maradydd ([personal profile] maradydd) wrote2006-10-29 06:26 pm

When is a 0-day not a 0-day? (Or: why implementations matter.)

When it's been a publicized vulnerability since at least 2003, but nobody's had the good sense to actually pay attention to it, you assholes.

Avi Rubin on the Christopher Soghoian fake-boarding-pass generator kerfuffle:
RUBIN: When we find a security vulnerability, we think about how to publish that information responsibly, and what information we may need to omit. When we find an exploit, the first thing we do is have a meeting about who to tell and how.
Avi, this is all well and good if you're talking about a brand new exploit that nobody's ever imagined before, or even if you combine a few old attacks in a new and unexpected way. But Christopher Soghoian only did one new thing: he implemented an attack which had only been described in theory, even though that attack was already easy enough for the average thirteen-year-old with a MySpace to pull off in practice. Now it's easy enough for the average kindergartner. You cannot possibly give a convincing argument that our nation's security is under appreciably greater risk from the grade-school age bracket than it was last week. Nor, I believe, can you give a convincing argument that terrorists who have the technical savvy to coordinate dozen-man attacks haven't figured out how to edit a webpage or hire someone who can.

No, this is a matter of practice getting better press than theory. I'm willing to believe that not a single one of the 535 members of the U.S. House and Senate was reading Crypto-Gram back in August 2003 and that none have happened across Schneier's article since. I'm less willing to believe that no member of Congress reads Slate magazine, which covered the same issue last year -- especially since Sen. Charles E. Schumer (D-NY) issued a press release about the loophole a mere six days after the Slate article came out. But theoretical attacks make people's eyes glaze over, especially people who can't be bothered to learn anything about the systems which make those attacks possible. If people have to do actual work to see that the emperor has no clothes, most of them will gladly continue to believe whatever the emperor wants them to think. Soghoian reduced the process to "push button => naked emperor," and now people are scared of something they should have already been clamouring about for the last three-plus years.

Keep this one in mind, all you academics out there. By and large, you don't care about whether your work ever gets implemented or not, as long as it works out on paper. But the Christopher Soghoian incident should stand out as a reminder and a warning: your work is only going to affect the rest of the world if someone puts it into practice. That someone might be you, or it might be somebody else's grad student; it's up to you to decide who's going to get the recognition.

Assuming, that is, it's the kind of recognition you want.

[identity profile] enochsmiles.livejournal.com 2006-10-30 03:27 am (UTC)(link)
I just submitted a comment to BoingBoing about this. I hope my advisor doesn't get pissed at me for using a bad word in reference to Avi, but he deserved it.


I'm sorry to have to say this about a member of my field I respect
greatly, but Avi Rubin is full of shit. Firstly, he's presenting the "full
disclosure" debate as though there's anything resembling consensus on how
vulnerability disclosure should be handled. When he says "we" in his
remarks, readers should note that his use of the word is in the "royal"
sense. Other security researchers routinely produce full, working exploits
for the vulnerabilities they discover. (A few years ago, I joined numerous
other security researchers at Stanford for a workshop on this issue, and
with the exception of a few speakers, such as a shill from Microsoft, the
general consensus was that full disclosure is essential to security.)
http://cyberlaw.stanford.edu/security/

Every vulnerability is different. When releasing details about the nature
and extent of the security flaw, the researcher must weigh the risks of
being coy vs. the risks of revealing all. In the case of the boarding pass
hack, a) the existence or even the widespread use of the boarding pass
generator does not actually impact the security of our airports. It is an
exploit showing the nature of the security theatre, not an exploit in
security. Furthermore, it's been published numerous times in the past, as
Boingboing has noted, including being highlighted by a congressman.
How much more attention could this possibly get, without an actual
demonstration?

Professor Rubin is either speaking under the guise of authority about an
incident of whose details he is woefully ignorant, or he's simply
scared of having his own house raided in the middle of the night by FBI
thugs, and saying what he thinks the people in power want to hear. I'm not
sure which disturbs me more, but either way, he should be ashamed of
himself for condemning a fellow security researcher for doing the
responsible thing.


[identity profile] crabbyolbastard.livejournal.com 2006-10-30 01:13 pm (UTC)(link)
Avi is behind the times on this as a 0day. He is not behind the times where it comes to the theory of 0day where the government, military, and of course more to the point, our current crop of dullards in office come into play.

Sure, this exploit has been around a long time but as you can see NOTHING was done about it by DHS, Congress, and the TSA. Perhaps they just thought it was a thought experiment? Maybe they just didn't give a shit? MAYBE they just can't read? Who the fuck knows, but I really blame lackadaisical attitudes and less than stellar thinkers in charge of these agencies.

So, here we have someone who actually gets perhaps tired of "thought experiments" or has a PhD to finish and actually uses the exploit, charts the experience, and writes about it online. He proves that it is possible to actually use such a "low hanging fruit" approach to foil (*insert Snidely Whiplash and Dudley Do-Right imagery here**) and whadd'ya know, he gets the FBI on his ass at 2am searching his premises.

INCONCEIVABLE!

So, given the waters he has chummed, Soghoian has opened himself to a shitload of trouble concerning not only fraud against the TSA/Gov/DHS and airlines, but also perhaps giving support to terrorist entities. This, under the Patriot Act, could land his ass in a rendition program (*ok, extreme and not likely, but at least a possible enemy combatant US citizen**).

So, there you have the crux of the matter. Sure, you can tell these people and agencies that the problem exists (*mmm, as you cite all those earlier posts/articles on this very issue circa 2003**) but NOTHING was done. The lethargic and often spiteful system that is the government did not try to change things to prevent this "sploit".

This brings me back to Avi... Yeah, he is behind the times, but he is at least pointing out the problem. This was a known element. It was out there. The government did nada... Until someone proved it could work and embarrassed their asses. Then they unleashed the hounds.

Damned if you do...damned if you don't.

I have been there more than a few times in my career and it is why I will NOT work for the government as a consultant auditing them ever again. It only takes me a couple times of being told by a government head to "forget about what you found" in so many words for me to just walk away angry.