Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Security Disclosure Debate Erupts at Black Hat



 By: Ryan Naraine
2006-01-26
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Security Disclosure Debate Erupts at Black Hat
  2. ' Microsoft'

Rate This Article:
Poor Best
Security Disclosure Debate Erupts at Black Hat
( Page 1 of 2 )

News Analysis: Oracle reacts dismissively to an alert released by a British security researcher highlighting a zero-day hole in its product line, rekindling debate on the broken disclosure loop. Will it ever go away?

There was an uncharacteristic edge to David Litchfields voice when he took the stage at the Black Hat Federal Briefings in Arlington, Va., this week.

Five minutes into his presentation—which centered on an unpatched vulnerability in the Oracle PL/SQL Gateway—it was clear that Litchfield, a noted database security expert, had completely given up with trying to nudge Oracle into fixing a flaw he rates as "very, very serious."

"Its quite astonishing how backward they are in their approach to security," said Litchfield, co-founder of London, U.K.-based NGSS (Next Generation Security Software).

A few hours after Litchfield went public with a technical description of the flaw, including a blow-by-blow demonstration of ease in which an attack could occur, Oracle lashed back, accusing the British researcher of putting its customers at severe risk for selfish, irresponsible reasons.

Resource Library:

Duncan Harris, senior director of security assurance at Oracle, acknowledged receipt of Litchfields original warning three months ago and confirmed that some customers were at risk of SQL injection attacks.

"We have a policy where we fix bugs in severity order. This one wasnt fixed yet because we dont think its as severe as [Litchfield] thinks it is," Harris said in an interview with eWEEK.

"There is a big disconnect in terms of what Litchfield believes and what we know to be true."

Even as he downplayed the severity of the flaw, Harris said Litchfields decision to go the way of "irresponsible disclosure" was a "dangerous thing to do."

Click here to read more about an Oracle zero-day flaw announced at Black Hat.

"He has put out a workaround that is completely insufficient and inadequate. We cant endorse his workaround because it will break a number of Oracle products. He doesnt help anything with this irresponsible action," Harris said.

The tiff between Oracle and Litchfield rekindles an old, never-ending debate on the issue of responsible disclosure and underscores the need for an acceptable protocol for cooperation between independent researchers and software vendors, says Jeff Moss, founder and CEO of the popular hackers conference.

Moss himself became entangled in the debate last summer when former ISS (Internet Security Systems) researcher Michael Lynn quit his job on the spot to present the first example of exploit shellcode in Cisco IOS (Internetwork Operating System), a Black Hat presentation that landed him in legal hot water.

Six months later, Moss maintains that the security research disclosure loop is broken, and may never be fixed.

"Youve written this story before, and Im pretty sure youll be writing this story five years from now," he said in an interview with eWEEK moments after Litchfields presentation.

"If everyone plays right, the [disclosure] process works. But, there will always be the companies like Oracle who refuse to play by the rules," Moss said.

"Here we have the researcher spending all this time finding these flaws, and his only reward is public recognition for his work. Its free quality assurance for Oracle, but they dont see it that way. They see him as an irresponsible hacker and miss the bigger picture."

Read more here about the debate surrounding disclosure practices.

"On the other hand, Litchfield feels he is being taken advantage of. What else is he supposed to do? In his mind, Oracle is the irresponsible party. Hes doing free work for them and theyre dismissive. Thats a big, big problem in this industry," Moss added.

He said Oracles decision to publicly denounce the work of legitimate researchers only serves to push the discussion into the underground.

"You have two conversations going on. There are guys like Litchfield who find the problems and want to report them to the vendor. When Oracle talks about them being irresponsible, they arent talking about the organized crime groups who will never play nice. Thats the unfortunate thing."

Next Page: Microsoft: A good example?





  Reader Comments: Security Disclosure Debate Erupts at Black Hat
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r8qռFsw1E)%[r-y-%n"!c䒔}}AKbK@7F7?Ip4ô'1%3TI}"I~xh#(7`Z)rdxBԲ|WR #YĮtj55Gl$J~x#AT{j xL9uƜM}ٜi7'x2 Xm 8N0,,Z P8"˱h] \(~!c1 [tV;v T| pfL&;=aR!k4ً(qG/wȀYǽgF {.Q^Z∌,GZUX'[vb䅠1FE8 /5#wJ3q򿹓' jr'ӤRcfHÑc7PWw,ǃT*KTjQ3cmfZ35-3@ؾQ̀ ݢq#!_TBp`Vr̳X#vRpce[#]6e5]G~;mgE5'l,R"ۆ@ظ?0HO L"S9ˑ,kFp0閩mȺu{*Z+RP:<ߊWm8e/&Neם[޾yQ(Z(^ ? n84h;@ryMS! e H}qF5nxvtx/g@m&37`jLTV*bxd" P}jCG',BK>o Vs aQ-jR;֓,f3} 3+i3YN:AK~2u&u}Yf0R*CA-t?c;Szqsֺyt[>9]VcGV=Bg#j`Bmium_Zvn`KvO\/3Q&ںa#jCIɽEf;|jio]}8蜒$7SYn Z0dio,Ynws$b&Z|Y|ěy#0ri4(-ߦAf@7[@(k:YKS703h_]=w a4z@L5&:h)5?&F`Mab&DJH7R uR—U/(AM/- 5|*\($ٛ"G;z̈_"ʥgp1S{l.S4ipq ^oVW͉:]X]uUjZnE?´Tw9qn>\[{7ߵaUb}PhvZM]qsuTStTt >Jjj%xp _1p-~~j0B m] :V|y0`贎;mF_{g0HP? M/6G˥qn>5 @ L^a V835Cuӹݰ=Wԇ9[ϩ`I l"v|scм`yna23fC?F{7t$4,/{@`\@Z8`$8ʼE ]qksB7}ŜiL L<ģ\~q (~9-R;C/1tKt=JI ڂ"D% T h4A'EENNAww$]KI+\fD8nOu$]8g_%s㙰\J٣XB YX/_23CCɴX9{DMfT`B[ụDKak`FZ, ǪzXc&cS7a @ == 3ܴ ҄%Ll;ii`2Ґ(e`9ޟx=Fn;A뎒:\f335{00q}c] kjwtӴ٢͙iÂqjS9_Aa" eBC`9N{S^jkȓwL%~K{0s k2 'yvwj7uΙ_O#k[}7 |z[.z: %r% 5kb$T`CfL <yBN6{rkkFM'W.s1r@@-T%XScX`D~w Lzb8ufm/n$)`V|\uΖMkͲ{_No6zeXZ @)Ui,a70Ԣ(P|M$"!tsqͰ,C /0kQ@/ı``{sp9pJ.k1sM^^.V꺰'uBld>n 'L[az{>8`Tfha86-by;HyäcI_)~$[b"ud\6˰@e9ִ&3v,˹& zfd^0RҴ&gzQ4*$og+F#ްvSc'v5wDwHm [̜gbQIB=OB%)` L] T<5&y; 6. G\ //Pb% #PT1"&cYEǖ`TیЂ[|T=Oұ@%ЧCizi}~هF9#*!'HHo?ZDjZXZQrTU߬7cSO@H.ǡ3S翼;u 3}h1gSpHo(ڿ`3\uȕ`s|eLFմlxXa<,I+$#v.*'L)`Ճ{3O\PvSlfS "8&Ԗswq 5`EY=ޙ#ynR)brdLǖ8+ё,Xr*-Mޭ쮫F'F voS(0f4Ӣ-RxsRӲ+SJjH@Aܚ:{>z,LHT0ou 0-tq])TkE}VW7{%|h#Q j` Kx{ZCAm1۩w\܁c:P=H(Tg7gMEH]ac6U{z@n)Z-MӫU;4 OcIۛGojA-rF37=_`%to@șY%7Gj1m97a~"(Gcj9KXDOb+>A:+lmBs0X3f~5086 LB lhܕ[ c _?J}[L4@V1-0]̞̙A-mۨ*X9 6<`C"lγ>AqHlwBK`w*0&rR)Yd {259p\Semi[}O^-a,0r&n\☺|l'Ge7UVE GYdI.|akJZ<]q,g$ ,$(e,zǃx]!6p ^a?up-<9^K(4܈ xϰL'Vqc?3 cCWW_ZaqbE1 w܆cyJV~ZgZSq= Ϛb2{?RXn:)lHgŧ#<dzGzΠab>&λA&`}/{^i\/0C>Kn)XԼwmI6?pȾ>KU$(XM^4qߵ'^y {{l:w5a>h F)$ _9 Ky_>]Icr鶥dcxޕx\OcR{ru4+$Ey|hq0)MF" 0S׏5!麫?72l%һn9`\Rh5c5ɅH'“ &oDy4eZyy~ï-,d20! WktvcBXH\R ~tDӿh~Nlu؋^s  m D785C He*4Д+e3ѓ:MSo4 jGYkNEm펇{-~=prr(SJ%Q'i&.j5Kbģs/RJ<:x_GM{uS棏G ڝ9k3rİeݨ{25[tؗ_{vOKr<]1nglLgI"+W{U7}\8%ۗ dx|t21@7Yu (f~X;pGʠc㹭mfO]f+wP;_z͞YiYu/K\-"PnZ^|W%0.Ձ,0eRO˭^^'\/_zqؙj%':['M<K 585?rL(ZFSәi28IuY٥tKԖ]ZV'zPM= ]Lv̏VKu/iDToɓ#κ(3H~> HNT{1<'4|u :\x&@H^_V[0MLZI(}6H{  Lx'#K>72g@m]w )ӢycCpPaٓ8\io-DEtete s/ b## &.1.3peYb{HvGo,3J4vL=Ȣ!9 n$︷$+KxT9Ei%WCޮ8σW q=TYnI%`:ՊJ9N4Nr1"$qyJ7J'rByd} )5F)a//k LwIFX^pi(V Ыથÿ>p5r 7 /)CbdI 'PBb{RA<ͮW˅rr'J5 ~2bZurD 9ghi;h vňz':s );֙j\:,|c= ;&ˇ,U*?+ԥ> ,:aI=I/ehD⿇L{d )$4 뢙P%E TϚbcݴ1[%;Yo4LG<3ʹ$Q~Fa|LjeEOF~7(BD+BVhDͬ*0Z  i<VUeҏhҵfK簸`j {2%{HpxYqKCtD]أ"R-{=N P˒b*ţJ%`;Ŝ.ҙ$@G$@,y$MBr<ǽ+$uzNK[H0Y'Lcz Т#q!  `yY!;إNS eI)mf6D &$Anw*zxea/r=uaYujۈYޣ3玮d}{URjjN ?iw>q9[yG¡Hj|ubC$486/ g3&e ab98Z!O<@`{s41W(jc5?}jg闺UɉG}E˼ yMZFړ䥸iİOR^4bVd=-T?^<@!&|Za?vGes Sٿggp~xP8Pk׳}-1Ӫ=B(XK Pͨ4$ 8!n1|{ y|K [jRcঀ_l~x܈;@+$ٝ1=߸fw'"/aݵ⟎~R3{䏥B7oҮqH e_M Ba[g0‡bqaA  BX?EKm8ѕ\Drv)Wr@Ym2yؕŠ=B 0 ~CX^q#U3&k~6Fce\[SS]ϭZï0[Ԓ#rd! `Bo,"Exa oquQ%|$h#8XiLʃx3ZA=sj4 b4BM;_, }L1WZ8TK.}KRG*+N+tW BZc{Weskɣ.j", jD:-~0ǫh1]Hist3#lzZC JOk&pVi j+LxZ8Ow| 􄼥޼voO%Yթ@,;]t<է<0ڢ R܉Y*a x_lSaZG ~r1se*1̶yb?jPV*ڱߡ<ƌ\^#+5PUk%r\Ph] 5r ̘|iNDJq9 Փ>.,bGc0/Ř`^.b¼yւkafǍ9G!/a\lGN$(cX azqOw|}P.[}1W5vᮥq O+%<3`J|xI,5o 㽻m% D`cvx H[5A\N{=EJMh>#4+#1/նWS lO1Vٹ%Z|fVؖmmq.]%Wd$)q8 @\5^D`߷~uB0ƘMZ8.,`J \0] 6~Z#ZIHx J7:]~_%ʄM0ǘ \TcЭB)˪M;InP}wY?e=` ' 24/xyB/j85 olUPī8AnKwm-@+>nN A'&`Cq =rt&WAz$7p O= Pm¼ϴHbS}o LðhDLROWI\vD!_K_!߰VIm{7R[ $yx?ZED& I}nG~hv.H}ӿh>zxX2b7C-9kI\Xțije@S[E@ǰG}9$.+Ja 3RtA<]ԁيֽ?#7L>-l \Zs4pB巷z}/ƈt3O0枩UITdL4B&(qTik$<49|_LYJ%‚ 5" #<|I@  u<9knٌqr6ޟfAӃD\11Fiŷ~(l;b21c|>Ocx˄H"0XJ$_.JgUEt0w  sn Q&@Ĕv7UI8Fwͭ03L\Xej xpƧxm))? |43LkR>ɖàzP8Y|obyLgA~\b @Ԑ0(JIB uXRFB(6s 7&EH릧ou;5u_F`p3W .Ԕj> MZ E>gٕa)豢 ߺoS wV7+ʟX'z+i+*K9I͑1;^(u@| LBz،\S;.0%D9]&9nIIs5}ѻ3R֚_ԝ^iY۾tƙLGƿf&R0mw 5YyfvʜPδ/x)B*rK x5" /g%qx&0f/EAgpD(/* F:ICfuljŵg5:ٙKϦKN#C3sr:X)` /\js!& )n}>^k&5+ۼv(3?Ck(\~NmfQ>\P~ sAww?l.?VieC:CLQd}?x(6_ 05.3_f^fsAK2K OnݏP13(ˌrnvA~Ӆf_O/C@2U\W_\gOg7\C}Y >>foʁo2ڿh&s$eCP̐.NpN2˹I+/ޯ.? fVt{r"%݆n ۍ9 xL|uӚܴOݖv<2kӫk+#B5Af_b 9y?'OxVfŭC:*5OKWX-Jaġ$[<ʹ}zև^V+_p3Nlc}o~ >W;}m^ =Ջ쓥->gA7gn"B8#/0 dH= _\0vZ{h 7\zď{nC21Nr|$UJZR[TJ= æDDݣ(B]N-U+r 0X\^9Q(Fuo*K0fy=q̐ga1VJ!'\CxKm.+2fdof2nQKpޤv,P@pTR Pcoy =s XI /?r{I2hؐCK؊9N-=)N>@OgÙ#ga&38W !7cUݡQ'M)<:,`̀4WЫȥ&`" 9oٔ^^CZ ΅G ˗ X62Y)07F@ B`u jϗ57[n%c$Q#5Erly0%60wHP,cV},"0 ;VWӄ.󡟼K{ǻkOsD`a\m8ʷI(q0ASփMΊ6q b/޺}hd9Mk+P<P%vqA0cX =`?EcБ2S-F&AG}FV垓$g'_7b Fy] YV8[xҢwr\鱻$0\d~d;Tlw[.@`'/2^;' O 8>eC[gI2T~{F=*P=fZRO;= n"0Yz#Io=Gmk_VeńK!z>[;@B!#R.ܐOߦ "#`A]eD$ug 3EϩfSC>X읙fc.Mc(ŬBCd=)O?6G[nE\<>bi x) yc<znG}4bעƄJu!A]=_v{[=/'R`Ba2\DGx kyfŧ3W<2ZP/jdVw@8̝,ӟ~H϶I5"`:Vڕ+zYL1e~}=3ӲG(qQ2,@Sqt3B׀5V`=H_3(|9NRnãÍXǸ׬[ [+ qy6` <Щ0D\bXe܌1MF.E]khT[)**S6 9/ߵS3pݼ®"vyXA\gX3' ȱ ya1 g{y{~kC'> kwx:YʐL\,^ ˈ /O C7Ѱ0 L{,luEG%RrNCa 0F :h2 19.f@xI1%h3l䃈mAb?iʱL}aG?q,EaKvdzUvѽk xٚջHR#.Yׂ!gn耵]1nBO .&DW6K54Ƙb~q1LX+0_mkASsLeU|t#GYEL`&;]+N%t&ж?8acT 1L(W,RYדWv!{Zq΋|E>WNENE<<Sf}#)VSL_Xџ_,P>I*g\%ƕy_Sq||h\7,Hgŧ#RI>Rlv<<~v|n a% ѨT\ߴ;GkO{,,M'{-)h,-(ZNN`)XfKVz C%ȕ/2F#-<#@F]Q+j5Nbi|ۊX#iQgrYO ZqKmN~늘p6JL?-۔9MR"GZk/%!zR4fr0>d֊&|ƷZ2cˤ_ l|x[+