sadly
there doesn't appear to be a law against distributing shit code.
A German software company has threatened legal action against a security researcher who privately reported a critical vulnerability in one of its programs, Dark Reading reports. Legal goons from Magix AG sent a nasty gram to a researcher who goes by “Acidgen” after he reported the stack buffer overflow in the company's Music …
It's this type of nonsense from companies and iLawyers that gets them in the sights of the less than ethical hackers.
If it was me, I would go ahead and get the details of the vulnerability on every website I could find. I don't think you are obliged to hold off publishing until it's fixed, but they would soon learn not to bite the hand that's trying to help...
Despite his good intentions, he gave their lawyers enough to work on to form a twisted view of his intentions, such that a case may be viable. However, if it came to trial then it should become pretty obvious that there is no case to answer, and that the company concerned are truly a bunch of twats.
"According to the report, Acidgen alerted Magix representatives to the bug in several emails that also included proof-of-concept code that forced the Windows calculator to open, indicating the flaw could be exploited to execute malicious code on a victim's computer."
He could have opened something a little *less* malicious than Windows Calculator, just for demonstration purposes. No wonder they unleashed the lawyers.
Now that they know there is a problem and have stupidly acknowledged this via their actions, I can imagine them getting into trouble for continuing to sell the product. They would knowingly be selling a defective product, and AFAIK that's illegal in almost any country under consumer laws.
OTOH, that has never stopped the sale of Windows, so maybe not...
Security researcher discovers software flaw.
Security researcher warns author of said software.
Security researcher does all the work and offers a fix for free.
Software company threatens to sue for extortion and in doing so damages its company image, looks massively ungrateful and creates a Barbra Streisand effect the company may not recover from.
If any software I used did this I wouldn't reward their behaviour by staying with them.
It's unfair and potentially dangerous for their users/customers.
This is a talented guy, you should be grateful to! I think the CEO of this company should literally kiss the security researcher's ass as a gesture. If he suggested ways, that means HE IS GIVING YOU THE ANSWER, you _fuckwits_!
It is possible that this was all a genuine misunderstanding, I suppose. i.e. it's conceivable that these lawyers were a little bit stupid. If this is the case, I truly hope that this article at least shames Magix AG into issuing an apology to this researcher.
"WHY WOULD HE DO THIS?" I hear the dumb Magix AG directors saying. It's so that once you fix the flaw (using your in-house coders), he gets to brag about it on his CV. This means he is more likely to land a consultancy job at a major organisation.
How the great IT populace as a whole benefits if this person reveals details on how to exploit a vulnerability?
Even if a patch has been released, how much time is he giving the universe to apply the patch?
Some of us have better things to do than have to apply patches a nanosecond after they're released... by unveiling the details of a vulnerability, he is in effect forcing every BOFH to have to snap to every time one of a gazillion vendors releases a patch.
Oh by the way, did I mention applying patches comes with its own set of perils to system stability? The vast bulk of system outages are the result of change-induced incidents. Bad patches, or good patches incorrectly applied, or patches that for whatever reason are in conflict with your particular configuration.
Yeah, let's have to do them all daily, or even better one at a time as they come out because Clem Kadiddlehopper is going to release the details of how to exploit!
This a-hole should have his pubic hairs pulled from his scrotum one at a time.
How about you re-read TFA, for comprehension this time, instead?
Re: the rest of your rant ... As a sysadmin, I review, evaluate and apply patches as required for the software running on the systems under my control. If I get sixteen patches in for ten different pieces of software on the same day, I grit my teeth & get on with it. It's been that way since the year dot, and I don't see it changing any time soon. It's a part of running large, complex systems.
But that's OK, AC. You can always switch to Microsoft-only products, and only have to apply patches on patch Tuesday, once a month, regardless of how critical the bug(s). Doesn't that make you feel better? ::patpatpat::
I assume if the car you drive is recalled for replacement of defective brakes that can fail at any time, you will be all "Meh, I don't have time this month, maybe next month if I feel like it." It is called 'maintenance' and all complex systems need it.
You all must be running small shops without mission critical applications.
If you have thousands of servers, running almost every operating system ever invented (NT, Wintel, AIX, Sun, AS/400, z/OS, z/Linux, Linux, Tandem OS, VMS, etc. etc) you cannot one-off your patches. You have a patch cycle, with negotiated outages with the business, that you follow.
Complex systems my ass! I'll stack the complexity of the environment I have to deal with with anybody else's any day of the week, and complexity is indeed the problem and why a carefully designed patch cycle is key to stability.
If you have mission-critical systems (in my case hospital systems) you cannot throw patches into production without testing, unless there truly truly is a vulnerability. You also cannot throw patches on unless you have a pre-negotiated window (hint, hospitals run 24X7) or arrange for one based upon special need.
You cannot patch 20,000+ systems in a heterogenous system every week. You can't even do it every month.
You DO have to apply critical patches as they come out, but critical is a judgement call of impact and likelihood.
This yahoo is threatening to increase the likelihood of what he discovered being released in the wild, thanks to his apparent willingness to divulge details. This increases the overall urgency of applying patches, which disrupts a planned patch cycle and adds unnecessary risk.
To what end?
For what purpose?
All I can see is to stroke his ego and to build his resume.
Argument from authority doesn't work around here, and generally makes the arguer look silly.
How many OSes does this particular buggy software run on?
Your "heterogenous"(sic) systems are not my issue. Bad planning on your company's part doth not make me give a shit about your company's bad planning. And again, said insecure software doesn't even come close to running on half the OSes you cite.
One wonders why said AC allows "critical hospital systems" to be accessed from public networks in the first place. The mind boggles.
And one also wonders why said AC seems to believe that "planned patch cycles" relate one-to-one on critical software bugs.
Also, the AC seems to be intentionally ignoring the fact that the security researcher kept the central issue to back-channels, didn't go public, and from all accounts didn't intend to go public until after the problem was fixed.
AC seems to be entirely confused. Or perhaps a trifle too shrill ... Mayhap it has an investment in the small German company with obviously real security problems who seems to think that throwing lawyers at the problem, instead of programmers, is a good idea?
Or perhaps said AC is actually a shill for said company. Which would be my guess.
At least the AC is an anonymous coward, and not trying to stroke its own ego ... I'm not certain if that's a plus or a minus ;-)
"from all accounts didn't intend to go public until after the problem was fixed",
Yes but....
Fixed how, when and where? By vendor issuing a patch? That doesn't fix anything. Nothing is fixed until all the users of the software have applied the patch. How much lead time is he giving people? Is he going to wait a day, a week, a month, a year?
The issue here is not this particular example, the issue is the principle.
I'm still waiting for someone to explain to me how the IT world in general benefits from him RELEASING THE DETAILS! Not finding and reporting the bug, that was not, is not, and never was the issue. The issue is he said he would release the details. WHY?
I'm not going to argue my shop doesn't have issues; but when a company is built by acquiring over time various other companies, has a history of weak central IT control (since corrected), has multiple lines of business spread across even more operating regions, all with some degree of autonomy (ever try telling a doctor "no"?), you're going to have some "legacy issues". Shit happens. What I don't need is people making things more difficult than they need to be.
And yes, our servers are behind appropriate multi-layer firewalls, but then you have things like USB drives, people with laptops who connect on public internets at home or while traveling, then come to work the next day and log in: so various nasties WILL wind up on your internal networks, firewalls aside. May not be an attack vector in this case, but we're talking principle here.
And yes, I know the difference between responding to a virus outbreak and proactive patching; just in case you wanted to go down that path. This issue is about proactive patching, and whether or not you can control the number of critical out-of-cycle patches you need to apply due to heightened exposure.
Then you have the auditors who want to know if you're good with HIPAA, SOX, PCI, and many other legal restrictions; all of which impose various security/vulnerability requirements on us. Doesn't matter if a server is directly visible to the external internet or not.... and you should know that if you really have to maintain a significant server farm in a large business venture that includes personally identifiable information, or financial information, or credit card information, or health care information. Ask Sony about this concept someday.
So you end up having to patch EVERY vulnerability on EVERY server it could possibly apply to, because proving to an auditor that there is no theoretical attack vector due to firewalls and/or network segregation is more work than just patching things. Plus, you could be wrong.
So one more time:
How does DIVULGING DETAILS, not finding and reporting, benefit the greater IT community?
I'm OK with everybody telling me I'm full of shit if they would address my question, but nobody HAS yet addressed my original question: Why is divulging the details a good thing for US?
Yeah yeah yeah, good on him for finding and reporting... give him a merit badge, pay him a finder's fee, write him a letter of recommendation, let him put it on his résumé.
What is the upside for us when he divulges attack details?
Anybody?
And no, not German; US.
Not sofware company; Health Care (did work for a US software company in the 80s).
Don't even run this software, could care less one way or the other.
I just think this guy (and others who behave similarly, as this seems to be a standard modus operandi in the 'white hat' community) do us no service by releasing 'how to' info, as he has no way of knowing how many users have completed applying the fix, and THEIR TIMETABLE IS NONE OF HIS BUSINESS.
Shrill? You bet. I just don't understand why the rest of you aren't also pissed off, so I must be missing something... so tell me please: what is the upside to ME of him divulging details? 'Cause I for sure can see the downside.
Last post on this, promise.
What are the benefits to the public of releasing the details of this hack?
1. Sysadmins running this software on their systems can experiment with and test the vuln to ensure that the patch actually works and their systems are now secured;
2. Programmers and software engineers in related areas can examine their own code to see if a similar vuln exists in their systems;
3. A person with effective skills at finding vulns can put the result on his CV, enabling him to get jobs where he can find other vulns and rectify them before they cause real damage, for example in your hospital systems.
There are reasons why you make such findings public. Those reasons have much to do with a component of standard scientific method commonly known as "peer review".
Easy to understand if you think a bit about it....let me ask you a little question...do you truly believe only "white hats" discover bugs?
If not exposed, it could mean that it will be neither fixed nor checked on the rest of the code (a different part might have the same issue)... so it is nice to have someone cleaning up the zero day vulnerabilities... even if you have to work a bit to make your system stable.
I have no problem with him finding bugs. I applaud him for finding and reporting them. That's not the issue. That's not why the company threatened him.
I have a problem with him publishing to the world at large how the exploit works.
This assists any number of black hats in developing attacks. It increases astronomically the number of people who are aware that a vulnerability exists, and tells them how to exploit it. It shortens the window of time people have to apply patches before an exploit hits them.
Yes, perhaps someone else would have stumbled upon it, but divulging details is irresponsible and serves no purpose to the IT community at large.
Since you're a customer, why not ask Magix's sales people and even the CEO (or is it the Managing Director in Germany?) for their responses to the allegations and comments raised in this article? How they respond should be educational, and deserving of being a part of future buying decisions.
for following the so-called "responsible disclosure" procedures. He should have just released his research straight up.
"Somebody explain to me.... How the great IT populace as a whole benefits if this person reveals details on how to exploit a vulnerability?"
No, I will not. If you believe withholding information is a good idea I won't convince you otherwise. You are wrong though.
I think it may be a good idea to send the email with only a link to the information, with a 'shrink wrap' statement that by clicking on the link, the recipient agrees to abide by the laws of <insert non-German country>, etc. Also the linked info should obviously not be on a server in Germany.
Can somebody explain to me how we are better off without Thalidomide - some goody-goody reporters try and make a name for themselves by reporting a few problems with a drug and we suddenly have to run around finding a replacement.
I mean does everybody really need arms anyway?
Ironically, the medical profession is fighting to allow Thalidomide to be used again - it's a very useful drug.
Doctors have now discovered a large part of the population who are unlikely to suffer any pregnancy related side effects..