Thursday, December 3, 2015

NTIA Vulnerability Disclosure Loya Jirga Part Deux

Here we are, gathered in a circle to talk about vulnerability. 

So the NTIA meeting was livestreamed yesterday (and livetweeted) and also you could physically attend! I had good luck with a combination of the conference-call and video system they had, but I know other people did not.

But some of you in our community don't want to sit through the entire day of action packed livestream, or read my twitter feed. So I'm going to provide some perspective below.

First of all, there were a few "moments" that caught my eye during the day.

Wendy Nather (who works in the retail industry space) started the day off by stating that her group was interested in a way to tell extortionists, of whom they get a lot, apart from normal vulnerability researchers. I'm not sure this is as hard a problem as it sounds, since extortion is already illegal? I also don't know the scope or scale of this problem in the real world. In the financial industry Immunity has, in the past, gotten requests to look at a potential issue reported by an outsider, to validate it or to find it if not enough information was given about it. In some cases the original reporter was looking for a gig of some type (aka, leading to money), but to be honest these cases are not "extortion", and a "bug bounty" would likely have handled them better than any other solution, for nominal cost.

Keep in mind, it is literally impossible to prevent full-disclosure on the Internet. There's a genuine Multiverse of vulnerability disclosure possibilities, one of which is tell a vendor about something and then forget about it forever, and the rest are going to make every vendor in the room uncomfortable in some way.

Nevertheless, she said one thing I thought was interesting: "Is there anyone in the room who thinks there are no situations where you should sue vulnerability reporters?" And nobody raised their hands. I would have raised my hand, and not because I'm naturally contrarian, but because it seems obvious. Even in the past, when someone has hacked into an Immunity server and then told me how, my instinct was to thank them, not sue them (and then, of course, we removed that server from the Internet forever).

Some interesting statements were made towards the end of the day by Juniper's representative, who is much closer to the position of the big software houses (Oracle, for example) than a lot of the other speakers. In particular, he stated that he would "personally rail against any document" that was a proponent of bug bounties or of an open vulnerability marketplace.

Toyota, at the end, asked for a less publicly transparent forum, under the Chatham House Rule (which prohibits the attribution of statements made during a meeting). NTIA's process is fully transparent to the public, as they pointed out (to their credit), but DHS offered to host such a meeting.

And of course KatieM of Hacker0x1 (who is obviously a proponent of bug bounties) pointed out that although a lot of thought goes into "how long before a fix is made available should be acceptable", there are often cases where no fix will ever be made available, for various reasons. This was a theme of the day, as pointed out by KatieM and Art from US-CERT: whenever the details of any particular issue were discussed, reasonable people disagreed widely.

There's always a drumbeat theme from various parts of industry of "If only we could have Commerce sign off on what is GOOD and what is BAD behavior on the part of vulnerability disclosure" - and this, of course, is the clear and present danger I am hoping never happens.

Chances of it actually happening are low, despite a process in place to guide the "community" toward that point if it is at all possible. Most of the people are from West Coast software companies or the Government. There's the thought that "SOMETHING MUST BE DONE" which guides their actions, but that said, even after two grueling meetings there is still nothing even close to consensus on what that thing might be.

Keep in mind that these people are all extremely well-intentioned, but literally today I was proofreading a deliverable for a critical infrastructure company, and I know that for all the noise about the Internet of Things, the way loss of life happens in the critical infrastructure space is probably SQL Injection, just like in any other space. Stuxnet is the perfect example of this, if you look closely enough.

In other words, the thought that the "safety" space is somehow magically different, or more important, or more sensitive than, say, the financial space, is more marketing than science. I say this as someone who has hacked all those things. Although, to be fair, this again is one of those issues with wide disagreement.

In summary, there may be massive ancillary benefits to having all these companies all together in one place. The companies clearly would prefer that place to be in Silicon Valley. But it is still highly unlikely a "statement of principles" will be the final result.


This area reserved for various quotes and resources (unsorted):

Blog from Space Rogue (of Tenable) (either optimistic or super pessimistic, depending on your worldview):

Here you can see that Greg disagrees with me about the "Safety" industry being different.

Dino was basically the one "researcher" voice in the room, although obviously others have experience finding bugs.

The FDA is of course doing their thing. But this is pretty far out of range for their capability set (and in fact, maybe all roads lead to the NSA?)

There is palpable anger still at Charlie Miller and Chris for their car-hack-on-a-highway shenanigans.

The consequences most companies are worried about are "Their bottom line".

Important to note that FIRST was very active during this meeting and is of course doing a lot of work on multi-party vulnerability disclosure issues, as are many other people and groups. This is something that keeps coming up: every group on Earth is working on a methodology for disclosure.
