Book Review: Cult of the Dead Cow

TL;DR: It’s a good story, not a history book. If you are looking for a good story with a message, read it. If you are looking for a nuanced description of what was happening in history, look elsewhere.

The NYTimes called “The Cult of the Dead Cow: How the Original Hacking SuperGroup Might Just Save the World” by Joseph Menn a great piece of storytelling, and I will agree, it is definitely a story. This is not a history book. While I only found minor factual errors, which can be attributed to twenty years of fog, the facts that have been used only tell part of the overall story and are used to paint the picture that Menn wants the reader to see. But this is the job of any good author, and Menn pulls it off masterfully. However, as someone who lived through and participated in many of the events mentioned in the book, actually reported on them at the time through my own news outlet, and was and still is close friends with many of the characters, I see Menn’s story for what it is, a story.

Anything written about the Cult of the Dead Cow that uses members of the group as its primary source material needs to understand the group’s history. For most of the group’s existence the cDc wasn’t really about hacking. Yes, the group existed online in the before time, in the long long ago, and so most of its members were very technically adept, but the group wasn’t really about hacking. It’s all right there in the group’s publications, the t-files. There are a few early files that could be considered hacker related, but for the most part they are shock value human interest pieces. The group was about public spectacle, at least that’s how it appeared to other non-member hackers. Just look at the huge productions made of the Defcon releases of Back Orifice and BO2K and of course the completely made up Hong Kong Blondes. Even one of the group’s taglines, ‘global domination through media saturation’, suggests the group was just in it for the glory. Menn knows this, as he calls the cDc a ‘performance art group’ (page 2), the ‘liberal arts section of the computer underground’ (12), ‘the arts wing of the hacking community’ (21), ‘successor to the Merry Pranksters’ (23), ‘more of a social space’ (25), ‘they were an enormous inside joke for hackers’ (47) etc… Menn knew that cDc was ‘playing with the media’ (58) and that they would ‘jam information to see how far out it would go’ (59). As such, and Menn alludes to this in the book obliquely, anything the group says to a reporter or an author needs to be taken with a grain of salt.

Menn seems to take liberty with which facts he includes and which ones he decides to omit or quickly gloss over. Obviously he can’t include everything in the book or it would easily be five or ten times longer and his big story would get lost in all the other little stories. But there are major important facts that should not only be included but expounded upon and explained in order to give a complete and accurate picture to the reader.

For example, the transition of The L0pht from hobby space to LLC to VC backed firm didn’t just happen, it wasn’t just a one person idea. (56) It was a huge deal. It was not the first time a hacker group had tried to become a company, but when you are the first legal LLC in the state and making the move from quasi underground organization to paying taxes, I would think it warrants more of a mention than just ‘newly incorporated’ (56), especially among other hackers, where accusations of ‘sell out’ were often heard. Another important yet glossed over part of the story was the expulsion of Count Zero. He wasn’t kicked out because he didn’t want to transition (56) but because he wasn’t respecting the space, not following the communal house rules, and kept mostly to himself.

Not only has Menn omitted major events, which admittedly could be simply an author’s prerogative, he has confused the reader on more than one occasion. For example, this book review was unable to distinguish between members of the Cult of the Dead Cow and members of the cDc Ninja Strike Force, which while closely aligned were two separate groups. There is also an extreme blurring of lines between cDc and L0pht. Menn goes so far as to label L0pht as the cDc’s East Coast base (59), despite later claiming that at least two cDc members (Veggie and FreqOut) (49) along with the group’s servers were on the other side of town at Messiah Village, which had nothing to do with The L0pht. Yes, cDc, Messiah Village, Hell House, Sin House, L0pht and others were all friends and knew each other (Boston was a glorious hacking place in the mid-late 90’s), but we were separate, distinct groups. Menn’s book seems to treat everyone as one large homogeneous cluster that happened to be in Boston, and it was anything but.

Menn treats the entire Hong Kong Blondes debacle, which was pointed out as fake and labeled as a ‘media hack’ years ago, as some sort of glorified civil rights cause. That somehow lying to multiple news organizations for years to highlight human rights abuses (Menn isn’t clear as to how) was a just and moral thing. If such a thing happened today it would either be called Fake News or aired on FOX. It is unclear what good exactly came from these efforts and Menn does a poor job of explaining it to the reader. In fact, if you read too quickly you may not even realize that this was anything more than an attention grab by cDc and that the HKBs had no basis in reality. I feel Menn does a serious disservice here by not flat out labelling the Hong Kong Blondes by what they actually were, lies.

I have criticized how other tech books have handled footnotes and I will do so again with Menn’s book for completely different reasons. In my review of Kim Zetter’s excellent book Countdown to Zero-Day I said that including the footnotes inline on every page detracted from the main story, especially when they took up half the page in a tiny font; for that book I would have preferred the footnotes at the end. The exact opposite is true for Menn’s book. There are key footnotes that Menn sticks in the back of the book because they don’t fit in nicely with his narrative. For example, the footnote on the origin of hacktivism (215). In the footnote Menn claims that previous research on the origin of the word is irrelevant and yet makes a major claim in the main text that cDc not only coined the term but attempted to popularize it. Additional research as to the origin of the word would seem appropriate to include in the main body of the text so that the reader can frame the ensuing paragraphs appropriately. Then in footnote 54 (218) Menn mentions that Mudge is prone to exaggeration. Mudge and I shared an apartment for a year, I heard all his stories more than once, I am intimately familiar with his storytelling tendencies. (This is not a bad thing, they are great stories!) Considering that Mudge is Menn’s primary source for all the stuff about L0pht and features prominently in three chapters of the book, it would seem that his tendency to tell tall tales would be important information that should be prominently shared with the reader and made into the primary text, and not relegated to page 253.

There are numerous points throughout the book (as in several per page) where I remember things differently. In many cases what I feel are very relevant facts have been omitted and in others there are minor factual errors that impact the overall meaning. There are entire sections of the book that have little to nothing to do with The Cult of the Dead Cow, like the VC funding of L0pht, but are included anyway to support Menn’s overall story arc. I may try to go through and document each one of these if I can find the time, or I may not.

Much of this book dealt more with the L0pht than with cDc, and while there was some cross pollination we were two separate groups, each with its own accomplishments and goals. Unfortunately, as a book about L0pht there just isn’t enough here; there are many more aspects to what the L0pht accomplished and did. Evidently Menn felt that large parts of the L0pht story are somehow relevant to cDc when they really aren’t. That being said, this book is a very fun read, a fun romp down memory lane (even if the lane doesn’t follow my own memory exactly) and in the end it’s a great story. But it is just that, a story.

Revisiting L0pht testimony – 20yrs later

Here is a copy of my introductory statement from the May 22, 2018 briefing where L0pht revisited its historic Senate testimony of twenty years earlier. (supporting links at the end.)

Good Afternoon, I’m Space Rogue. Twenty years ago, out of fear of corporate retaliation through lawsuits Space Rogue was the only name I used. Today I also use the name Cris Thomas, although not as frequently, and I work as the Global Strategy Lead for IBM’s X-Force Red which is the offensive security services part of IBM Security.

We are here today to talk about how things have changed in information security over the last twenty years. When we were here twenty years ago a lot of people said we were a voice of reason attempting to warn people about just how much risk was inherent in our critical systems. A lot of people in information security, or I guess we call it cyber security now, that’s one change right there, will tell you that nothing has changed, that we still have issues with passwords, from password reuse, to weak passwords, to no passwords. We still have organizations who ignore the problems either through ignorance, ambivalence or just greed. And we still have people who try to blame users for technological failures.

A Hacker at the Polls

On the second Tuesday in November I burned a vacation day, woke up at five in the morning and drove to a church down the street from where I live. I sat at a long table for thirteen hours and looked up names in a book. While I wasn’t at the church to pray I still felt as though I was cleansing my soul in some way. Over the years, for various reasons, I had amassed what I felt was an extremely high level of personal voter debt and I felt this was a way to at least begin to pay some of it back.

During the last election I spent a lot of time being a pundit preaching about the integrity of the voting process. I figured if I am going to keep talking about elections I should get a look at what actually happens at polling places. So a few months before this election I did a few Google searches, found my county’s voter information website and sent an email to the address listed for volunteers. The district where I vote was full so they assigned me to the neighboring district. In Pennsylvania the state voting website has a few videos to help explain to volunteers what to expect on Election Day. Despite them requiring Flash, I watched them all.

Of course I had to live tweet the whole day. When I arrived on Election Day morning it was just me and ‘Mary’ the Judge of Elections. Even though there wasn’t much to see she showed me around, pointed out the coffee and the restrooms and mentioned the voting machines which were already set up off to the side. In my district we use a Direct Record Electronic (DRE) voting machine. They weren’t much to look at but I still had to fight my urges to immediately start pulling them apart. I wasn’t here to test or even play with the machines anyway.


The Continuing Evolution of Cyber

I don’t think there is another word in the English language that provokes as much of an emotional response from information security professionals as ‘cyber’. In fact, half of the people who just read that last sentence are like yeah, but cyber is not a word, it’s a prefix. (The other half probably just started giggling.) Unfortunately for them, Merriam-Webster and the Oxford English Dictionary have both recently listed cyber as a stand-alone word, an adjective with the definition ‘of, relating to, or involving computers or computer networks’, which to me is an extremely broad definition. The Cambridge, Macmillan and Longman dictionaries all still list cyber as a prefix, but I am sure they will upgrade it to full word status soon. Can official use as a noun, the cyber, be far behind?

Cyber is generally understood to have originated in the Greek word ‘κυβερνήτης’ or ‘kybernetes’, which originally meant helmsman, as on a ship, which came to mean ‘to steer’ and eventually ‘to govern’. Norbert Wiener chose this word when, in 1948, he entitled his book Cybernetics or Control and Communication in the Animal and the Machine. It was Wiener’s work on the automatic aiming and firing of anti-aircraft guns during World War II that caused Wiener to investigate information theory. This was the first documented use of the word ‘cybernetics’ in English.


L0pht T-Shirt Quilt

It is hard to work in Infosec for very long and not amass a huge number of T-shirts. Vendors give them away like candy thinking that somehow a free t-shirt is going to make you spend thousands of dollars on their blinky light solution versus their competitor’s blinky light solution. However, some t-shirts tend to have a greater value than others. Those shirts emblazoned with logos from projects or companies that you actually worked with tend to have the most value. Then the question becomes what do you do with them?

For me, for the last twenty years or so, my most valuable t-shirts lived in a plastic box under my bed. I never wore them, because, well, I don’t wear t-shirts much and these were a little too valuable to me to risk them fading due to overuse. And so they stayed in the box, seldom seen.

A few years ago I ran across a company offering to make a quilt out of old T-shirts. I thought this was a great idea! And the price was pretty inexpensive too. I almost sent my shirts in immediately but for some reason I hesitated. I started Googling and found there is more than one company making quilts out of T-shirts and way more than one way to do it. I knew nothing about fabric design or quilting, backing material, batting, stitch length, binding, etc. Evidently there is quite a bit that goes into a quilt and I only had one copy of many of my T-shirts. I didn’t want to risk going with a low cost option simply because it was low cost.

In the end I chose Too Cool T-Shirt Quilts. I boxed up my shirts and sent them in. They emailed me as soon as they got the box and asked me what sort of options I wanted, how big of a border, any designs in the quilting, special positioning of certain shirts, etc. Two weeks later they sent me these photos.

(Photos: L0phtQuiltFront, L0phtQuiltBack)

I was pretty impressed. It looked great, especially the quilting design that showed through the back. My whole purpose for getting the quilt though was to hang it on the wall in my office at home. I ordered a custom quilt hanger from Robinson’s Wood Crafts. This allows you to hang a quilt on the wall without putting holes in the quilt itself.

(Photo: L0phtQuiltWall)

If you have a box of valuable T-shirts taking up space under your bed you might consider getting a quilt made, but do your own research; the cheapest option may not be the best one for you and your T-shirts.

SouthWest Password Ad is both Good and Bad.

Southwest Airlines recently aired a TV ad in their “Wanna Get Away” series that features some serious password blunders. In the ad a General is asked for his password so that they “can lock down the system”, which he then reluctantly provides. The password, “ihatemyjob1”, is rather embarrassing and hilarity ensues. Let’s watch…

https://www.ispot.tv/ad/AEjj/southwest-airlines-wanna-get-away-sale-sharing-your-password


Let us count the bad security practices used in this ad…

1. A single point of failure. (The General)
2. He verbally shares his password for everyone to hear instead of typing it in himself.
3. The password is displayed without a mask.
4. The password is displayed in 100 point type on a 20 foot screen for everyone in the room to see.
5. Password does not use uppercase or special characters.
6. While the password uses a number it is appended to the end.
7. No two-factor authentication.
8. Everyone who sees this ad thinks that while ‘ihatemyjob1’ may be an embarrassing password it is perfectly acceptable since a general uses it.

Let us count the good security practices in this ad

1. The password is longer than eight characters.
2. The password uses a number.
3. Everyone who watches this ad hopefully realizes that they use a similar password and quickly changes it to something better.

Let’s face it, while slightly funny this ad will make no one stop and think about how secure their own password may or may not be. However, it might make some people think that ‘ihatemyjob1’ or something similar is perfectly ok to use.

Addendum: The general’s uniform in this ad is a disgrace. Although probably done on purpose so as to not offend any one service, they have in fact offended all services.

Tilting It Sideways

Trying to track down the origins of an Internet meme can be an almost fruitless endeavor. Other than giving credit to its originator and perhaps giving them a few minutes of Internet fame there really isn’t a lot at stake by determining who was the kid in the success.gif or what meme Laina Morris is responsible for. Finding the origin of a story involving the breach of critical infrastructure however, can be rather important.

Like funny Internet memes, stories about compromises of water plants, steel factories, power companies or other systems controlled by SCADA or ICS can be repeated over and over until they are accepted as facts with no one questioning their authenticity. Previous events such as power outages in Brazil, a water pump failure in Illinois, the improper shutdown of a blast furnace at a German steel mill, and a pipeline explosion in Turkey were all originally attributed to cyber attacks. In fact, cyber attacks were blamed in almost all cases not because there was any actual evidence but rather because of the lack of any other explanation. Since nothing else could have caused the problem it must have been those meddling hackers.

I recently heard of a new incident that seems to fall into this same scenario. The story claims that hackers broke into the control system of a floating oil rig off the coast of Africa, somehow messed with the ballast control and caused the rig to tilt. The rig had to be taken offline while the systems were cleaned up. As with most of these types of stories no supporting information is given. No actual dates, no name of the oil rig or its owner; even the location in this story is vague, ‘off the coast of Africa’, an entire continent.


Transcription of L0pht Testimony

Transcription of the YouTube Video:
Hackers Testifying at the United States Senate, May 19, 1998 (L0pht Heavy Industries)
https://www.youtube.com/watch?v=VVJldn_MmMY

Transcribed by:
https://www.fiverr.com/alx_does

Senator Thompson: …If you gentlemen would come forward… We’re joined today by the seven members of the L0pht, hacker think tank in Cambridge, Massachusetts. Due to the sensitivity of the work done at the L0pht, they’ll be using their hacker names of: Mudge, Weld, Brian Oblivion, Kingpin, Space Rogue, Tan, and Stephen Von Neumann. Gentlemen…

Off Camera: I thought you were the Kingpin?
(Laughter)

Senator Thompson: I ah, I hope my grandkids don’t ask me who my witnesses were today, and say.. Space Rogue…

But we do, we do understand your — and do appreciate your being with us. Do you, ah, may I ask your name?

Mudge: I’m Mudge.

Senator: Mudge would you like to make a statement?

Mudge: Yes I would. Emmm! Thank you very much for having us here. We think this is hopefully a very great step forward and are thrilled that the government in general is, is starting to approach the hacker community. We think it’s a tremendous asset that the hackers bring to the table here, an understanding! Emm! My handle is Mudge and I and the six individuals seated before you, which we run down the line: Brian Oblivion, this is John Tan, King Pin, Weld Pun, Space Rogue, and Stephen Von Neumann… We make up the hacker group known as The L0pht. And for the last four years, the seven of us have been touted as just about everything, from The Hacker Conglomerate, The Hacker think tank, the hangout place for the top US hackers, network security experts and the consumer watch group. In reality, all we really are, is just curious. For, well over the past decade, the seven of us have independently learned and worked in the fields of satellite communication, cryptography, operating systems’ design and implementation, computer network security, electronics and telecommunications.

To other learning process, we’ve made a few waves with some large companies such as Microsoft, IBM, Novell, and Sun Microsystems. At the same time, the top hackers, and the top legitimate cryptographers, and computer security professionals pay us visits when they are in town, just to see what we’re currently working on… so we kind of figured we must be doing something right.

I’d like to take the opportunity to let the various members talk about a few of their various projects, their current projects and what they are going to be working on in the future. Umm! Weld?

I watched CSI:Cyber so you don’t have to.

CSI has a proven formula for making popular TV shows. Unfortunately that history does not include accurate TV shows. When it comes to tech and things ‘cyber’ this is probably the preeminent example of CSI being bad and wrong at the same time. I thought there was no way they could top this, I was wrong.

Hollywood has had a long history of doing tech wrong. Take a look at the recent Scorpion TV show, on second thought don’t, it’s almost as bad. Occasionally Hollywood does get tech correct, like with the recent Blackhat movie, but while the tech was good the movie itself was bad for other reasons. The last time, perhaps the only time, Hollywood got the movie and the tech right was Sneakers, which is coming up on a quarter century in age.

While I think it is great that TV shows like this bring technical issues to a mass audience, scaring people into thinking that the Internet is out to get them is probably not in anyone’s best interest. Humans often do stupid things when they are scared.

Let me talk first about the few things that CSI:Cyber got right. The show mentions that social media is a huge aid to law enforcement and one of the characters jokingly says that’s why he doesn’t use it. This is absolutely correct; Facebook, Twitter and other sites are often the first step in an investigation of any sort, often even before they interview witnesses or suspects.

The softball shaped camera that is thrown through an open window into the bad guys’ lair near the end is an actual thing that is actually used by law enforcement. They got this right.

In another scene one of the technical characters, who is labeled as ‘the greatest hacker in the world’ (I’m not even going to touch that statement) claims that RATs or Remote Access Trojans are easy to get for $40 on the ‘surface net’. He is right about the easy to get part although his price is a little high and I have no idea what the ‘surface net’ is. But yes, tools that online criminals use like RATs are very easy to come by. The thing about Remote Access Trojans is that they are very similar to legitimate Remote Access Tools like say Go To My PC or Remote Desktop,

Probably the most important thing that they got right in this show was when the World’s Greatest Hacker was berating the lowly tech employee for allowing a vulnerability to exist in the company’s software and the tech guy responds with “I took it upstairs but they didn’t listen.” This is an all too common theme that is often repeated in the information security world. Company executives often refuse to listen to security concerns and instead focus more on the bottom line. This is probably the single truest thing this show got right.

The second most important thing they got right was the weak security present in many Internet connected cameras. Many such cameras have default passwords and are easily searched for over the Internet, allowing anyone to connect to the camera and watch and listen to what is happening. There have been cases where people will connect to a camera and then yell at the sleeping baby. Manufacturers of these cameras were told about their default password problems but most refused to fix the problem, that is until these stories started to hit the press and the FTC started to levy fines. Even after the company issues an update to the device’s firmware it is up to the owner of each camera to learn about the update and apply the patch themselves. This seldom happens, leaving tens of thousands of devices installed in people’s homes that anyone can access.

Other than that just about everything else in the show is just completely unbelievably wrong. Not only are things wrong but they play on known false tropes, like that lead can block radio signals (it can’t), that convicted criminals are allowed to work in the field on active investigations, that you can quickly separate overlaid audio and translate it, that you need big wall sized monitors in order to catch bad guys, that hackers who could be halfway across the world are conveniently just an hour or less away, that non-smart phones can have GPS apps and that cops treat forensic data so carelessly.

One of the most egregious examples was the speed at which the characters analyzed the camera’s source code and it came up all green and then turned red. Source code doesn’t just magically turn red when malware is found. Reverse engineering is painstakingly hard, and it takes a lot of time. If code could just magically turn red if it did bad things, like it does in this show, the world would be a much, much better place.

I was especially troubled by one of the statements made early in the show: “Any crime involving electronic devices is by definition, cyber.” While this is just a TV show there are people who believe this or at least will be influenced by this. This scares me, as I guess that makes my electric drill cyber.

Also I loved how the characters on the show could do these crystal clear remote videoconferences from remote locations. How? They never bothered to explain where the camera was or what they are using for bandwidth. If they did it with their cell phones I want to get on that data plan.

And I could not overlook that they had the one black person on the show repeat a racist nursery rhyme, “Eenie meenie miny moe, catch a…” well, they changed the word on the show but I’m really surprised they let that through.

If you didn’t watch this show you didn’t miss anything, at all, and I encourage you not to watch it; in fact just forget that it exists and with any luck it will be canceled. And then we just have to wait for the next TV show to do tech wrong.

In the Beginning There was Full Disclosure

Two of the largest companies in the world are bickering with each other about how best to protect users. I won’t get into just how historically hypocritical this is for both Microsoft and Google or how childish it makes them both look but it brings up a debate that has been raging in security circles for over a hundred years starting way back in the 1890s with the release of locksmithing information. An organization I was involved with, L0pht Heavy Industries, raised the debate again in the 1990’s as security researchers started finding vulnerabilities in products.

In the beginning there was full disclosure, and there was only full disclosure, and we liked it. In the beginning the goal was to get stuff fixed, it wasn’t about glory, it wasn’t about bug bounties, it wasn’t about embarrassing your competition. No, in the beginning it was about getting bugs fixed. It was about getting the software that you used, the software you deployed to your users, it was about getting it fixed, getting it to be safe. However, in the beginning vendors didn’t see it that way, many of them still don’t. Vendors would ignore you, or purposely delay you. There is no money in fixing bugs that no one else is complaining about so most vendors wouldn’t fix them, at least not until it became public and all of their customers started to complain about them. That was the power of full disclosure.

Vendors of course hated full disclosure because they had no control over the process, in fact there was no process at all and so they complained, vociferously. Vendors talked about ethics and morality and how full disclosure helped the bad guys. So a guy named Rain Forest Puppy published the first Full Disclosure Policy promising to release vulnerabilities to vendors privately first but only so long as the vendors promised to fix things in a timely manner. If the vendor didn’t get stuff fixed the researcher could still pull out their most effective tool, full disclosure, to get the job done.

But vendors didn’t like this one bit and so Microsoft developed a policy on their own and called it Coordinated Disclosure. Coordinated Disclosure calls on researchers to work with the vendor until a fix can be released regardless of how long that takes. Under Coordinated Disclosure there is no option for Full Disclosure at all. Of course Coordinated Disclosure assumes that the vendor is even interested in fixing the bug in the first place.

The problem that many companies who have vulnerability disclosure policies don’t realize, such as Microsoft, is they have forgotten that they are not the ones in control. Vendor disclosure policies are not binding on the researcher. It is the researcher’s choice whether or not to follow a company’s disclosure policy. Vendor policies work great for the vendor, it gives them all the time in the world to fix a bug, but for researchers who want to get stuff fixed such policies can be a major pain to work within.

Disclosing vulnerabilities isn’t an easy thing. In the mid nineties at L0pht Heavy Industries we quickly found that vendors had absolutely no interest in fixing bugs at all and instead would prefer that we just kept our mouths shut. A lifetime later it was part of my job to help coordinate with various vendors the disclosure of vulnerabilities that were found by our pentesters. If you’re a lone researcher and only have one vulnerability it’s not such a big deal, you send a few emails, wait a little while and if the vendor is cooperative a fix is pushed out in a few days or months time. If you happen to have several dozen vulnerabilities that you are attempting to get fixed, all at the same time, and all by different vendors, the process can be a little more involved. In fact simply coordinating these disclosures can be a full time job for multiple people within an organization. There is no ROI here either; the ‘simple’ process of attempting to disclose vulnerabilities eats up revenue in the time your employees take trying to coordinate vulnerabilities and get stuff fixed.

In 2009 several researchers found the disclosure process so onerous that they started the “No More Free Bugs” campaign and promised not to release any vulnerabilities for free. In response vendors started bug bounty programs where they rightly paid researchers for their hard work. However, even that process comes at a cost for both the vendor and the researcher. So much so that there are now third party companies that will help vendors run bug bounty programs and help researchers disclose vulnerabilities.

Of course there are still vendors who refuse to fix stuff or who wait forever to do so. According to Tipping Point’s Zero Day Initiative there are currently 212 known security vulnerabilities without fixes, several of which are over a year old. It is likely that the only way any of these ancient bugs will get fixed is by pulling out the old standby of Full Disclosure. In fact Tipping Point has threatened to do just that, giving vendors just six months to get stuff fixed before they publish limited details on the bugs.

This has all led us to the point where Google has a disclosure policy that basically says they’re going full disclosure in 90 days whether the bug is fixed or not. And to the point where Microsoft is asking for just a few more days so they can include the fix with their regular Patch Tuesday. Two big kids who should be setting the example are instead acting like a couple of teenagers on the playground. How does any of this get stuff fixed and protect users?

This is why you see many companies and individual researchers not disclosing anything at all, and this should not happen. And I haven’t even gotten into the issue of vendors filing lawsuits against researchers as a means to keep them quiet.

The entire process has gotten out of hand. The number one goal here should be getting stuff fixed because getting stuff fixed helps protect the user, it helps defeat the bad guys and it helps make the world a better place.

Microsoft says that full disclosure “forces customers to defend themselves” which is the wrong way to look at it. Full disclosure allows companies to defend themselves if they so choose. The opposite is non-disclosure, which helps no one. Just because a bug hasn’t been disclosed doesn’t mean it is not there. It doesn’t magically pop into existence only when someone publishes something about it. The bug is there, waiting to be found. Maybe the bad guys already found it. Maybe they are already using that bug against you. And yet you are blissfully unaware that the bug even exists. Full disclosure gives you knowledge that you can use to protect yourself even if a patch is not available. You can choose to turn off the affected device, or add additional protections to your environment to help you mitigate the risk. Once disclosure happens this is now your choice, you can evaluate the risk this particular bug presents to your environment and make an educated decision of what steps to take depending on your own risk tolerance. While most users will continue on blissfully unaware or choose to ignore the information that too is their choice, not Microsoft’s, and not Google’s.

Google’s goal of getting everything they find fixed within three months is laudable but unrealistic. Some bugs just take a little bit longer to verify, develop patches for, and test. It is not unreasonable to be a little flexible if you feel the vendor is working in good faith to develop a patch. To arbitrarily go full disclosure when you know the vendor has a patch just days away is immoral. It puts users at risk and makes you look like a stubborn child.

In this particular case both the vendor and the researcher are wrong. Microsoft obviously communicated the status of the fix to Google and told Google when to expect the patch. It is not unreasonable for Microsoft to ask for a few extra days and it should not be unreasonable for Google to grant such a request. On the other hand I am sure Google informed Microsoft that they would only wait 90 days before going full disclosure, Microsoft was informed of the risk of full disclosure and should have pushed harder to meet the deadline.

And so the disclosure debate continues unabated for over a hundred years. With two of the giants in our industry acting like spoiled children we as security professionals must take the reins from our supposed leaders and set a better example. It needs to be about protecting the user. It should not be about grandstanding or whining or even making a buck; in the end it should be about getting stuff fixed.

UPDATE 2015.02.13
Google has made an update to its 90-day disclosure deadline. They have decided to make allowances for deadlines that fall on weekends and holidays and, more importantly, have granted a grace period for vendors who communicate their intent to release a patch within 14 days of the 90-day deadline. It is nice to see vendors and researchers working together. The goal here should be to protect the users and not embarrass vendors. This grace period shows an understanding of the issues surrounding disclosure that impact vendors while at the same time continuing to hold them to a high standard.
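Anyone coordinating more than a handful of disclosures at once, as described at the top of this post, ends up keeping a tracker of when each report may go public. The following is an added example (not code from the original post, and not Google’s or anyone else’s actual tooling) that models the deadline policy as the update above describes it: a 90-day clock from the day the vendor is notified, a deadline that lands on a weekend or holiday rolls to the next working day, and a vendor that commits to a patch date within 14 days of the deadline gets a grace period up to that date. The holiday list, the `Report` fields, the report identifiers and the sample dates are all constructed for illustration.

```python
"""Disclosure-deadline tracker (added example; models the policy described
in the post, not any vendor's or researcher's real tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

DEADLINE_DAYS = 90   # days the vendor gets from notification to publication
GRACE_DAYS = 14      # extra days allowed when a patch date is committed

# Constructed holiday list. Assumption: a real tracker would load the
# calendar of the coordinating organisation instead of hard-coding it.
HOLIDAYS = {date(2015, 1, 1), date(2015, 5, 25), date(2015, 7, 3)}


def next_working_day(d: date, holidays=HOLIDAYS) -> date:
    """Roll a date forward past weekends (Sat=5, Sun=6) and listed holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


@dataclass
class Report:
    ident: str                              # tracker id (constructed, not a CVE)
    vendor: str
    reported: date                          # day the vendor was notified
    patch_promised: Optional[date] = None   # fix date the vendor committed to
    fixed: Optional[date] = None            # day the fix actually shipped


def base_deadline(r: Report) -> date:
    """90 days after notification, rolled off weekends and holidays."""
    return next_working_day(r.reported + timedelta(days=DEADLINE_DAYS))


def disclosure_date(r: Report) -> date:
    """Earliest date details may be published under the modelled policy.

    The grace period applies only when the vendor has committed to a patch
    date that falls after the deadline but no more than GRACE_DAYS later.
    """
    deadline = base_deadline(r)
    if (r.patch_promised is not None
            and deadline < r.patch_promised <= deadline + timedelta(days=GRACE_DAYS)):
        return next_working_day(r.patch_promised)
    return deadline


def status(r: Report, today: date) -> str:
    """One of: fixed, pending, grace, overdue."""
    if r.fixed is not None and r.fixed <= today:
        return "fixed"
    if today < base_deadline(r):
        return "pending"
    if today < disclosure_date(r):
        return "grace"          # past the deadline, inside a committed patch window
    return "overdue"            # publication is permitted and no fix has shipped


def triage(reports: Iterable[Report], today: date) -> Dict[str, str]:
    """Status of every tracked report on a given day, keyed by id."""
    return {r.ident: status(r, today) for r in reports}


if __name__ == "__main__":
    # Constructed sample reports: 2015-01-05 + 90 days is Sunday 2015-04-05.
    sample = [
        Report("TRK-1", "vendor-a", date(2015, 1, 5)),
        Report("TRK-2", "vendor-b", date(2015, 1, 5), patch_promised=date(2015, 4, 14)),
        Report("TRK-3", "vendor-c", date(2015, 1, 5), patch_promised=date(2015, 4, 30)),
        Report("TRK-4", "vendor-d", date(2015, 1, 5), fixed=date(2015, 3, 20)),
    ]
    for r in sample:
        print(r.ident, base_deadline(r), disclosure_date(r), status(r, date(2015, 4, 10)))
```

In the sample, TRK-2’s vendor committed to a patch eight days after the rolled deadline, so it sits in the grace window; TRK-3’s promised date is outside the 14-day window and earns no extension, which is the distinction the update draws.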

Interested in reading more?

Microsoft’s latest plea for VCD is as much propaganda as sincere – OSVDB

Microsoft blasts Google for vulnerability disclosure policy – CSO Online

A Call for Better Vulnerability Response – ErrataSec