A Few Realities About Security Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
secresearcher at hushmail.com
Wed Jul 2 20:46:29 BST 2003
-----BEGIN PGP SIGNED MESSAGE-----
Reality. I have a critical vulnerability with Microsoft right now. Only
their people and myself - and a few other researchers at my company -
know about it. This affects every Windows OS across the board. You can
be with the US government... or with Saudi Arabia's government -- if
you use Windows, I can hack your system.
Microsoft should give me a badge saying, "This man has the right to know
about a backdoor in Windows OS bigger than what the NSA could ever hope
to have." They should put on the front page of their website my picture,
saying, "While we fix this bug, this man knows how to get into your
But, nobody ever thinks about this.
The media doesn't understand this angle.
Perhaps no one should. I am trustworthy. You can trust me not to tell
anyone the specifics of these bugs. Not even my best friends. Not even
my wife. For three months - the minimum amount of time Microsoft has
taken to fix my bugs - nor for six months... the longest they have taken.
Yes, though diplomats and bank executives are always prone to my critical
bugs... I won't ever use my bugs on you.
I don't get paid too much, but luckily for you I am a solid American,
a good Christian.
I am a professional. I have seen top military advisors blurt out secrets
in Vanity Fair -- but, me, I know all about keeping secrets. I think
these guys are amateurs.
I am not telling you where I work, what bugs I find, or anything of this
nature. I know this. Because, I am a professional. I have great experience
with secrets. I respect secrets.
I also realize readers will understand my sarcasm here. Yes, everything
I have said is true. Indeed, only someone like me would be so astounded
that Microsoft so trusts me -- because they do not know me. And, what
about every other security researcher and every other security company?
I read about how guys in the security industry get various rights to
handle varying degrees of classified material. Yet, I know that the security
bugs I deal with - security bugs my co-workers deal with - these things
could be used to hack into any system anywhere. Heck, the government
itself should finance us, if only to ensure we could afford the kind
of physical and network security we should have here -- massive metal
doors, security cameras, on-premises security guards, counter-surveillance
teams, etc, etc.
What if terrorists broke in and got our archive of zero day? What if
North Korea did this? What if Cuba did this? What if the Russian mafia
People that don't find critical security bugs in 100 million plus systems
don't think on this. People that do, do do this. Even those that are
less politically aware than myself.
Now, what if someone with more loose lips disclosed such a bug on IRC?
What if they told a hacker friend who had an issue with who knows what
government or company and did some worm?
Schmidt was absolutely right (and it is our advice he listened to) --
zero day viruses are a massive threat. We have been going on borrowed
Understand, these renegade virus writers that have also been able to
find zero day are not the top of the line people. They are the first
of an emerging breed of attackers.
Finding serious security vulnerabilities in 100 million plus systems
may not be getting easier -- but more and more people are learning how
to do this. Combining that knowledge with the ability to code a nasty
worm or trojan may not be getting easier -- but sooner or later, you
will find rogue nations, corporations, and organized crime capable of
We do not get paid very much. Not every security researcher has such
morals as I do, nor as my co-workers do. Talent and morals do not always
go hand in hand.
Applications which truly protect against zero day are extremely rare.
Systrace does this effectively -- but how many admins use this, how many
use it effectively? SecureEXE, how many use this? Entercept? Trivial
to get around. Firewalls like Zone Alarm which attempt to do proper application
gating that protects against unknown trojans based on the same kinds
of concepts as systrace uses? These are trivial to get around.
Zone Labs recently replied that these attacks are not trivial. They are
correct, only in the sense that they assume one person won't make the
trojan and another use it. It only requires one public release -- and
a bunch of script kiddies hex editing it so it bypasses signature based
AV for a problem to result.
Much of these problems are due to incompetence, poor funding, and security
companies that mislead the public. Poor funding is probably the biggest
problem. We security researchers get little respect. Look on monster.com
or dice.com for how many companies are hiring security researchers? Security
enabled QA people? It is dismal.
If you want to get a job -- get your CISSP and play dumb. If you want
to find companies hiring for code reviewers? Forget about it. Not happening.
This does not mean I support the wannabe "black hats" posting here, debating
on IRC, playing stupid poseur games. That whole scene is fake, a pose.
It is disgusting. These guys don't know a "black hat" from the tooth
No, "black hats" hack for money. People should realize this. Law enforcement
realize that people are generally bad -- but law enforcement personnel
of any caliber are far removed from computer security.
Indeed, there is no law enforcement branch for the Internet. You get
hacked, it has to be over multiple thousands of dollars of damage, then
the FBI might be interested. The FBI. That is like using a sledgehammer
to type on your keyboard. They are underfunded, under experienced, undermanned
for such tasks.
If you see a lot of busts -- that is high profile gimmickery. It is a
sham. It makes law makers blind to the realities. It is as unjust as
the fact that RICO laws weren't used against the Mafia for over a decade.
It is as unjust as the fact that Hoover claimed for decades "there is
And, let's not even contemplate the rest of the world.
Hopefully, this little speech was enlightening to some people. Some,
I am sure, will be arrogant and not believe it. Such people have the
reasoning faculties of a child. Not surprising, since it is extremely
rare that security researchers actually read books on subjects other
than on security. Look at slashdot comments. They are morons outside
of tech issues (indeed, most are morons even inside tech issues).
Anonymous Security Researcher
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
-----END PGP SIGNATURE-----
Full-Disclosure is hosted and sponsored by Secunia.