Security Researchers: Heroes or Vigilantes?

This is a touchy subject, especially for me. It is, however, one that I feel needs to be discussed. Michal Zalewski just put out an amazing announcement this weekend. He has created a new DOM fuzzer for testing web browsers, and has unsurprisingly turned up some interesting results. My first reaction to this is of course "Zalewski is the man!" I think this for a couple of reasons. Firstly, for creating this fuzzer. Secondly, for tracking the flaws through the complex space of web browsers. And finally, for releasing the tool for the rest of us wannabes to get our grubby little hands on.

It has taken very little time for the criticism to start trolling...*ahem* rolling in. I want to take a moment to discuss this article before we move on. The author posits that it is 'suspicious' that the posting mentions Webkit browsers without explicitly stating that this includes Safari and Chrome. The implication is that there is some impropriety on the part of Google, trying to downplay its own weakness. Let's take an alternative view for a second though.

So why is it fairly honest to say Webkit instead of Safari and Chrome? Chances are that the bug actually resides in the Webkit engine and is thus the responsibility of the Webkit project team to correct. To claim the bug as being a fault of either the Safari or Chrome development teams, in this scenario, would actually be less honest and unfair to those development teams. Furthermore, most people who are fans of Safari or Chrome already know that Webkit means their browser of choice. By the reverse of this it does not, however, make sense to specifically call out the other browsers by their rendering engines. Most people would have no idea what you mean if you told them there was a problem with the Trident Rendering Engine. Seeing as how it falls under the purview of the same company, it also does not accomplish anything to make such a distinction. So there is nothing underhanded about Mr. Zalewski saying Webkit instead of Chrome; he's just being factual.

Where I am really waiting for the other shoe to drop is from the Microsoft side of things. Microsoft was apparently advised of the issue 6 months ago, and did no follow-up. Zalewski then pinged them again in December, at which point they confirmed the vuln, and asked that he postpone release of the tool indefinitely. Zalewski refused since they failed to provide any good reason as to why they ignored the bug for 6 months. This all comes on the heels of Tavis Ormandy's HCP vuln fiasco. If you're not aware of the PR shit storm that resulted from that, go do some quick Google searches and you'll dig up plenty of vitriol and lots of opinions.

Here's where things get a little fuzzy. Zalewski and Ormandy both refused Microsoft's requests for non-disclosure. Zalewski has not fully disclosed the details of the vuln yet, but has released the tool, so it's probably only a matter of time. I will be interested to see if the same furor starts up again, or if we've gotten over it. The interesting bit comes from the sense of almost vigilantism in this sector. Note that in both of these cases the involved researchers released it on their own personal space and time. They are not acting, as far as I can tell, in an official capacity for Google in these matters. They are, however, making decisions on what to do with this information, and that gives them a power separate from the entities to whom it most directly applies.

Some people will make the case that this is not a good thing. That security researchers need to be reeled in a bit. Of course, Tavis Ormandy and Michal Zalewski are heroes to me, so I am very biased against this argument. I have to wonder, in fairness, does this argument have some merit? Do security researchers have more of an obligation to protect those we seek to help? Or is our obligation, in fact, to truth and the freedom of information? It is a perilous line between, I suspect. We must maintain some degree of professionalism and integrity, otherwise these companies cannot trust us or rely upon us. How do we define the lines of that trust, where do we determine where the trust is being violated by the other side, and what is the appropriate recourse for breaches of this trust? These are probably some of the hardest questions to answer in the information security field right now.

In the meantime, I continue with my assertion that Tavis Ormandy and Michal Zalewski are heroes, and deserving of my respect and admiration. Maybe that's a self-serving viewpoint. I don't have any firm answers.

