Verizon dubs sec researchers 'narcissistic vulnerability pimps'

NVP

Anyone can use the phrase "Narcissistic Vulnerability Pimp" is definitely someone who for example would get caught out by putting unchecked buffers on the stack.

I call sour grapes on this one.

So, anyone who doesn't accept what they are given...

...at face value, and is grateful for it, is narcissistic, I suppose. Lets, for instance, apply this to politics. I will accept what the currently empowered establishment tells me, and trust that if there are any flaws in the system, they will quietly sort them out without ever having to cause me any worry or concern whatsoever. To do otherwise would be merely attention seeking.

Methinks somebody just had a lot of work laid wide open by the observation of a fairly critical vulnerability, and isn't very happy.

Intelligence Unit, eh?

So we have an "official" blog post from some outfit called "Verizon's Risk Intelligence unit" (probably the same unit that passed phone records to the NSA under the table) smearing people but the author prefers to stay "unnamed"?

Have old GOP "operators" found a new home?

... and have you seen the security of the physical locks?

It's a joke, plain and simple. Most locks are still bumpable (google for lock bumping, it's great fun), and most of the locks can be opened relatively easy by almost anyone with a bit of training. So, comparing computer security (which is able to stop a lot of bad people for most of the time) and physical locks (who stop mostly people who aren't trying to break in) is a bit apples and oranges.

And yes, blaming the messenger isn't the best idea. Insulting them might even make some people happier just to release what they have found, instead of doing any kind of the "responsible disclosure". Not that Verizon are known for being able to think, anyway.

Partial Credit

He got the "self-glorification and self-gratification" part right, but the "harms business and society by irresponsibly disclosing information that makes things less secure" part is dangerously wrong. The harm is caused by faulty systems, and a lack of responsiveness is repairing the faults when they are identified.

'Vulnerability pimps'

Well yes, security researchers are. The ones that have a legitimate claim to the title "Security Researcher" bring the vulnerability information first to the company that makes the vulnerable software. Here's where things get tricky. As a software company, you are supposed to:

A) PAY THE RESEARCHER FOR FINDING AN ISSUE IN YOUR SOFTWARE

B) PATCH THE HOLE. (Perhaps by getting the assistance of the researcher.)

If you simply ignore the information about the vulnerability, then why shouldn't that researcher release the information publicly? You obviously don't care enough to support independent analysis of your software, nor do you care enough to patch it. This means that you are then a liability to your customers, and they deserve to be informed. This is no different than the current movement by regular citizens to demand that the governments of the world put into place laws that reveal when security breeches occur which would have left personally identifiable information vulnerable.

If you are unwilling to put the time, effort and money into your products to secure them yourselves then you deserve to go out of business: your products are a liability to those who use them.

Security Researchers shouldn’t just be paid for their work; their work should be funded by a coalition of all software development companies, and managed by an industry organisation. Companies and individuals should have to get a licence to be allowed to release code into the wild, that licence fee should scale to the size of the project, number of customers and the amount of personal information that code can potentially put at risk. (You pay a fee each year to register your car, and periodically to renew your driver's license, I see this as little different.) That money should go to the aforementioned industry organisation as a means of creating a "bounty pool" for security researchers. This then would be guaranteed funding for them, incentive for them to continue, and would mean that legitimate researchers would be registered with the industry association. These people would have their “white hats” firmly in place. ("Rogue" researchers would thus be firmly into “grey hat” territory and could be thus legitimately hunted. “Black hats” wouldn’t bother disclosing anything publicly to begin with.)

This would have the added bonus of ensuring that the information discovered by these researchers would have to be disclosed to the industry organisation, and all companies would have a minimum time to respond before the organisation itself published that information. The timeframe available would be shorter based on the seriousness of the bug.

Don’t try turning white hats into criminals. White hats are the only defence you have against black hats.

That's excellent

So what he's saying is that the only reason security through obscurity doesn't work is because those dang white hat hackers go telling everyone about the vulns?

Golly gosh darn it, that explains everything!

Except for, oh, the way the vulnerability exists (and will be found by those with malicious intent) regardless of whether white hats report them or not. But no, clearly this is an information flow problem and not a security/software patching procedural issue.

Sauce for the gander

Of course this is the same guy who (in last autumn's ICSA report on security products) berated the developers of security products for failing to "think like attackers".

Super-Drone

I guess only a telecoms company can employ this kind of Pointy-Haired Drone. The issue at hand is researchers informing software companies about flaws in their products and being ignored. Only then they disclose to the public, because the software company is a lazy bunch of bastards.

From my own job experience in a Financial Software company I can tell you more than one nice story. One of them is this: A brokerage/banking system that was based on BTX session was to be converted to a browser-based system. After having logged in, the next request from the browser must of course again find "his" session. This is handled by a session id. Problem is of course that this session id could be faked by a malicious user. The developers see the issue and invent an additional Session Password, which is generated by the rand(5) function.

rand(5) is a rather bad random number generator, especially because you can use output(N) to calculate output(N+1),output(N+2),output(N+3) and so on.

I reported this issue to management, who did at first not understand. Then they decided to use a better random number generator for FUTURE projects. The current ones were too expensive to change.

This company was a major supplier to German and British banks at that time and prided themselves about their "Security" competence. Fortunately they are no bankrupt

I suppose...

...he also doesn't want Grey's Anatomy published, as it tells the reader where the most vulnerable portions of the human body are located.

One could think of dozens of similar examples. Suffice it to say that the researchers - sorry, narcissistic vulnerability pimps - are not creating the vulnerabilities about which they warn consumers. Their actions are no different than those of a product-testing group which warns consumers of a top-heavy vehicle's propensity for rolling over. I guess if this guy worked for Toyota, he'd be suing the NTSB for warning customers about the dangerous failures in that company's designs.

Is this a joke?

Dear Verizon, I hope your joking. In future you can expect no forthcoming announcements or early bird warnings and we hope all of your customer base realizes the true criminals are the ones who demonize the people who bring to light the failings and shortcomings of those PAID to protect them. I will personally spend the rest of my life hunting down every single mistake in your softwares that are distributed to the public, only I will sell them instead of tipping you off - for free, and at great expense to myself. F*ck you.

Well I guess that would make the late Gallileo Galilei

a narcissistic heliocentrism pimp?

and Newton, a mack-daddy in the "what goes up" department?

the Curies, two players on the radioisotope field....

Darwin, just a pimp with a stroll in the Galapagos....

and the Jabberwocky, the next emperor of the known world.

I hope Verizon R&D will wise up and mind their supposedly professional manners, already.

Security costs companies $$$

Damn it, don't you realize how hard it is to meet your bare requirements (like code even compiles) when you please your finance department and outsource everything to a 3rd rate shop in India? And now the ungrateful unwashed masses expect the code to not only work but be secure besides? What the commoners don't understand is how fixing security holes and preventing them in first place takes boat loads of cash. Cash I could be reporting as profits and increasing my sick stock options. Damn it us executives are hurting too. Last year I couldn't even afford a new yacht or home in Monaco. So STFU you rabble rouser security people, what the sheeple don't know may not hurt them (and if it does our lawyers will blame someone else) but it will hurt our profits if you don't keep your traps shut.

Sincerely,

Verizon and most other fortune 500 CIOs

@Richard IV

The guy you quote is an equally idiotic man who works for "CSOONLINE" - the C*Os are exactly the problem. Also its from that crap-journo company IDG.

The author states that 99 % of users were more concerned about features anyway, so all this "security issues" talk is surely just a nuisance. Exactly the crap that these clueless "top" managers have told him. He is also making it up as if the whitehats were the source of zero-days exploits - as if the blackhats never discover a security issue.

I worked in more than one software company as a development engineer, including a financial software company who prided themselves in their "security" competence. There was absolutely ZERO determination to deliver good code and to fix problems that were discovered. We had lazy developers doing "copy-paste" programming instead of creating a procedure. The "CTO" even suggested we should not provide bug fixes at all and instead make customers upgrade to a (totally incompatible) later version. Which was not feasible as customers had tons of code written to interface with our old software.

In a rush to "use XML" we converted a totally functional and well-readable config file structure into a hairball of XML. For which we needed to develop a GUI to edit. All at great cost (both GUI and core product changes) and new bug, of course.

Fortunately this company went tits-up in 2001...

Most managers are less than indifferent to security issues - all they want is to ship as many features as early as possible. And change everything early and often.

@Jlocke

Cite yes, because gosh - the same phrase was used - and I was pointing out the phrase wasn't even original, no matter how picaresque it is.

Agree with, mostly not actually - personally I'm in favour of default disclosure and some independent timing mechanism that doesn't depend on corporate vested interests OR the ego of a researcher.

I should point out that even managers have the occasional good idea (Disclaimer: I'm not one, nor do I want to be one). Balls of "XML", err XML tags containing only CDATA, are definitely not one of them though. I've had to wrestle one into submission without the aid of a safety net for, guess what, security competence...

Let me know when you're done on the straw URL, it might have some life in it yet.

"Hacking" Oracle

I am not sure it still works, but ca 1997 I could bring down Oracle simply by doing

telnet oraserver 1381

and typing some random characters.

Now talk of Nasty Whitehat Hacking The Good Oracle Database Server. Punish ! Send to Guantamo for Ziber Terroizm !!

Recently, MS discovered more than 1000 (!) bugs in Office just by randomly modifying the input files ("fuzzing"). How many more can be exploited by analyzing the program code ??