allanhardy wrote:
However upon research and hearing how you have handled the warnings about this over the past month, and handled howdark in general, I am left asking if you all feel you have the right policies and procedures in place? Have you learned anything from this? Your tactics against Howdark seem petty and foolish, at least in hindsight. Of course I do not have a full picture.
Indeed you don't ... so accusing us in any way, shape or form is not exactly clever now is it? Shall we review what happened? Yes, let's do that ...
On the 21st of September someone calling themselves "jessbunny" filed a report noting a potential hole in the highlighting code in viewtopic.php. They stated they could not see any way to actively exploit this. Acyd Burn followed up this report, and upon investigation similarly concluded there was no apparent way to take advantage of it. The "exploit" was therefore given a low priority and a fix set in place for a future release.
Following this I was contacted by PM by "jessbunny". She wrote the following:
Because of the way my security group is being laid out, we want to make sure we get credits for submitting them, not because we want fame and glory, just because we want to keep it open that we were the actual ones who found them, and helped support phpBB. (sounds sort of contradicting, but it's just the way we decided on it).
If on agreement, we are also going to make sure you put out a patch, before we release it out on our security site
We encourage the use of spreading knowledge.
If met under these terms, we will make sure you are first to hear, since we are really in the mood to break down phpbb into parts and help fix everything piece by piece.
Thanks<3! This would work especially well if you could chat with me on AIM.
For our group leader: Brett (emu so emo)
me: My nightindreams.
Now smack me over the head with a hammer but I, and indeed others were not terribly impressed by how that was phrased ... it sounds very much like a pre-condition "You promise to do X, and we'll inform you". Crikey, in some places it could be deemed blackmail. I responded to that with text which included the following:
Let me start by saying that I very strongly believe it's the responsibility of anyone finding a vulnerability in any application to first submit that to the authors of the relevant software ... no if's, no but's, no maybe's and certainly no pre-conditions. To not submit an issue and give vendors a reasonable opportunity to correct it puts untold numbers of people at risk.
<snip nothing of great importance to this topic>
We here take all such submissions seriously and release updated versions as deemed necessary. Not all "vulnerabilities" are vulnerabilities, not all require immediate patching, etc. etc. Equally we note in the changelog the names of those who submit issues to us ... however it is my strongly held opinion that people should not submit issues just to "associate" their name with an application. I've submitted issues with other software to the relevant authors before and I have never expected recognition for it. IMO it's a case of doing what's right.
We request all security related issues be submitted to our tracker. That way the development "group" can respond appropriately. This ensures a "written" record of any problems, eliminating issues we've had in the past where people claimed to submit issues when in fact they hadn't. Equally it allows responses not just by myself but by others in that group.
I hope that answers your questions.
jessbunny replied with:
I agree, but I also agree credit deserves to be where credit is due. I didn't sit in front of your software for days for no reason. I'm here to make phpBB better and safer. To work faster than the people who try to abuse it.
I don't really see it a responsibility though. I'm actually more, if anything, disappointed in what I've seen after scrolling through these files. There are numerous areas only protected by sheer luck of intval, also tons of sloppy spelling mistakes.
And don't even get me started on the email scripts. Did you guys forget about those years ago?
I guess we'll just see how things work out.
Now again, smack me silly but that last line is rather "questionable" wouldn't you say?
Again, I responded with the following:
Hi,
Without wishing to start a flamewar here ... "Tons of sloppy spelling mistakes" ... come on, have you read your own PMs to me? If you say "you spelled authorization" incorrectly I'll scream
As for "luck of intval" ... it's called variable casting. Now it's very true to say we didn't do enough of this in 2.0.0 and upon problems being found by ourselves or others we've addressed them. Equally in 2.2.x we've centralised the setting of vars to better ensure they do not contain data they shouldn't. Ensuring parameters/variables contain the relevant type is one of the basic things you can do to reduce or eliminate injection and remote script execution problems.
As for "responsibility", sorry as I note, IMO it's very much a responsibility. If you lost your house keys would you like:
a) Whoever found them to pin them to your front door with a note saying "These keys belong to this house", or
b) Whoever found your keys to personally hand them to you and give you a chance to change the locks?
I'll go with b). Posting vulnerabilities in software into the public domain before informing the authors is the same as a) IMO
Finally, as I said, we note the names of those who inform us of vulnerabilities before releasing the info publicly (we don't include the names of those who didn't bother informing us or who informed us after releasing the info). But I say again, that shouldn't be motivation for deciding whether or not to inform the software authors. Such submissions should be viewed IMO as being "I did something useful".
Don't get me wrong, we appreciate submissions to our security tracker. But I must admit to being a little disappointed in your "need for pre-conditions" ... IMO someone either wants to "help" by submitting issues or they don't. To place "pre-conditions" on it rather goes against the idea of "helping" IMHO.
Thanks
jessbunny responded with:
My original idea for getting them wasn't for helping, I thought I could eventually just help out and give them to you, because I do have ethics and a stance of basic morality in the computer world.
I went through hell staring at the code. There's a difference from someone finding a key by mistake, or someone looking damn well hard for that key. I would happily hand over the key, I didn't think a little note would be such a big deal.
As for sloppy spelling mistakes, apparently you didn't see that I was pointing it out in your software, not my private message, but thanks.
But you're right, this is a useless waste of my time.
Sorry for my 'pre-conditions!'
The exchange ended ... I said nothing more, we received nothing more.
Now, do tell me all, where was I rude in this exchange? Where did I "harass" (as another member of "howdark.com" claimed) her?
We move on ... the day before yesterday a post was sent to bugtraq noting a hole in phpBT, a bug tracking app. This app was not written by us, we have absolutely nothing to do with it. All we do is use it like a great many other people. The person posting this exploit however chose to give proof of concept by linking to _our_ bug tracker, see
http://msgs.securepoint.com/cgi-bin/get ... 1/151.html This was an outrageous act, we obviously were not informed of this at all before said post appeared. Due to this our site was attacked and defaced. We logged the intrusion and from that a post was sent to the ISP in whose netblock that address was contained ... standard practice. That IP was also banned on our forums and soon after on the server level (along with several other IPs all of which were attempting to gain access to our system).
One "jess" (ring any bells?) subsequently appeared on IRC with a hostmask containing the same IP as one of those implicated in attacking our site. She apparently (I wasn't online at the time to see this but it was logged by other team members) pointed to a folder on the howdark site which contained image after image of screenshots of our board, hidden forums, the ACP, etc. Why would this person do that? hhhmmm. When I joined IRC "jess" wasn't online, when they did appear I kickbanned them ... again no shock there.
All went quiet ... then yesterday we were informed by another party (AFAIK unrelated to howdark) that the exec exploit was indeed serious and they provided suitable evidence of this (they could've phrased it a little less sarcastically but what the heck). We immediately started testing our provisional 2.0.11.
Today, the intended (and now actual) release of 2.0.11 we discovered howdark.com were complaining about being contacted by their ISP ... now, let's examine this shall we? We contacted the ISP whose netblock contained an IP address clearly implicated in attacking our site ... we had no idea it was howdark.com, yet the ISP (Road Runner) clearly tied the IP we provided to their RADIUS/DHCP logs and contacted the relevant person. Now, combine this with the IRC hostmask which matched that IP, the fact this user was obviously involved with howdark.com ... and what do you get? Now that site has released proof of concept information, giving explicit detail on how to utilise an exploit to do damage. They should be careful in doing that ... noting an exploit is one thing, handing out pieces of code which can be used to actively do damage is quite another.
So tell me, do you think we were incorrect in our actions? Do you think we should've sat back and allowed someone to attack our site (we had no idea at the time who, as I've already stated)? Do you think we dealt with howdark.com badly? I think not ... I think the problem here has been howdark.com. I should add that someone else claiming to be with howdark.com joined our IRC channel recently, first they demanded an apology for us harassing jessbunny ... we had no proof, how dare we. By the end of the discussion, following evidence as given above, this person had changed tune and was saying "Okay, I guess Jessica did fiddle with your server" ... game, set, match.