Unsent Bugtraq Rant re: Web Vulnerability Checking
Someone asked Bugtraq about whether students in a security class should notify websites of vulnerabilities they have found. Most of the reaction was smarmy, bureaucrat CISSP types saying, "This is totally unethical!" I am sensitive to the problem of signal/noise on Bugtraq and decided against adding my own volume to it, but I did compose the following rant:
I will agree that this is probably the legal position; in Britain Daniel Cuthbert found to his regret that any interaction with a web server at all is fraught with peril. I think the legal position is pretty retarded, though.
Inspecting web sites for XSS is as valid and as ethical as fuzzing binaries. Get something straight: THE BAD GUYS ARE DOING THIS. They are no longer waiting for patches to reverse-engineer, if they ever were. Discovering vulnerabilities and disclosing them to vendors is a good thing.
Without disclosure, consumers are at the mercy of marketing weasels who value the perception of security much more than they value the reality, and FAR more than they value your well-being.
Even if it were not an indisputably Good Thing, you still have to construct an incoherent theory of trespass to craft a law disallowing certain types of interaction with a web server on the internet. Why did you set a web server up if you don't want interaction? Daniel Cuthbert simply added ../../../ to a URL. Web servers function by accepting URLs. That's what they do.
I'm not arguing for full-blown, unauthorized pen-tests. Nor am I arguing for the right to exploit vulnerabilities once found. I'm also trying really hard to stay away from argument by analogy. "Killing the messenger" is not an analogy; it's a precise description of the situation.