For last 10 years I'm support service head
for middle sized ISP in Nizhny Novgorod, Russia. As so, I'm not occupied
in IT security industry and I'm not security professional. It's just a
kind of useful hobby. And that's the reason why I use nickname though I
have no relation to any illegal activity. Everyone who is interested can
easily find my real name. In addition to my primary
job, I give few classes a week on computer science in Nizhny Novgorod State University.
I started on the Russian scene in the late 90s with an article on the security of HTTP chats. 'Cross site scripting' was quite a new vulnerability class, and the term itself arrived a few years later. Later I began to publish some articles on Bugtraq. Because my previous nickname, taken from a Pushkin character, was not understandable abroad, I used my gamer's nick '3APA3A', 'zaraza' in Cyrillic; it means infection. It also has the meaning of the English 'swine' :). No, there is no relation to the famous 3APA3A/ZARAZA virus; it was a few years before.
I'm not a 'bug digger', as one may think. Some bugs were discovered in the process of troubleshooting, while others were found in an attempt to discover a new vulnerability class or exploitation approach. And I'm proud to have caught a few :)
Astalavista : What are some of your current and future projects?
Vladimir : Since 1999, http://www.security.nnov.ru is the only project I'm constantly involved in. Sometimes I patch old bugs and create new ones within 3proxy, http://www.security.nnov.ru/soft/3proxy/.
Astalavista : How would you describe the current state of the Russian security scene? Also, what are your comments on the overall bad PR for both Russia and Eastern Europe as a hackers' haven?
Vladimir : "Hack" is the opposite of technology for me. Industry with technology is a conveyor, while a hack works only here and now. Hacking is the process of creating something to solve one particular problem without enough money, resources and, most important, without knowledge. In the best case it's something new for everyone, and there is nobody to share knowledge and resources with you.
If you mean a lack of money, resources and knowledge - yes, Russia is a hackers' heaven :)
We had an interesting discussion on this topic with David Endler (from your Newsletter #23). Of course you know how many viruses originated from Russia, and you know some "famous" virus writing teams. Do you know any software written here? Well... maybe after some research you can find Outpost and Kaspersky Antivirus, which you have never used... That's all, you think. Let's look at the city I live in. Many really interesting things, from Quake II graphics drivers and Intel debugging and profiling tools to Motorola and Nortel firmware, were written here. It's not the largest city, and Russia is a large country. The same goes for Eastern Europe, India and China.
We have a lot of unknown programmers and a few famous virus writers; that's the problem :)
The security scene in Russia is a really hard question. Of course, there are a few professionals; they are well-known buddies who work for well-known companies. They publish their really useful books, write their really professional articles and receive their really good money. There are old-school hackers who have not spoken Russian for a few years. There are "underground" e-zines, none of them living long enough to spell correctly. There are "security teams" known for defacing each other and publishing up to 6 bugs in PHP scripts. Teenage #hax0r1ng IRC channels. And, of course, guys who do their business with trojans and botnets and prefer to stay invisible.
That's all, folks. There is no scene. No place to meet each other. No Russian Defcon.
Astalavista : What are the most significant trends in vulnerability research as a whole since you started your project?
Vladimir : Any new technology arrives as a hack but grows into an industry. It was so with computers, software, network security, and finally it is happening with vulnerability research. This fact changes everything. No place is left for real hacking. The guys on this scene became professionals. If you enter this without knowledge, all you can do is find some bugs in unknown PHP scripts.
Astalavista : Do you think a huge percentage of today's Internet threats is mainly posed by the great number of windows of vulnerability out there, and how should we respond to the concept of 0day by itself? Patching is definitely not worth it on certain occasions, from my point of view!
Vladimir : Imagine 100,000,000 fully patched, default-configuration Fedora Core machines with users running their Mozillas from the root account. That's what we have in the Windows world. Did you know that 99% of Windows trojans/viruses/backdoors will not work if executed from an unprivileged account? Life could be much more secure if only an administrator with a special license (like a driver's one) might configure the system and get penalties in case of virus incidents :)
Did you know that most ISPs do not monitor suspicious activity from their customers and cannot stop an attack from their network within 24 hours? It's almost impossible to coordinate something between providers. There are informal organizations, like NSP-SEC, but they only coordinate large providers from a few countries. Coordination and short abuse response times would be another step.
Astalavista : What is your attitude towards an 0bay market for software vulnerabilities? And who wins and who loses, from your point of view?
Vladimir : On a real market both sides win. No doubt, the fact that there is now a legal market for 0days is good news for researchers and end users, because it raises the vulnerability price and establishes some standards. This "white" market is in its beginning. There are only a few players.
Who can value a 0day Internet Explorer bug? First of all, Microsoft. But for some reason it does not. Second, IDS/IPS vendors and security consulting companies, to make signatures and PR. A Bugtraq posting is really good PR. If the vulnerability is then exploited in the wild, it raises an article in the Washington Post. It's even better PR.
Astalavista : Do you also somehow picture a centralized underground ecosystem, the way we are currently seeing/intercepting the exchange of 0day vulnerabilities on IRC channels and web forums, but one with better transparency of its content, sellers and buyers?
Vladimir : And, of course, the underground market is always ready to pay. Exploits are required to install a trojan. A trojan is required to create a botnet. A botnet is required for spamming, DDoS and blackmailing, phishing, illegal content hosting. It's definitely a kind of ecosystem, with different roles and specializations and a money cycle as its basement.
With some dirty games with a 0day Internet Explorer vulnerability you can make a new car on the botnet market or (and?) just a few thousand dollars with PR. The underground market is not centralized and lies on private contacts. The forums and IRC channels you can find are the top of the iceberg. It makes it less vulnerable. I bet the last WMF exploit was sold without any IRC channels and forums.
Astalavista : Can there ever be responsible disclosure, and how do you picture it?
Vladimir : According to Russian legislation, a vendor may not sell a product without informing the customer about any known defect or limitation of it. I bet different countries have similar legislation. I don't understand why it doesn't work with computer software. A vendor should either timely inform customers of a defect in the software or should stop selling it.
Of course, disclosing information without informing the vendor is just stupid and non-profitable for everyone. On the other side, if a vendor has not eliminated the vulnerability after a few months and has not informed customers, there is nothing non-responsible in publishing this information. I never saw a vendor who blames researchers for non-responsible disclosure stop selling the defective product.
There were a few attempts to standardize disclosure policy; RFPolicy is the first one.
Astalavista : Can a vulnerability researcher get evil if not treated properly, and what could follow? :)
Vladimir : Sure. Imagine a situation where you want to get money from a vendor for vulnerability information you discovered. There is nothing bad in getting money for your work, and the vendor should be interested in buying this information in the first place. But it can be just blackmail if not "treated properly".
Astalavista : In conclusion, I wanted to ask about some of your future predictions for 2006 concerning vulnerability research, and the industry as a whole?
Vladimir : One year is a small period. Maybe we will see vendors buy vulnerabilities. "Vulnerability researcher" may be scripted on somebody's business card and become a profession this way. "Vulnerability research" as a university course... No, let's wait another 2-3 years :)
Astalavista : Thank you for your time!