<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Wed, 29 Aug 2007 13:15:01 -0000</lastBuildDate><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322820</link><description>Yea, you all have it wrong. Non-disclosure is the way to go. Don't tell anybody anything. Not the vendors, not the public, not your so-called "peers", *NOBODY*. Keep the sploits to yourself. Use them when it benefits you. Send the PoC's and exploit details to the appropriate vendors after you've owned all the money grubbing whitehat "security professionals" you can with your 0days. &lt;br&gt;&lt;br&gt;pr0j3kt m4yh3m 1nd33d.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">sigsegv</dc:creator><pubDate>Wed, 29 Aug 2007 13:15:01 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322819</link><description>@David Maynor&lt;br&gt;&lt;br&gt;I don't dislike you, I don't even know you. This is business not personal. If you dislike me, well that's on you. &lt;br&gt;&lt;br&gt;My employer does make extensive use of QA services and does pay for several reporting and research services. We have a reasonably good (IMNSHO) security experts group who as far as I've seen is quite able to differentiate vendor hype from potential threats to our business environment. 
We also have a rather long set of terms and conditions to which we subject every vendor before we sign any contracts.&lt;br&gt;&lt;br&gt;We try and do a reasonable amount of due diligence before we go to T&amp;amp;C though. Part of due diligence is estimating the risk that a company will end up affecting reputational risk. Once again, from a business perspective, you look risky.&lt;br&gt;&lt;br&gt;I hope this is clear enough and that you understand I'm speaking with my work hat on. Maybe someday we'll run into each other and can work out whether we get along personally. If you are at Black Hat Japan, let's have a drink there.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Fri, 22 Jun 2007 04:56:39 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322818</link><description>I'll take two!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 22 Jun 2007 01:13:06 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322817</link><description>@Tom&lt;br&gt;Wow, believe it or not everything Errata does is not about my ego. My ego has nothing to do with our decision not to disclose vulnerabilities to Apple, ego is not a factor in our choice to create new exploits from scratch. The reason we do it is simple, to understand the vulnerability in-depth, to understand any possible mitigating factors, additional vectors, and even possible evasions that could affect security tools. In addition to supplying customers with all the information we can find to protect themselves, we also use this information in our product tests. 
This is not the kind of information you can get from just doing a write-up on a publicly available vulnerability.&lt;br&gt;&lt;br&gt;A lot of publicly available exploits suck (not including Metasploit, they rock but they don’t cover everything) so in order to really understand the impact to an environment we have to construct high quality ones. So it's not about the “crafted by David Maynor” angle, it's about the “we understand the threat from the ground up” angle.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Maynor</dc:creator><pubDate>Thu, 21 Jun 2007 16:09:36 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322816</link><description>Also, for what it's worth, we've released a total of two (2) advisories since our inception, one of which was for a vulnerability that had an exploit in the wild prior to our release. &lt;br&gt;&lt;br&gt;But, thank you for positioning us as the full-disclosure zealots. I feel like we take much more shit from the researchers for not releasing findings than we do from customers for releasing too much.&lt;br&gt;&lt;br&gt;Why would an enterprise care whether you're a "clipping service" or not? Does an exploit "hand crafted by David Maynor" have more value than one written in Poland? I recommend that you guys try to differentiate on things that have value to customers, not on things that gratify your team. &lt;br&gt;&lt;br&gt;Unless your exploits are engraved. I'll take two!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 21 Jun 2007 11:34:07 -0000</pubDate></item><item><title>Re: Safari vs. 
Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322815</link><description>David, Chris *just said* it was about you. =)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 21 Jun 2007 11:30:48 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322814</link><description>@Chris_B&lt;br&gt;Also we don’t weaponize vulnerabilities because we are 31337. Our value to a company is the ability to tell them without a doubt what threats are real and what threats amount to marketing hype. In order to do that we develop a working exploit for every Hacker Eye View report we create. If we can’t get code execution or it will only be reliable in a lab type environment we inform our customers of that. On the flip side if a vulnerability is trivial and does not take much effort to make reliable we tell them that as well. Since we aren’t a vulnerability clipping service we create original exploits for every HEV we write we can speak with authority about the actual impact to an enterprise.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Maynor</dc:creator><pubDate>Thu, 21 Jun 2007 10:26:18 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322813</link><description>Are you serious? Do you use any advisory or QA service? If so you signed a PO with them and you didn’t bother to ask about their disclosure policy? That’s kinda short sighted. 
&lt;br&gt;&lt;br&gt;I think it is about me, you just can’t admit that because it completely takes the wind out of any argument you have. For all the posturing you have done you seem to support organizations that actually put people at risk yet you reserve your scorn for an organization that refuses to help criminals or put users at risk. So it can’t be any business practice we have that makes you dislike my company you as you said, you just dislike me. That’s fine, I don’t like you either but just admit it instead of trying to hide behind hollow arguments and contradicting yourself.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Maynor</dc:creator><pubDate>Thu, 21 Jun 2007 10:05:56 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322812</link><description>@David Maynor&lt;br&gt;&lt;br&gt;None of your response addresses my comment. Let me try and put it a bit more clearly: I don't want to do business with a company that has you as a prominent figure because you come off as a PR problem. &lt;br&gt;&lt;br&gt;It's not you personally, I generally don't want to deal with a QA service or advisory service that makes the sordid details of their business relations with others a matter of public record.&lt;br&gt;&lt;br&gt;Is any of that unclear?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 20 Jun 2007 22:26:29 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322811</link><description>@DaveG&lt;br&gt;I can’t help but notice you continue to attempt to trivialize my disclosure decision to “I don’t report bugs to Apple because I got mad at them”. 
There is more than just Apple on the list and I, according to all my customers, have a valid business reason for what I do.&lt;br&gt;&lt;br&gt;@Outside Party&lt;br&gt;I have to look at Apple products because they affect my customers.&lt;br&gt;&lt;br&gt;@Chris_B&lt;br&gt;Based on what you are saying you must be pissed at vendors like Core who find their exploits in botnets or Matasano who release in-depth details on vulnerabilities on the day the patch is released before assuring every vulnerable person has applied them. &lt;br&gt;&lt;br&gt;Please tell me how I put anybody in danger of being compromised?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Maynor</dc:creator><pubDate>Wed, 20 Jun 2007 19:18:23 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322810</link><description>As a "user" (meaning corporate customer of various security services), allow me to repeat that how a vendor presents themselves to the public has something to do with this whole question. The vendors who come off as "part of the problem", whether that be by releasing 0days or airing their dirty laundry in public, are not vendors who I could consider contracting for any security services at all.&lt;br&gt;&lt;br&gt;"We" customers don't care who is the 1337est of them all in terms of bugs found and weaponized. What it comes down to is the perception that people who do things which might cause harm to can't be trusted.&lt;br&gt;&lt;br&gt;Probably my experience in various aspects of security (not as a bug hunter) colors my opinion, but it is what it is.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 20 Jun 2007 06:13:43 -0000</pubDate></item><item><title>Re: Safari vs. 
Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322809</link><description>@Dave Maynor:&lt;br&gt;&lt;br&gt;If you're not going to "offer free QA services" to Apple, nor share anything that you find, why are you looking at their code at all? Why publish the warning at all if you don't want to be involved? From the outside, what you did looks a lot more like an attempt  to cast a bad light on a company that you have a rocky history with rather than actually improving public safety.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Outside Party</dc:creator><pubDate>Mon, 18 Jun 2007 14:38:00 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322808</link><description>@Dave Maynor:&lt;br&gt;&lt;br&gt;I think the criticism here isn't that you haven't dropped exploit code.  It is that you have publicly stated that you have vulnerabilities in Safari and that you aren't going to help Apple's customers by reporting the vulnerability because you got into a fight with Apple.  &lt;br&gt;&lt;br&gt;Can I ask what specific information is being made available via Hacker Eye's View on this?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave G.</dc:creator><pubDate>Mon, 18 Jun 2007 12:02:07 -0000</pubDate></item><item><title>Re: Safari vs. 
Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322807</link><description>This is an interesting topic that has been debated for years, and this discussion does not seem to have moved the agenda along any further.&lt;br&gt;&lt;br&gt;I have disclosed vulnerabilities under a variety of different policies, proprietary/closed/responsible/full. In all cases, independent third party verification has been possible either through vendor credit or source release.&lt;br&gt;&lt;br&gt;Maynor has had a heated past with Apple. As such it is only natural to expect more from him than unverifiable claims of 6 vulnerabilities. If neither we nor Apple can verify these claims ourselves and no other independent third party can vouch for the claims then that is all they are - unverifiable claims.&lt;br&gt;&lt;br&gt;I don't hold a grudge against Apple, yet I still released the first 0day exploit code for Safari 3. I doubt that I will now have any problems getting a proper and swift response from Apple on my remaining Apple vulnerabilities, all of which will be released under  a responsible disclosure policy quite similar to the one Matasano abides by.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thor Larholm</dc:creator><pubDate>Mon, 18 Jun 2007 11:11:44 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322806</link><description>Our “over hyped” vendor talk brought attention to a vulnerability class that not many people have heard of or thought about resulting in scores of bugs fixed.&lt;br&gt;&lt;br&gt;What I should have done, which seems to be the general feeling here, is protect everybody by dropping 0day and claiming I am helping to fix the problem. 
You forgot that in your comparison, how many of vendor A’s exploits were used to attack innocent people versus vendor B. There seems to be a false sense that patches are applied instantly when they come out which everyone knows is not true. So dropping working PoC with an advisory is leaving tons of people vulnerable. &lt;br&gt;&lt;br&gt;Also there is this criticism that I am not helping people fix a problem. How is a PoC going to assist with that? When vulnerabilities like these appear the best way to protect yourself is to stop using the affected applications. Does anyone here really think releasing PoC for the problems will make end users craft a binary patch to protect themselves, no, of course not. &lt;br&gt;&lt;br&gt;I think the MOST important thing is people don’t get owned, call me old fashioned. I am still holding out for the belief there are lots of ways to get problems fixed without dropping exploit code that can be used by both good guys and bad guys.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Maynor</dc:creator><pubDate>Mon, 18 Jun 2007 07:08:27 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322805</link><description>David, that wasn't aimed particularly at you, but since you asked... my kneejerk reaction is that you start a relationship with the company when you release statements about their products.  You may not care to further the relationship any (say, by giving them or anybody else more details about what you found), but you do have *a* relationship at that point.&lt;br&gt;&lt;br&gt;I don't know if you're standing by your ethics, I'm not trying to judge you or them right now.  
I was just responding to Thomas's statement in a general manner.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">MikeP</dc:creator><pubDate>Sun, 17 Jun 2007 10:17:07 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322804</link><description>so, yes, we all know your disclosure ethics on vulnerabilities and how exploits fit into the equation.&lt;br&gt;&lt;br&gt;but what is your disclosure policy on new threats?  think CWE, not CVE.  how do novel weaknesses become disclosed?  if it is even possible to disclose them responsibly, how does a security researcher go about doing so?&lt;br&gt;&lt;br&gt;what is the Matasano policy on these sorts of disclosures?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">dre</dc:creator><pubDate>Sun, 17 Jun 2007 00:21:02 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322803</link><description>@crash&lt;br&gt;I am in total agreement, I'd just point out that if we want the users to make an informed and rational decision both researchers and vendors should provide  accurate information and should make the disclosure process transparent to external observers. As it is today, most users have no clue whatsoever of what *really* happens during the period that ranges from discovery to public disclosure of a bug (including all the sordid details of the communications between vendors and researchers)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ivan</dc:creator><pubDate>Fri, 15 Jun 2007 19:58:33 -0000</pubDate></item><item><title>Re: Safari vs. 
Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322802</link><description>A poll won't give us totally accurate results, but it sure as heck is a good start. Any online poll is too easy to game. It also depends on the results- will we see a clear trend? Or just as much debate as in the research community.&lt;br&gt;&lt;br&gt;Either way, we won't know until someone tries.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">crash</dc:creator><pubDate>Fri, 15 Jun 2007 18:32:43 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322801</link><description>Do you propose taking a poll, and abiding by it?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 15 Jun 2007 17:28:13 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322800</link><description>We're really losing perspective on this.&lt;br&gt;&lt;br&gt;We have to stop pretending that researchers and vendors have the right to determine disclosure practices. It's really the responsibility of the *users* who are most affected to speak out and tell *us* what they want. &lt;br&gt;&lt;br&gt;On one side is Dave, who doesn't believe in releasing code since that can help the bad guys. It's a reasonable position- before exploit code appears, unless there's a quick workaround, code will probably help the bad guys more than the good guys. Most end users don't have the resources to use detailed vuln info, they want patches and defensive tools/signatures. 
Dave also doesn't want to work with vendors who he's had negative dealings with in the past. &lt;br&gt;&lt;br&gt;On the other side is Ivan, who believes that by giving customers code to test their systems and harden, they are better secured. All vendors should be notified of vulnerabilities and information only released in public with real code. Again, a totally reasonable position.&lt;br&gt;&lt;br&gt;But the real world seems far grayer, and after years of watching this debate it's frustrating to see how little is contributed by those most affected- the users. We need more user participation, and have to stop letting the disclosure debate be completely defined by vendors and researchers.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">crash</dc:creator><pubDate>Fri, 15 Jun 2007 14:16:06 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322799</link><description>David, the name calling is silly drops this argument down to the kindergarten sand-pit.&lt;br&gt;&lt;br&gt;Throwing stones at ivan begs a little test:&lt;br&gt;&lt;br&gt;Vendor-A found a bug in OpenBSD. Despite the vendor's initial "this is just a DoS" reaction, solid research carries on and the bug is proven to result in remote code execution. 
Vendor-A releases the advisory when the patch is available and even publicly credits the OpenBSD team.&lt;br&gt;&lt;br&gt;Vendor-B follows an immensely (over) hyped conference talk (even if it wasn't their doing) with a blog splurb of an advisory with 0 information (but with comments to the trade press)&lt;br&gt;&lt;br&gt;i guess u can guess why Vendor-A doesn't agree that A &amp;amp; B are two peas in the same pod...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">mh</dc:creator><pubDate>Fri, 15 Jun 2007 12:19:33 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322798</link><description>@david maynor&lt;br&gt;&lt;br&gt;No, we don't do the same thing. We provide details about the bugs that *we* discover (which as I explained was not the case of your misplaced WINS example), we contact the vendors and give them details, we publish our findings to everyone at the same time: paying customers and non-paying customers (ie. everybody else), we don't even attempt to profit from our customer base with the bugs we found, we don't sell them that information as a service, we do not herd 0day, we do not claim findings and then show videos as the means of proving our findings, we show technical details and code or we don't show anything, we don't sell "analysis services", we sell software, yes our software includes exploit code for known, publicly disclosed bugs, it does not include 0day (even tho it would make it much more profitable), we even give out defensive software FOR FREE. Not an IDS signature, a fully fledged HIPS for Windows. That's mitigation for everyone not just for those that pay us (which seems to be what you indicated as desirable with your NASL scripts and snort rules). 
&lt;br&gt;We do not have two, three or four different standards for how to conduct ourselves in the industry.&lt;br&gt;&lt;br&gt;Our business practices are absolutely not the same of yours no matter how hard you'd like them to be.&lt;br&gt;&lt;br&gt;Finally, Dual Standards David (DSD, I'll call you that for as long as you call me ITI, seems fair to both of us), you got it all wrong, I don't want to point fingers at you because I think "you're making the world a less safe place", I am upset because you are (or at least I feel that you are) hurting my profession and not helping _me_ solve a security problem that you found and that affects _me_. I don't speak on behalf of the world, I only speak on my behalf and of those that I work with.&lt;br&gt;You are entitled to do whatever you want with your business and I won't pass an ethic judgment on your actions but if I think that what you do does not help me and may put at risk my profession (and a hundredth co-worker's careers) I will say so.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ivan</dc:creator><pubDate>Fri, 15 Jun 2007 11:33:03 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322797</link><description>@Thomas Ptacek &lt;br&gt;Where do you see me asking for anybody to apologize for anything? Ivory Tower Ivan, or ITI (I will only refer to him as that now), wants to point fingers about how I am making the world a less safe place. I believe if he wants to release weaponized code that ends up in a botnet that is his business decision. I just don’t want to get lectured on responsible disclosure by him when we protect our customers in the same way, if not more, than what he does for his customers. 
That would be the equivalent of getting lectured by Andrew Dice Clay about not cursing.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Maynor</dc:creator><pubDate>Fri, 15 Jun 2007 08:30:50 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/#comment-2322796</link><description>@Ivan you said:&lt;br&gt;We did our analysis, wrote, QA’ed the exploit and shipped it to our customers in November 25, 2004.&lt;br&gt;&lt;br&gt;Huh. I have weaponized code and exploits available through our Hacker Eye View service. I have mitigation strategies in the form of Snort rules and NASL scripts for our customers. How did your Impact exploit help customers fix any problems? I don’t recall Impact providing IDS rules or scanner checks… &lt;br&gt;&lt;br&gt;So it sounds like we do the same thing you do, even more by offering actual ways our customers can protect themselves, but somehow I am making the world less safe place. You just lost all credibility in my eyes in any argument regarding this subject but feel free to yell at me more for following the same business practices you yourself follow, make fun of my spelling, and use all caps; things like that really make your argument valid.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Maynor</dc:creator><pubDate>Fri, 15 Jun 2007 08:25:08 -0000</pubDate></item></channel></rss>