Tuesday, 8 November 2011

Demonising security researchers

Even today security researchers
run the risk of demonisation
Security researchers used to be viewed with extreme suspicion but commonly they work with companies to fix problems, rather than cause them.

Some IT firms have not quite entered into this spirit of cooperation.

This year three separate cases have made the headlines. In April one researcher was threatened with legal action when he disclosed a buffer overflow vulnerability in a music-making application. A report on Dark Reading covers this case and one other in the same year.

Today it turns out that Apple has banned well-known researcher Charlie Miller from its software development programme. His access is suspended for a year.

Miller today sent the following message out through the Twitter system:

Just found out not only am I kicked out, I can't come back for a year. 1 year suspension. (Thanks @ioerror for actually reading the email)
0xcharlie

I've also experienced issues with some security services resisting my efforts to test them. My guess is that they are afraid I'll run a full penetration test rather than the more basic tests I hope(d) to run.

Only once have I been directly threatened by legal action. Well, twice, but the first time was so unpleasant that it sticks in my mind. Actually, three times but anyway...

Ten years ago I was asked to review some encryption software for the UK's biggest business IT magazine. The software was also a service. It was supposed to encrypt files and then upload them to a secure server.

Early one morning I installed the software and headed for a quick bath (I did not have a shower in those days). On a whim I turned back and, resplendent in dressing gown, leant over my desk, called up a Windows console and typed the following:

C:\> netstat

I saw an FTP connection to a well-know (at the time) and low-cost ISP.

Ignoring a bath overflow event in the next room I fired up Ethereal (now Wireshark). Restarting the encryption software caused it to re-connect to the 'secure' FTP server. I now had a username and password to the server. I also knew the path to where my files were stored. I then typed:

C:\> ftp <username>@<server_ip>

This produced a list of directories. One of them was for my files. The others were not. I was able to access the encrypted files belonging to other users.

Following some swift bath tap action I sent the information I had discovered to the software company. A developer there confirmed the truth in my claims and also claimed that they would be addressed.

I wrote a review. It was not very positive, largely because the usability of the software was dire. It did not even use system path variables, so it had C:\Windows hard-coded instead of %WinDir%. In itself that's not very interesting, but one of the features of the software was that it could also hide encrypted volumes. If you had installed Windows into C:\Win98 (for example) your hidden files would be unrecoverable. Not ideal.

The review also noted that there were some unspecified security issues that the company had promised to fix.

Windows FTP client: Public enemy #1
A week later the editor received a threat to sue me personally. It demanded to know what "illegal hacking tools" I had used to compromise the software. It denied any promises to fix the apparently non-existent problems.

I don't think that this software exists any more.

Weirdly (and ironically) the company's owner backed down and offered to submit an article to the same magazine about security. And that was the last we heard from him.