<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Sat, 12 May 2007 16:18:09 -0000</lastBuildDate><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322572</link><description>@anonym: if you are a vuln. researcher and want to get paid to do it then go get a job as a vuln. researcher. If you do it to save the world or as a hobby or because you are a really nice guy or accidentally then do not come saying that you would do it for the bounty. You can't have it both ways.&lt;br&gt;Bug bounty companies are not NPOs; they're profit-oriented security vendors and they, eventually, must make money off the bugs they bought, otherwise their business model doesn't work. That in turn means that your "raw material" is transformed into a "good" that can be sold in a "free market" that requires money to enter. 
&lt;br&gt;You and many others may support that model but that doesn't prove it beneficial to everybody, especially to those that may not have access to the proposed free market.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ivan</dc:creator><pubDate>Sat, 12 May 2007 16:18:09 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322571</link><description>No mainstream vendor treats security researchers better than Microsoft does.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 10 May 2007 23:37:04 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322570</link><description>The difference is that MCAF is a company that serves a few, and independent researchers serve a bunch, so naturally those few are pissed. Really, companies hate to see researchers being paid; they just want to get everything free, treating researchers like crap (MICROSOFT especially) just because they want to earn something for their research. They see the 0 day initiative as a threat to them, hoping that if no one pays researchers, one day they will get tired and leave their products alone for them to control the information. 
Wanting to get paid for vuln research is expectable; it's hard, demanding work that involves many hours, and it's good to be able to sell that information to others than spammers.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">anonym</dc:creator><pubDate>Thu, 10 May 2007 22:59:47 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322569</link><description>So what's the difference between the GOOD vulnerability research that MCAF does, which generates attack code for vulnerabilities, and the BAD vulnerability research that Dino did?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 10 May 2007 20:45:52 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322568</link><description>@thomas ptacek:&lt;br&gt;"Wait, you’re saying that if we pay Dino to find vulnerabilities, we’re paying to create new malware?&lt;br&gt;&lt;br&gt;I thought you were OK with vulnerability research. Now you seem to think all vulnerability research equates to creating malware. Which is it?"&lt;br&gt;&lt;br&gt;the pwn-to-own contest wasn't &lt;b&gt;just&lt;/b&gt; vulnerability research, one had to launch a successful attack... are you telling me the code written &lt;i&gt;shouldn't&lt;/i&gt; qualify as malware? is it safe to hand over to a skiddie? &lt;br&gt;&lt;br&gt;(not a skilled black hat, mind you, as they could turn any exploit code into attack code) &lt;br&gt;&lt;br&gt;"Also, is it OK for MCAF to pay their own researchers to find vulnerabilities (NOT the virus guys — the guys like Mark Dowd, who find product vulnerabilities for MCAF)? 
It sounds like that’s also a case where MCAF is paying for the production of new malware."&lt;br&gt;&lt;br&gt;i've already indicated that not all vulnerability research activities are created equal... i've already indicated that there are ways to prove the existence of a vulnerability in a benign way... creating tools to compromise machines using the vulnerability doesn't fall under that category...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">kurt wismer</dc:creator><pubDate>Thu, 10 May 2007 19:32:03 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322567</link><description>Wait, you're saying that if we pay Dino to find vulnerabilities, we're paying to create new malware?&lt;br&gt;&lt;br&gt;I thought you were OK with vulnerability research. Now you seem to think all vulnerability research equates to creating malware. Which is it?&lt;br&gt;&lt;br&gt;Also, is it OK for MCAF to pay their own researchers to find vulnerabilities (NOT the virus guys --- the guys like Mark Dowd, who find product vulnerabilities for MCAF)? It sounds like that's also a case where MCAF is paying for the production of new malware.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 10 May 2007 14:36:26 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322566</link><description>@thomas ptacek:&lt;br&gt;"Why do you care if MCAF pays Dino, versus us paying Dino?"&lt;br&gt;&lt;br&gt;gee, i wonder why would anybody care about an anti-malware vendor paying for the production of what is essentially new malware? 
what could possibly go wrong?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">kurt wismer</dc:creator><pubDate>Thu, 10 May 2007 13:18:37 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322565</link><description>Why do you care if MCAF pays Dino, versus us paying Dino?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 09 May 2007 17:22:09 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322564</link><description>@thomas ptacek:&lt;br&gt;"So, your concern that bounties will incite bad actors into writing attack code means that people like Dino shouldn’t get paid for their work?"&lt;br&gt;&lt;br&gt;no, that's not what it means... whether or not someone deserves payment is entirely orthogonal to whether or not someone else has any place making the payment...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">kurt wismer</dc:creator><pubDate>Wed, 09 May 2007 17:19:11 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322539</link><description>I post this to Avert Labs. They probably delete. &lt;br&gt;  &lt;br&gt; So Rahul- is this your organization's idea of responsible? &lt;br&gt; &lt;a href="http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=528" rel="nofollow"&gt;http://labs.idefense.com/intelligence/vulnerabi...&lt;/a&gt; &lt;br&gt;  &lt;br&gt; "VIII. 
DISCLOSURE TIMELINE &lt;br&gt; 08/14/2006 Initial vendor notification &lt;br&gt; 10/17/2006 Second vendor notification &lt;br&gt; 02/07/2007 Third vendor notification &lt;br&gt; 02/08/2007 Initial vendor response &lt;br&gt; 05/08/2007 Coordinated public disclosure &lt;br&gt;  &lt;br&gt; 6 months to even RESPOND to a reported vulnerability in your product??? What do you say to that? Maybe McAfee should stop criticizing other competitors and start working on their own policy!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kurt</dc:creator><pubDate>Wed, 09 May 2007 16:27:25 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322563</link><description>This sounds like the legality of gun ownership debate.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">one.miguel</dc:creator><pubDate>Wed, 09 May 2007 15:26:16 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322562</link><description>So, your concern that bounties will incite bad actors into writing attack code means that people like Dino shouldn't get paid for their work?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 09 May 2007 08:22:46 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322561</link><description>@thomas ptacek:&lt;br&gt;"I don’t get it. 
If it’s fine for people like me to independently research vulnerabilities (which requires the generation of “attack code”), why isn’t it fine for McAfee to pay me to do it?"&lt;br&gt;&lt;br&gt;perhaps the root of this communication problem is the assumption that the people getting paid would necessarily be people like you...&lt;br&gt;&lt;br&gt;at any rate, it's clear to me that we're operating on very different wavelengths and at this point i don't really expect to be able to bridge the gap...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">kurt wismer</dc:creator><pubDate>Wed, 09 May 2007 07:38:25 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322560</link><description>I don't get it. If it's fine for people like me to independently research vulnerabilities (which requires the generation of "attack code"), why isn't it fine for McAfee to pay me to do it? Is vulnerability research like sex?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 08 May 2007 21:04:25 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322559</link><description>@thomas ptacek:&lt;br&gt;"I do not understand why you are talking about “attack code” in a thread about ZDI’s handling of the QuickTime vulnerability."&lt;br&gt;&lt;br&gt;the post was about mcafee's claims that they won't touch a contest like pwn-to-own with a barge pole... 
the contest required that a contestant attack and successfully compromise a machine in order to win - that is where &lt;i&gt;attack code&lt;/i&gt; comes from...&lt;br&gt;&lt;br&gt;"The points you are making about vulnerability contests in general strongly imply that you believe ZDI made attack code available. Nothing of the sort happened."&lt;br&gt;&lt;br&gt;you're talking about disclosure here - i made it clear in my very first sentence in my very first comment to this post that i wasn't...&lt;br&gt;&lt;br&gt;"I suppose you could be debating whether it’s OK for researchers to produce “attack code” at all."&lt;br&gt;&lt;br&gt;more along the lines of whether it's ok for a company &lt;b&gt;like mcafee&lt;/b&gt; to &lt;b&gt;pay&lt;/b&gt; 3rd parties  to do so (especially people who mcafee cannot bind to subsequent responsible/ethical handling of the materials in question)...&lt;br&gt;&lt;br&gt;"No mainstream AV vendor currently advocates for the end of vulnerability research, and I suspect you will find a hostile environment for that sentiment on this blog as well."&lt;br&gt;&lt;br&gt;i'm not calling for the end of vulnerability research either, which is why i was at one point trying to draw a distinction between benign exploit demos and attack code that can be used by script kiddies - to underscore that there are ways to do it that should generally not be considered problematic (but which are inherently not embraced by a contest such as pwn-to-own)...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">kurt wismer</dc:creator><pubDate>Tue, 08 May 2007 18:00:57 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322558</link><description>I do not understand why you are talking about "attack code" in a thread about ZDI's handling of the QuickTime vulnerability. 
The points you are making about vulnerability contests in general strongly imply that you believe ZDI made attack code available. Nothing of the sort happened. &lt;br&gt;&lt;br&gt;I suppose you could be debating whether it's OK for researchers to produce "attack code" at all. You will then be debating the entire concept of security research. No mainstream AV vendor currently advocates for the end of vulnerability research, and I suspect you will find a hostile environment for that sentiment on this blog as well.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 08 May 2007 15:41:39 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322557</link><description>@thomas ptacek:&lt;br&gt;"Kurt, none of what you are talking about is relevant to the situation at hand. Can you find some other comment thread on our blog to post this stuff to? Because if you imply again that 3Com published exploit code for this vulnerability, I’m just going to delete your comment. This is getting silly."&lt;br&gt;&lt;br&gt;thomas, there is clearly a fundamental disconnect between the words coming out of my keyboard and the ones you're reading on your screen... 
i never made the implication you're talking about (so i can't really make it 'again') and i was never even headed in that direction...&lt;br&gt;&lt;br&gt;if you don't think there's relevance in the issue of paying people to produce bad things (regardless of the controls one &lt;i&gt;tries&lt;/i&gt; to put in place) then so be it, but it's an issue the anti-virus industry in general (and mcafee in particular) started grappling with a long time ago so mcafee's position should come as no surprise...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">kurt wismer</dc:creator><pubDate>Tue, 08 May 2007 14:39:09 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322556</link><description>Kurt, none of what you are talking about is relevant to the situation at hand. Can you find some other comment thread on our blog to post this stuff to? Because if you imply again that 3Com published exploit code for this vulnerability, I'm just going to delete your comment. 
This is getting silly.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 08 May 2007 08:33:44 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322555</link><description>@thomas ptacek:&lt;br&gt;"Kurt, this vulnerability has nothing to do with Javascript."&lt;br&gt;&lt;br&gt;i did preface that bit about javascript with the words "as an example"&lt;br&gt;&lt;br&gt;@tyler reguly:&lt;br&gt;"You’re trying to distinguish between a web-based vulnerability and a system vulnerability… two completely different breeds of attack"&lt;br&gt;&lt;br&gt;actually i'm not trying to draw any such distinction because i don't believe such distinctions are relevant in the context of benign exploits vs fully functional attack code...&lt;br&gt;&lt;br&gt;"In the end though there’s no difference between a malicious exploit and a PoC other than a hop, skip and a jump to change calc.exe to a listening shell."&lt;br&gt;&lt;br&gt;actually there is a difference... with benign exploit code you aren't directly arming the bad guys if/when the details get out... could a benign exploit be modified to be less benign? sure, so can a hello world program... 
you can't control what bad people do with the things you create, but there are many things you can do to avoid helping them...&lt;br&gt;&lt;br&gt;that said, it looks like mcafee took a harder line with exploits than i anticipated so the distinction i was drawing between benign exploits and full attack code is moot (and, considering their history with regards to financial incentives for attack code, good for them)...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">kurt wismer</dc:creator><pubDate>Tue, 08 May 2007 07:55:39 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322554</link><description>Markets make everything better!!!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">newsham</dc:creator><pubDate>Tue, 08 May 2007 04:24:54 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322553</link><description>*Mental Note... don't include 'less than, hyphen, hyphen' in posts*&lt;br&gt;&lt;br&gt;To finish the above post:&lt;br&gt;&lt;br&gt;All you've done is describe a proof of concept... You're trying to distinguish between a web-based vulnerability and a system vulnerability... two completely different breeds of attack... In the end though there's no difference between a malicious exploit and a PoC other than a hop, skip and a jump to change calc.exe to a listening shell. &lt;br&gt;&lt;br&gt;As for companies, like Tipping Point, that pay for vulnerabilities... They are a huge benefit to the community. 5-10 years ago you saw a lot more exploits make the mailing lists and forums... Now you see (for the most part) low hanging fruit and garbage... Why? 
Because people have figured out that it's more worthwhile to get $10,000 from Tipping Point than it is to send a 0day to a mailing list for free... These companies are improving security for everyone... They are a great benefit to the security community and the Internet as a whole.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Tyler Reguly</dc:creator><pubDate>Tue, 08 May 2007 01:22:28 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322552</link><description>@kurt&lt;br&gt;&lt;br&gt;As I pointed out kurt... Many companies won't accept them... They want proof of the vulnerability... &lt;br&gt;&lt;br&gt;Also your example of web-based vulnerabilities doesn't work. What you've done is state that you can "demonstrate vulnerabilities to the user"</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Tyler Reguly</dc:creator><pubDate>Tue, 08 May 2007 01:18:28 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322551</link><description>Kurt, this vulnerability has nothing to do with Javascript.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 08 May 2007 01:15:04 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322550</link><description>@thomas ptacek:&lt;br&gt;"What a ridiculous red herring. Nobody published attack code. 
You still don’t have access to anything beyond proof-of-vulnerability (not even proof of concept)."&lt;br&gt;&lt;br&gt;yes, since it didn't happen &lt;i&gt;this time&lt;/i&gt; the potential for it to happen must be a red herring...&lt;br&gt;&lt;br&gt;@tyler reguly&lt;br&gt;"The AV companies would rather sit back and wait for the virus/worm/trojan that exploits a vulnerability than proactively find the vulnerability before the bad guys so that the vendor can properly patch it."&lt;br&gt;&lt;br&gt;why do you think it sounds like that? because they would rather not participate in an exercise that requires a successful &lt;b&gt;attack&lt;/b&gt;? you are, i hope, aware that you can demonstrate exploitability benignly, right? as an example, there have long been websites which demonstrate javascript and other associated vulnerabilities to the user without actually compromising the user's system in a meaningful way...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">kurt wismer</dc:creator><pubDate>Tue, 08 May 2007 00:56:44 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://www.matasano.com/log/851/mcafee-for-us-its-internet-first-then-customers-unlike-3com/#comment-2322549</link><description>Also: auctions and bounties make my flesh crawl too. We don't do it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Mon, 07 May 2007 22:03:20 -0000</pubDate></item></channel></rss>