Sunday, May 10, 2020

Repost - UPnP unplug and pray? HD Moore the court is in session!

I’ve been thinking about how HD Moore managed the UPnP issue. How do you think the court of public opinion will judge it?
Imagine this:
Judge: Welcome to the court of public opinion for this hearing on whether responsible disclosure practices were undertaken during the release of a white paper on UPnP vulnerabilities. First, we shall hear from the plaintiff.
Plaintiff: HD Moore, you are brought here for the crimes of grep'ing open source code, hyping years-old vulnerabilities in software to shill commercial vulnerability assessment software, and not conducting a coordinated disclosure and fix campaign like Saint Dan Kaminsky with that DNS bug. A fix was only released for one of the SDKs on 29/1/2013, the day of the blog post announcing the research, and there are still fixes pending for other reported issues. This sets the scene for an incident similar to the SQL Slammer worm, with attackers reverse engineering the source code and developing an exploit. We call for scorn and derision.
Judge: Some fair points, over to the counsel for the defendant.
Defendant: Your honour, HD Moore has brought much-needed attention to a critical vulnerability affecting home users and small businesses not able to afford access to top-notch security researchers. He has helped arrange a fix with the developer of the vulnerable software development kit before release of the research. His employer has provided free software for identifying the vulnerability and a web page for checking if your internet router is vulnerable, and hence is not ransoming organisations by requiring them to buy his vulnerability assessment software. He can't be expected to liaise with the hundreds of consumer hardware manufacturers utilising open source software, some of which don't even speak his language. He has sat on these vulnerabilities with one vendor since 2008. In summation, HD's a good Samaritan. You shouldn’t persecute him.
Judge: My judgement is that HD Moore, you have jumped the gun on the release of this research.
1. Check your router for UPnP Vulnerability - http://upnp-check.rapid7.com/
2. UPnP vulnerability whitepaper available at: https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
3. libupnp project http://pupnp.sourceforge.net/
4. miniUPnP project http://miniupnp.free.fr/
