Professional bug hunting is alive and well. The automation of the process has reduced time in finding the low hanging fruit but there are still massive problems with black and white box analysis tools.

I have worked on a number of commercial products that audit using black and white box methods and I can tell you that if we are only going to rely on those tools, then we might as well pack it in. Blackbox scanners are weak for anything non-web and the web application scanners have their own set of problems. Whitebox scanners have their own set of problems especially when you consider that even the most advanced static analysis is still formally undecidable as its reduced to the halting problem.

Without professional bug finders, we will never discover some of the truly critical vulnerabilities in commercial applications. For instance, when Mark Dowd went back in time and killed hitler with his IE/Flash exploit, that was a critical bug that would have never been discovered with an automated tool. That’s also true for Mike Lynn’s Cisco discovery a few years back. In fact, there is a giant list of these types of critical bugs that required a very skilled individual to identify and exploit.

Considering how little security researchers get paid in the grand scheme of things, I’d say its a pretty good deal to pay for exploits.

Then again, I’m not totally opposed to the extortion idea…

But i think, that whole thing about free bugs is a issue of big companies such Google, or Microsoft. If you’ll try to report something to these companys, you’ll know, that they’ll max thank you for it. I tried to make a deal, coz i found something more as XSS (i don’t think that XSS is little vuln, i think it’s big one, but still, i found something i think bigger). When i reported this to Google sec. team, they told me “we will not pay, or do anything else for it. publish it, we don’t care”. There is the exact problem.

I had an idea long time ago to build a web (project) where can anybody anonymously put any discovered vulnerabilities by him. guys from this site will contact vendor and try to make a deal. if he’ll not be interested, ok. his site will be in public list vuln sites/apps. after it’s on the vendor to do something with this.

maybe it’s time to make something like this.

There is nothing about NMFB that is against sharing knowledge with the community. There is a long history of that in the security community and I hope that it will continue. Nowhere above is public security research addressed, only the act of responsibly disclosing vulnerabilities to large commercial software vendors for free.

Responsibly disclosing vulnerabilities to vendors for free is not “sharing your knowledge for free with the community” since it is still kept secret. And even after the vulnerability is patched, properly following “responsible disclosure” requires you to continue to withhold details on the exploitation of that vulnerability for another 6 months to prevent exploitation of customers who have not yet patched. At the same conference where Charlie announced NMFB, Charlie and I presented a number of tools and exploitation techniques for OS X. You can get the slides for that presentation as well as all of the source code and tools from our book for free right here (http://blog.trailofbits.com/the-mac-hackers-handbook/) and in Metasploit. I do not feel like I am being hypocritical in doing that, either.

I hope that clarifies my position on public research, namely that I am not against it, nor is NMFB about putting a stop to it. A number of software vendors are even very supportive of the security research community and sponsor the popular security conferences, which I am very appreciative of since I have spoken at a number of those sponsored conferences. I also have a high degree of respect for the product security teams at many of these vendors, both personally and professionally. They employ a number of very talented researchers. I will, however, criticize some of the decisions regarding security made by the larger company. Namely, I believe that by not doing more to address the security of their shipped products, they are doing their users a disservice.

-Dino

=[ The Underground Myth ]=
….
The hacker underground has been systematically dismantled, a victim of
circumstance. There was no reason for this, no conspiracy, no winner. A
conquered people, but with no conqueror, no enemy to fight. No chance
of rebellion. Conquered by circumstance, if not fate.
….

/to all others – keep your passion and curiosity, hacking is not just winning
the next Mac on another Pwn2Own contest

I’m shocked to see nerds thinking like that – what happens with the real intent of old-school hacking?

Isn’t it all about beeing the smartest and share your knowledge for free with the community?

So is this the end of having serious discussion in public? Researcher liability issues – well that will always happen in a free cyberspace and democracy!

I hope there are still researchers out there following their passion of hacking and not following the money trail…

Thanks for the comment, you bring up some interesting points.

Your comparison with civil engineering is a good one. In civil engineering, there are safety engineers who assess the safety of buildings in design as well as post-design for potentially dangerous faults. That is an almost ideal comparison to software engineering and security engineers. Continuing with that metaphor, say that a number of safety engineers pointed out flaws in a bridge or building. The engineering firm responsible for its construction would probably respond in the same ways that software vendors do now (address them, ignore them, etc). At what point should the engineering firm engage a safety engineering firm for an actual third-party safety assessment? In the software world, vendors do not engage security engineers to assess their shipped products, only their in-development products. The answer the question about when the engineering firm would engage a third-party safety assessment would be: never or only when it was forced to by public opinion or government regulation.

One final comparison with civil engineering is in order. I don’t actually know the answer to this, but I would love to see a comparison between the ratio of the number of civil engineers vs. civil safety engineers within an engineering firm compared to the number of software engineers to security engineers employed at a large software vendor. As you mentioned, security vulnerabilities don’t usually kill lots of people, so that probably justifies the difference.

One of my larger points is that the public is not served by large vendors doing very little to secure the software products sitting on user’s systems. With identity theft and financial fraud ever on the rise, is “We actively listen to what people freely volunteer to tell us” a proactive security stance? Monitoring security mailing lists, patching freely reported vulnerabilities, and doing a code-review and/or pen-test before shipping are the current software security best practices. However, a two-week review at the end of a project that took two years to develop is hardly enough.

I don’t want to comment on what are “free” or “non-free” uses of OSS software, that is a debate for the free/open software philosophers. For my opinion on whether bugs in them should be considered “free” or not, see what I wrote in the second comment.

Finally, I consider most forms of security research to be socially responsible. Working to make the Internet a safer place to socialize, have fun, and do business is a noble pursuit. I just believe that solely relying on volunteers to address the security of commercial vendors’ shipped products is not a sustainable model and one that I personally consider to be somewhat socially irresponsible.

-Dino

Secondly, I don’t know what to think about your proposal of NO MORE FREE BUGS. There’s a long standing tradition of reporting, monitoring bugtraq, and working together. I don’t know if you can really make money a part of that.

If I’m a civil engineer and I see a bridge is in danger of collapse due to a century storm, do I block it off so that people don’t die, or do I investigate whether it was a community built bridge via taxation versus a commercial toll bridge to decide?

Of course software vulnerabilities don’t usually kill lots of people. Yet they are costly and do impact lots of people. Is there a social responsibility implied by being involved in security research, or not?

alex