I feel it's prudent that I preface this blog with the fact that I am NOT a vulnerability researcher. I took a class on exploit development. I even got Ret2libc to work, like once. So, I guess you could say that I stayed at a Holiday Inn last night.
Let's take a moment to talk about vulnerability research
Vulnerability research is widely defined as identifying previously unknown security flaws (also known as “zero days”) in software products. Needless to say, this type of research can be challenging and, at times, have little to show for the amount of work put into it. Vulnerability researchers could spend days, weeks, or months trying to find vulnerabilities or bugs, and turn up empty-handed. Sometimes researchers will take to Twitter, or whatever social media platform of choice, as an outlet for their work frustrations or to rant about the software they’ve analyzed. Due to this, there have been some recent... rumblings... in regard to how vulnerability researchers should conduct themselves in the public eye.
The claim is that vulnerability researchers bear a responsibility to not grumble about their work and just fix the problems. The concern is that the jokes, memes and offhand comments connected to the software that has vulnerabilities could be taken out of context -- basically, to be used as a justification by your average consumer to not use that software at all: 'some cybersecurity bloke says they're not secure, so I'm not using one.'
Allow me to introduce "Taviso"
Tavis Ormandy (aka "Taviso"), who is a very successful vulnerability researcher and also employed by Google as a part of their Project Zero initiative, is a large part of why this blog post exists. If you’re not familiar with Project Zero, it’s an initiative that focuses on identifying zero day vulnerabilities and responsibly disclosing them to vendors, so that they may be fixed in a timely manner.
Anyway, Tavis has torn apart security products by a number of vendors -- Sophos, ESET, Kaspersky, Avast, FireEye, AVG, Comodo, Malwarebytes, Avira, TrendMicro, Symantec, and McAfee. He found the vulnerabilities, made some snappy comments in the Project Zero bug tracker, as well as on social media, the issues got fixed, then the details got released. No harm, no foul. Nobody seemed to have a problem with it at the time. Maybe it was because, by and large, most security researchers treat antivirus with disdain. After all, antivirus is dead, right?
Enter: The password manager bug situation
What’s interesting is that the TrendMicro vulnerability, linked in the paragraph above, piqued the interest of other security researchers. They specifically asked Taviso to have a look at password managers. So he did and, to nobody’s surprise, he found bugs. The difference is, this time (for reasons that baffle me entirely) his reaction to finding password manager bugs was taken harshly. There was some considerable backlash about his lack of professionalism and how his statements could impact the adoption of password managers (note: I’m not going to bother linking to the discussion, because social media arguments are little more than the forum ‘flame wars’ of yesteryear. Besides, if you want to see it yourself, it’s not hard to find).
Password managers are applications that are used for keeping track of passwords for various websites, systems, and applications. They are seen as a more secure alternative to password re-use. Most even include password generators, where you can define a password length and character set, to allow the password manager to create a random password for you and just add it to its database of managed credentials.
Usually, password managers utilize a single master password and/or other authentication factors for accessing the collection of stored credentials for other services within. The convenience cannot be denied; however, it essentially promotes the concept of dumping all of your eggs into one basket: You had better hope the basket doesn’t have any gaping holes in it...
Taviso was asked to look for holes, and he found them.
The real problem? "Folksec"
As stated above, there was worry that his statements regarding issues he found with password managers might cause your everyday consumer to shy away from password manager applications. However, I don’t think this is a problem of professional conduct. This is a problem with folksec and media spin, more than anything. Even if Taviso had never found any vulnerabilities at all, the fact of the matter is that "Folksec", a term I am appropriating from a dear friend Eric Rand, is a massive problem in consumer security practices that is exacerbated by media misinformation.
Folksec is defined as, "Well-meaning advice passed along by non-professionals that is intended to help other non-professionals secure their information systems, but which is of little help or potentially damages security." If you combine this with the fact that the media of today has a ‘shoot now and post corrections/redactions later’ (after the damage has already been done) mentality, you have everything you need for folksec to take root. Every media outlet has a spin and an agenda they want to push. Most consumers are content to take that message at face-value, without any fact-checking or critical thinking, assuming that the media outlet of their choice has already done that for them.
I could easily see a news outlet taking a quote from a social media platform and turning it into a headline to be taken out of context. Something like:
"'You're on your own' says Google researcher on password manager security."
Of course, they wouldn't bother to mention the context of the message is that he had been experiencing backlash and reprimands over his supposed lack of professionalism, in spite of following the rules of responsible disclosure.
Vulnerability researchers are human beings, not automatons
If a vulnerability researcher can’t joke around or blow off steam after reporting a finding, then what is this world coming to? We’re human beings, not automatons. Sometimes, we just want people to relate to our struggles. To be clear here, Taviso never gave out any vulnerability details over social media with regard to any password managers. Yet, he was still criticized. I guess it's fine to crack wise about unpacking malware in kernel memory, but talking smack about password managers is verboten.
Whether or not you think Taviso’s hijinks are funny or lack professionalism, the fact still remains: He was asked to analyze password managers, he did so, followed responsible disclosure guidelines, and is being criticized for what amounts to blowing off steam.
Ultimately, Taviso's work is a net positive
Taviso’s work, as well as the work of the rest of Google’s Project Zero team, is a massive net positive when you consider the alternative avenues a competent vulnerability researcher could have utilized instead.
Lawful Intercept organizations like Hacking Team and NSO Group exist. Zerodium and other organizations that buy and sell zero days exist as well, not to mention hawking your 0days on the “dark web” is also an option. I could sell my zero day to an LI group or a zero day brokerage, get phat wads of cash, and never have to care where the 0-day ends up. Or, I can choose responsible disclosure/bug bounties, a steady paycheck and public scrutiny for trying to do the world a favor.
I guess if there is a moral to this post, it’s the fact that Taviso, or someone with his skill-set, could’ve found the 0days on his own, sold them (instead of disclosing), and the likelihood is that you’d never know where those 0days came from -- even if they were to get exposed in the future (à la Hacking Team, NSO Group and/or EQUATIONGROUP). Even then, it's the 0days that get exposed (in some cases, nearly a decade later), not the researcher who found them.
Sometimes, I have a bad day too.