[WEB SECURITY] another good guy is charged --- What I fear...
Dennis Groves
dennis.groves at gmail.com
Mon May 22 20:31:50 EDT 2006
On 4/26/06, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
> Eric McCarty uncovers a SQL Injection vulnerability in USC's website [1],
> collected a small amount of data to prove an exposure existed, and disclosed
> the issue with the assistance of SecurityFocus [2]. For his trouble he now
> faces computer intrusion charges [3]. This story is similar to that of
> Daniel Cuthbert's from last year [4]. The big difference seems to be that
> Eric actually gained access to sensitive information, although likely
> because USC initially didn't understand the issue until proof was shown.
----------8< snip -------------------------
I just stumbled upon the following:
http://www.cerias.purdue.edu/weblogs/pmeunier/policies-law/post-38/
Where he makes the following recommendations...
> 1. If you find strange behaviors that may indicate that a web site is
> vulnerable, don't try to confirm if it's actually vulnerable.
> 2. Try to avoid using that system as much as is reasonable.
> 3. Don't tell anyone (including me), don't try to impress anyone, don't
> brag that you're smart because you found an issue, and don't make innuendos.
> However much I wish I could, I can't keep your anonymity and protect you
> from police questioning (where you may incriminate yourself), a police
> investigation gone awry and miscarriages of justice. We all want to do the
> right thing, and help people we perceive as in danger. However, you
> shouldn't help when it puts you at the same or greater risk. The risk of
> being accused of felonies and having to defend yourself in court (as if you
> had the money to hire a lawyer — you're a student!) is just too high.
> Moreover, this is a web site, an application; real people are not in
> physical danger. Forget about it.
> 4. Delete any evidence that you knew about this problem. You are not
> responsible for that web site, it's not your problem — you have no reason to
> keep any such evidence. Go on with your life.
> 5. If you decide to report it against my advice, don't tell or ask me
> anything about it. I've exhausted my limited pool of bravery — as other
> people would put it, I've experienced a chilling effect. Despite the
> possible benefits to the university and society at large, I'm intimidated by
> the possible consequences to my career, bank account and sanity. I agree
> with HD Moore, as far as production web sites are concerned: "There is no
> way to report a vulnerability safely".
>
This is very frustrating for me to read. This seems like good advice; but it
is to me the antithesis of the direction we want the industry to move in.
The reason for WASC & OWASP is to raise awareness of the problem and to
hopefully create enough of an atmosphere of education that we can begin to
see more secure publicly facing applications. This will not make every
application problem free, and due to the fact that they are publicly facing
'untrusted, unauthorised users of that system will discover issues'. It
would seem to me that the proper procedure is for "us" (the experts) to
create a standard in the spirit of 'RFPolicy'. I propose the following: the
idea be pushed that in addition to a security policy a company that is
seriously concerned about web application security provide a mechanism for
anonymously reporting issues discovered by untrusted, unauthorised users of
that system. Perhaps the way to report a problem would be to access the
"site security policy" where the "report a problem" policy and procedure
would be written for users of that system and maybe this should be part of
every site security policy? I don't seem to recall ever seeing this issue in
any that I have read... (but I obviously haven't read every policy) I think
we (the web application security community) are easily in a position to
publish a recommendation. However, I think the idea needs more thought and
discussion and maturity.
What does the rest of the community think?
(If there is enough interest I would be happy to lead the charge on this.)
--
Dennis Groves
<a href="http://homepage.mac.com/dennisgr/FileSharing13.html">vcard</a>
Be who you are and say what you feel,
because those who mind don't matter
and those who matter don't mind.
Theodor Geisel