From: www.csoonline.com

Software Vulnerability Disclosure: The Chilling Effect

How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal

by Scott Berinato, CSO
January 01, 2007
Last February at Purdue University, a student taking "cs390s Secure Computing" told his professor, Dr. Pascal Meunier, that a Web application he used for his physics class seemed to contain a serious vulnerability that made the app highly insecure. Such a discovery didn't surprise Meunier. "It's a secure computing class; naturally students want to discover vulnerabilities."

They probably want to impress their prof, too, who's a fixture in the vulnerability discovery and disclosure world. Dr. Meunier has created software that interfaces with vulnerability databases. He created ReAssure, a kind of vulnerability playground, a safe computing space to test exploits and perform what Meunier calls "logically destructive experiments." He sits on the board of editors for the Common Vulnerabilities and Exposures (CVE) service, the definitive dictionary of all confirmed software bugs. And he has managed the Vulnerabilities Database and Incident Response Database projects at Purdue's Center for Education and Research in Information and Assurance, or Cerias, an acronym pronounced like the adjective that means "no joke."

Also read Marcus Ranum's dissection of whether vulnerability disclosure makes us more secure.

When the undergraduate approached Meunier, the professor sensed an educational opportunity and didn't hesitate to get involved. "We wanted to be good citizens and help prevent the exploit from being used," he says. In the context of vulnerable software, it would be the last time Meunier decided to be a good citizen.

Meunier notified the authors of the physics department application that one of his students (he didn't say which one) had found a suspected flaw, "and their response was beautiful," says Meunier. They found, verified and fixed the bug right away, no questions asked.

But two months later, in April, the same physics department website was hacked. A detective approached Meunier, whose name was mentioned by the staff of the vulnerable website during questioning. The detective asked Meunier for the name of the student who had discovered the February vulnerability. The self-described "stubborn idealist" Meunier refused to name the student. He didn't believe it was in that student's character to hack the site and, furthermore, he didn't believe the vulnerability the student had discovered, which had been fixed, was even connected to the April hack.

The detective pushed him. Meunier recalls in his blog: "I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student." Meunier's stomach knotted when some of his superiors sided with the detective and asked him to turn over the student. Meunier asked himself: "Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?" Later,


The Rise of Responsible Disclosure

repair post-release, dominate. "The truth is, as a manufactured good, it's extraordinarily expensive [and] time consuming [to make it high quality]." At the same time, as a creative expression, making "quality" software is as indeterminate as the next best seller. "People use software in so many ways, it's very difficult to anticipate what they want.

"It's terrible to say," Arora concedes, "but in some ways, from an economic perspective, it's more efficient to let the market tell you the flaws once the software is out in the public." The same consumers who complain about flawed software, Arora argues, would neither wait to buy the better software nor pay the price premium for it if more flawed, less expensive software were available sooner or at the same time. True, code can be engineered to be more secure. But as long as publishing vulnerable software remains legal, vulnerable software will rule because it's a significantly more efficient market than the alternative, high-security, low-flaw market.
The price consumers pay for supporting cheaper, buggy software is they become an ad hoc quality control department. They suffer the consequences when software fails. But vendors pay a price, too. By letting the market sort out the bugs, vendors have ceded control over who looks for flaws in their software and how flaws are disclosed to the public. Vendors can't control how, when or why a bug is disclosed by a public full of people with manifold motivations and ethics. Some want notoriety. Some use disclosure for corporate marketing. Some do it for a fee. Some have collegial intentions, hoping to improve software quality through community efforts. Some want to shame the vendor into patching through bad publicity. And still others exploit the vulnerabilities to make money illicitly or cause damage.

"Disclosure is one of the main ethical debates in computer security," says researcher Steve Christey. "There are so many perspectives, so many competing interests, that it can be exhausting to try and get some movement forward."

What this system created was a kind of free-for-all in the disclosure bazaar. Discovery and disclosure took place without any controls. Hackers traded information on flaws without informing the vendors. Security vendors built up entire teams of researchers whose job was to dig up flaws and disclose them via press release. Some told the vendors before going public. Others did not. Freelance consultants looked for major flaws to make a name for themselves and drum up business. Sometimes these flaws were so esoteric that they posed minimal real-world risk, but the researcher might not mention that. Sometimes the flaws were indeed serious, but the vendor would try to downplay them. Still other researchers and amateur hackers tried to do the right thing and quietly inform vendors when they found holes in code. Sometimes the vendors chose to ignore them and hope security by obscurity would protect them. Sometimes, Arora alleges, vendors paid mercenaries and politely asked them to keep it quiet while they worked on a fix.
Vulnerability disclosure came to be thought of as a messy, ugly, necessary evil. The madness crested, famously, at the Black Hat hacker conference in Las Vegas in 2005, when a researcher named Michael Lynn prepared to disclose to a room full of hackers and security researchers serious flaws in Cisco's IOS software, the code that controls many of the routers on the Internet. His employer, ISS (now owned by IBM), warned him not to disclose the vulnerabilities. So he quit his job. Cisco in turn threatened legal action and ordered workers to tear out pages from the conference program and destroy conference CDs that contained Lynn's presentation. Hackers accused Cisco of spin and censorship. Vendors accused hackers of unethical and dangerous speech. In the end, Lynn gave his presentation. Cisco sued. Lynn settled and agreed not to talk about it anymore.

The confounding part of all the grandstanding, though, was how unnecessary it was. In fact, as early as 2000, a hacker known as Rain Forest Puppy had written a draft proposal for how responsible disclosure could work. In 2002, researchers Chris Wysopal and Christey picked up on this work and created a far more detailed proposal. Broadly, it calls for a week to establish contact between the researcher finding a vulnerability and a vendor's predetermined liaison on vulnerabilities. Then it gives the vendor, as a general guideline, 30 days to develop a fix and report it to the world through proper channels. It's a head-start program, full disclosure delayed. It posits that a vulnerability will inevitably become public, so here's an opportunity to create a fix before that happens, since the moment it does become public the risk of exploit increases. Wysopal and Christey submitted the draft to the IETF (Internet Engineering Task Force), where it was well received but not adopted because it focused more on social standards, not technical ones.

Still, its effects were lasting, and by 2004, many of its definitions and tenets had been folded into the accepted disclosure practices for shrink-wrapped software. By the time Lynn finally took the stage and disclosed Cisco's vulnerabilities, US-CERT, Mitre's CVE dictionary (Christey is editor), and Department of Homeland Security guidelines all used large swaths of Wysopal's and Christey's work.

Recently, economist Arora conducted several detailed economic and mathematical studies on disclosure, one of which seemed to prove that vendors patch software faster when bugs are reported through this system. For packaged software, responsible disclosure works.

From Buffer Overflow to Cross-Site Scripting

Three vulnerabilities that followed the responsible disclosure process recently are CVE-2006-3873, a buffer overflow in an Internet Explorer DLL file; CVE-2006-3961, a buffer overflow in an ActiveX control in a McAfee product; and CVE-2006-4565, a buffer overflow in the Firefox browser and Thunderbird email program. It's not surprising that all three are buffer overflows. With shrink-wrapped software, buffer overflows have been for years the predominant vulnerability discovered and exploited.

But shrink-wrapped, distributable software, while still proliferating and still being exploited, is a less desirable target for exploiters than it once was. This isn't because shrink-wrapped software is harder to hack than it used to be (the number of buffer overflows discovered has remained steady for half a decade, according to the CVE; see chart on Page 21). Rather, it's because websites have even more vulnerabilities than packaged software, and Web vulnerabilities are as easy to discover and hack and, more and more, that's where hacking is most profitable. In military parlance, web pages provide a target-rich environment.

The speed with which Web vulnerabilities have risen to dominate the vulnerability discussion is startling. Between 2004 and 2006, buffer overflows dropped from the number one reported class of vulnerability to number four. Counter to that, Web vulnerabilities shot past buffer overflows to take the top three spots. The number one reported vulnerability, cross-site scripting (XSS), comprised one in five of all CVE-reported bugs in 2006.

To understand XSS is to understand why, from a technical perspective, it will be so hard to apply responsible disclosure principles to Web vulnerabilities.
Cross-site scripting (which is something of a misnomer) uses vulnerabilities in web pages to insert code, or scripts. The code is injected into the vulnerable site unwittingly by the victim, who usually clicks on a link that has HTML and JavaScript embedded in it. (Another variety, less common and more serious, doesn't require a click.) The link might promise a free iPod or simply seem so innocuous, a link to a news story, say, that the user won't deem it dangerous. Once clicked, though, the embedded exploit executes on the targeted website's server. The scripts will usually have a malicious intent, from simply defacing the website to stealing cookies or passwords, or redirecting the user to a fake web page embedded in a legitimate site, a high-end phishing scheme that affected PayPal last year. A buffer overflow targets an application. But XSS is, as researcher Jeremiah Grossman (founder of WhiteHat Security) puts it, "an attack on the user, not the system." It requires the user to visit the vulnerable site and participate in executing the code.
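As an added illustration of the mechanism just described (example code written for this edit, not from the article or from any of the researchers it quotes): a page that echoes a query parameter into its HTML, shown in its vulnerable form beside a hardened form that encodes the parameter at the output sink, so the victim's browser renders the injected text as literal characters instead of markup. The crafted link, the example.invalid host and the payload (the same harmless popup proof of concept the article describes) are constructed for the demonstration.

```javascript
// Added example, not from the article: a reflected XSS sink and its hardened form.
// Runs under Node.js (uses the built-in URL class); nothing touches the network.

// Characters that must be encoded before untrusted text is placed in HTML.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode untrusted text for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Simulate the server reading the "name" parameter from the link the victim clicked.
function nameFromLink(link) {
  return new URL(link).searchParams.get("name") ?? "";
}

// VULNERABLE: the parameter is concatenated straight into the markup, so any
// tags it carries are parsed by the victim's browser as part of the page.
function renderVulnerable(name) {
  return `<h1>Welcome, ${name}</h1>`;
}

// HARDENED: the same page, but the parameter is encoded at the output sink.
// The attacker's text is still displayed, now as inert literal characters.
function renderHardened(name) {
  return `<h1>Welcome, ${escapeHtml(name)}</h1>`;
}

// Crude check a test suite can run over rendered output: does the HTML contain
// a script element or an inline event handler that the template never emits?
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed link for a hypothetical site: the harmless popup proof of concept
// carried in the "name" parameter, URL-encoded the way a browser would send it.
const CONSTRUCTED_LINK =
  "https://example.invalid/welcome?name=" +
  encodeURIComponent("<script>alert(1)</script>");

// Walk the constructed link through both versions of the page.
function demo() {
  const name = nameFromLink(CONSTRUCTED_LINK);
  return {
    vulnerable: containsActiveContent(renderVulnerable(name)), // true
    hardened: containsActiveContent(renderHardened(name)),     // false
  };
}

console.log(demo());
```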
This is reason number one it's harder to disclose Web vulnerabilities. What exactly is the vulnerability in this XSS scenario? Is it the design of the page? Yes, in part. But often, it's also the social engineering performed on the user and his browser. A hacker who calls himself RSnake and who's regarded in the research community as an expert on XSS goes even further, saying, "[XSS is] a gateway. All it means is I can pull some code in from somewhere." In some sense it is like the door to a house. Is a door a vulnerability? Or is it when it's left unlocked that it becomes a vulnerability? When do you report a door as a weakness: when it's just there, when it's left unlocked, or when someone illegally or unwittingly walks through it? In the same way, it's possible to argue that careless users are as much to blame for XSS as software flaws. For the moment, let's treat XSS, the ability to inject code, as a technical vulnerability.

Problem number two with disclosure of XSS is its prevalence. Grossman, who founded his own research company, WhiteHat, claims XSS vulnerabilities can be found in 70 percent of websites. RSnake goes further. "I know Jeremiah says seven of 10. I'd say there's only one in 30 I come across where the XSS isn't totally obvious. I don't know of a company I couldn't break into [using XSS]."

If you apply Grossman's number to a recent Netcraft survey, which estimated that there are close to 100 million websites, you've got 70 million sites with XSS vulnerabilities. Repairing them one-off, two-off, 200,000-off is spitting in the proverbial ocean. Even if you've disclosed, you've done very little to reduce the overall risk of exploit. "Logistically, there's no way to disclose this stuff to all the interested parties," Grossman says. "I used to think it was my moral professional duty to report every vulnerability, but it would take up my whole day."
What's more, new XSS vulnerabilities are created all the time, first because many programming languages have been made so easy to use that amateurs can rapidly build highly insecure web pages. And second because, in those slick, dynamic pages commonly marketed as "Web 2.0," code is both highly customized and constantly changing, says Wysopal, who is now CTO of VeriCode. "For example, look at IIS [Microsoft's shrink-wrapped Web server software]," he says. "For about two years people were hammering on that and disclosing all kinds of flaws. But in the last couple of years, there have been almost no new vulnerabilities with IIS. It went from being a dog to one of the highest security products out there. But it was one code base and lots of give and take between researchers and the vendor, over and over.

"On the Web, you don't have that give and take," he says. You can't continually improve a web page's code because "Web code is highly customized. You won't see the same code on two different banking sites, and the code changes all the time."

That means, in the case of Web vulnerabilities, says Christey, "every input and every button you can press is a potential place to attack. And because so much data is moving you can lose complete control. Many of these vulnerabilities work by mixing code where you expect to mix it. It creates flexibility but it also creates an opportunity for hacking."
There are in fact so many variables in a Web session (how the site is configured and updated, how the browser visiting the site is configured to interact with it) that vulnerabilities to some extent become a function of complexity. They may affect some subset of users, people who use one browser over another, say. When it's difficult to even recreate the set of variables that comprise a vulnerability, it's hard to responsibly disclose that vulnerability.
"In some ways," RSnake says, "there is no hope. I'm not comfortable telling companies that I know how to protect them from this."

A Wake-Up Call for Websites
Around breakfast one day late last August, RSnake started a thread on his discussion board, Sla.ckers.org, a site frequented by hackers and researchers looking for interesting new exploits and trends in Web vulnerabilities. RSnake's first post was titled "So it begins." All that followed were two links, www.alexa.com and www.altavista.com, and a short note: "These have been out there for a while but are still unfixed." Clicking on the links exploited XSS vulnerabilities with a reasonably harmless, proof-of-concept script. RSnake had disclosed vulnerabilities.

He did this because he felt the research community and, more to the point, the public at large, neither understood nor respected the seriousness and prevalence of XSS. It was time, he says, to do some guerilla vulnerability disclosure. "I want them to understand this isn't Joe Shmoe finding a little hole and building a phishing site," RSnake says. "This is one of the pieces of the puzzle that could be used as a nasty tool."

If that first post didn't serve as a wake-up call, what followed it should. Hundreds of XSS vulnerabilities were disclosed by the regular klatch of hackers at the site. Most exploited well-known, highly trafficked sites. Usually the posts included a link that included a proof-of-concept exploit. An XSS hole in www.gm.com, for example, simply delivered a popup dialog box with an exclamation mark in the box. By early October, anonymous lurkers were contributing long lists of XSS-vulnerable sites. In one set of these, exploit links connected to a defaced page with Sylvester Stallone's picture on it and the message "This page has been hacked! You got Stallown3d!1" The sites this hacker contributed included the websites of USA Today, The New York Times, The Boston Globe, ABC, CBS, Warner Bros., Petco, Nike, and Linens 'n Things. "What can I say?" RSnake wrote. "We have some kickass lurkers here."

Some of the XSS holes were closed up shortly after appearing on the site. Others remain vulnerable. At least one person tried to get the discussion board shut down, RSnake says, and a couple of others "didn't react in a way that I thought was responsible." Contacts from a few of the victim sites (Google and Mozilla, among others) called to tell RSnake they'd fixed the problem and "to say thanks through gritted teeth." Most haven't contacted him, and he suspects most know about neither the discussion thread nor their XSS vulnerabilities.

By early November last year, the number of vulnerable sites posted reached 1,000, many discovered by RSnake himself. His signature on his posts reads "RSnake - Gotta love it." It connotes an aloofness that permeates the discussion thread, as if finding XSS vulnerabilities were too easy. It's fun but hardly professionally interesting, like Tom Brady playing flag football.

Clearly, this is not responsible disclosure by the standards shrink-wrapped software has come to be judged, but RSnake doesn't think responsible disclosure, even if it were somehow developed for Web vulnerabilities (and we've already seen how hard that will be, technically), can work. For one, he says, he'd be spending all day filling out vulnerability reports. But more to the point, "If I went out of my way to tell them they're vulnerable, they may or may not fix it, and, most importantly, the public doesn't get that this is a big problem."

Discovery Is (Not?) a Crime
RSnake is not alone in his skepticism over proper channels being used for something like XSS vulnerabilities. Wysopal himself says that responsible disclosure guidelines, ones he helped develop, "don't apply at all with Web vulnerabilities." Implicit in his and Christey's process was the idea that the person disclosing the vulnerabilities was entitled to discover them in the first place, that the software was theirs to inspect. (Even on your own software, the end user license agreement (EULA) and the Digital Millennium Copyright Act (DMCA) limit what you can do with/to it.) The seemingly endless string of websites RSnake and the small band of hackers had outed were not theirs to audit.

Disclosing the XSS vulnerabilities on those websites was implicitly confessing to having discovered that vulnerability. Posting the exploit code, no matter how innocuous, was definitive proof of discovery. That, it turns out, might be illegal.

No one knows for sure yet if it is, but how the law develops will determine whether vulnerability research will get back on track or devolve into the unorganized bazaar that it once was and that RSnake's discussion board hints it could be.

The case law in this space is sparse, but one of the few recent cases that address vulnerability discovery is not encouraging. A man named Eric McCarty, after allegedly being denied admission to the University of Southern California, hacked the online admission system, copied seven records from the database and mailed the information under a pseudonym to a security news website. The website notified the university and subsequently published information about the vulnerability. McCarty made little attempt to cover his tracks and even blogged about the hack. Soon enough, he was charged with a crime. The case is somewhat addled, says Jennifer Granick, a prominent lawyer in the vulnerability disclosure field and executive director at Stanford's Center for Internet and Society. "The prosecutor argued that it's because he copied the data and sent it to an unauthorized person that he's being charged," says Granick, "but copying data isn't illegal. So you're prosecuting for unauthorized testing of the system" (what any Web vulnerability discoverer is doing) "but you're motivated by what they did with the information. It's kind of scary."

Two cases in a similar vein preceded McCarty's. One was acquitted in less than half an hour, Granick says; in the other, prosecutors managed to convict the hacker, but, in a strange twist, they dropped the conviction on appeal (Granick represented the defendant on the appeal). In the USC case, though, McCarty pleaded guilty to unauthorized access. Granick calls this "terrible and detrimental."

"Law says you can't access computers without permission," she explains. "Permission on a website is implied. So far, we've relied on that. The Internet couldn't work if you had to get permission every time you wanted to access something. But what if you're using a website in a way that's possible but that the owner didn't intend? The question is whether the law prohibits you from exploring all the ways a website works," including through vulnerabilities.

Granick would like to see a rule established that states it's not illegal to report truthful information about a website vulnerability, when that information is gleaned from taking the steps necessary to find the vulnerability, in other words, benevolently exploiting it. "Reporting how a website works has to be different than attacking a website," she says. "Without it, you encourage bad disclosure, or people won't do it at all because they're afraid of the consequences." Already many researchers, including Meunier at Purdue, have come to view a request for a researcher's proof-of-concept exploit code as a potentially aggressive tactic. Handing it over, Meunier says, is a bad idea because it's proof that you've explored the website in a way the person you're giving the code to did not intend. The victim you're trying to help could submit that as Exhibit A in a criminal trial against you.
RSnake says he thought about these issues before he started his discussion thread. "I went back and forth personally," he says. "Frankly, I don't think it's really illegal. I have no interest in exploiting the Web." As for others on the discussion board, "everyone on my board, I believe, is non-malicious." But he acknowledges that the specter of illegality and the uncertainty surrounding Web vulnerability disclosure are driving some researchers away and driving others, just as Granick predicted, to try to disclose anonymously or through back channels, which he says is unfortunate. "We're like a security lab. Trying to shut us down is the exact wrong response. It doesn't make the problem go away. If anything, it makes it worse. What we're doing is not meant to hurt companies. It's meant to make them protect themselves. I'm a consumer advocate."

A Limited Pool of Bravery
What happens next depends, largely, on those who publish vulnerable software on the Web. Will those with vulnerable websites, instead of attacking the messenger, work with the research community to develop some kind of responsible disclosure process for Web vulnerabilities, as complex and uncertain a prospect as that is?

Christey remains optimistic. "Just as with shrink-wrapped software five years ago, there are no security contacts and response teams for Web vulnerabilities. In some ways, it's the same thing over again. If the dynamic Web follows the same pattern, it will get worse before it gets better, but at least we're not at square one." Christey says his hope rests in part on an efficacious public that demands better software and a more secure Internet, something he says hasn't materialized yet.

Or will they start suing, threatening, harassing those who discover and disclose their Web vulnerabilities regardless of the researchers' intention, confidently cutting the current with the winds of McCarty's guilty plea filling their sails? Certainly this prospect concerns legal scholars and researchers, even ones who are pressing forward and discovering and disclosing Web vulnerabilities despite the current uncertainty and risk. Noble as his intentions may be, RSnake is not in the business of martyrdom. He says, "If the FBI came to my door [asking for information on people posting to the discussion board], I'd say 'Here's their IP address.' I do not protect them. They know that."

He sounds much as Meunier did when he conceded that he'd have turned over his student if it had come to that. In the fifth and final point he provides for students telling them that he wants no part of their vulnerability discovery and disclosure, he writes: "I've exhausted my limited pool of bravery. Despite the possible benefits to the university and society at large, I'm intimidated by the possible consequences to my career, bank account and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: 'There is no way to report a vulnerability safely.'"
Email feedback to Senior Editor Scott Berinato.
CXOMediaInc.
