June 20, 2011

Exploits Are Like Guns

Posted in Exploits, Guns at 18:39 by Alex McGeorge

This inaugural post is an expansion on a tweet I sent out that got some folks curious; at less than 140 characters, it is the tl;dr distillation. If you get it, and I think you’ll know immediately if you do, then there probably isn’t much in the rest of the post for you.

Selling exploits is like selling a firearm. People can use it to help protect themselves or to hurt others. I sleep fine either way. [0]

I was teaching the online CANVAS 101 course to a single student recently and he didn’t have a whole lot of experience in the pen-testing world. I really like running into these types of people when I teach one-on-ones because they ask very fresh questions that are sometimes larger than just the technical content. On the second day we were running through some of the advanced CANVAS features; the exercise is neat because you get a bunch of shells and screenshots and passwords all at once. When I get to a break in the lecture he asks me, “Alex, how is selling this legal!”

My go-to analogy, which I have to use frequently when I run into people who aren’t familiar with what’s possible in this corner of the world, is to compare it to the sale of a firearm. Colt sells you a firearm but how you use it isn’t their problem. I’m sure they prefer that you don’t use their gun to murder someone but they’re not responsible if you do. The reason they can take this moral position is that guns have various legitimate and important uses: self defense, sustenance hunting, liberation from tyranny, and to a much lesser extent recreational shooting and enjoyment, along with dozens of others.

Exploits work the same way. I sell you an exploit and you do have the option to use it for something illegal and potentially harmful; I would prefer you didn’t but I have no control over that. We’re in the same position here as Colt: exploits have a variety of important and legitimate uses. I can test and improve my own defenses, I can learn how to improve my own code, I can hold vendors accountable to provide fixes or can use them in my lab for my own satisfaction.

Guns, like exploits, are also force multipliers. Say for instance five professionally trained fighters are rushing you, to defeat them barehanded you need incredible martial prowess that few people possess. If I hand you a riot gun you now have a high chance of winning regardless of your experience. As your enemy I have to spend resources to even the odds in my favor again. More on this thought in a later post.

Exploits and to a larger extent frameworks/interconnected tools like CANVAS or Core or Metasploit allow that same force multiplier ability. I can put you in front of five vulnerable webservers, all different software, OSes and architectures and you’d have to be a rockstar to write reliable exploits for them under pressure, in reasonable time and from scratch. But if I give you the right tools you can dismantle those servers in minutes.

So what about the arms dealer scenario, people who are willing to sell whatever to whomever so long as the price is right? This gets into murky moral waters and I will defer to the excellent movie Lord of War [1] for a more in-depth discussion. I will add however that when you’re going to arm a revolution you don’t go to your neighborhood gun shop and ask to order in bulk [2]. You also take the same approach if you’re looking to kick off a genocide. Sometimes progress needs the black market; this can hold true with our little spidery world as well.

Interestingly though, Colt really has no control over whether their guns end up getting re-sold as part of a large scale arms deal. Even if the Colt stamp isn’t on the weapon, how many AR-15 clones exist at virtually any price point? As a manufacturer [3] of exploits I have to recognize that information wants to be free and eventually our secret sauce is going to end up in someone else’s exploit. Once the exploit is written and public, even to just our customers, that information is out there and feeding the worldwide exploit development cycle for a particular vulnerability.

So we’ve seen some similarities between firearms and exploits. The US Government, in the wake of certain recent events, is considering hacking (exploiting vulnerabilities for criminal purposes) an act of war to be met with real life missiles [4]. The comparison between firearms and exploits then seems sound, at least conversationally.

So what allows me to sleep well at night? It is impossible for you to guarantee me that you won’t misuse our product. Realistically a background check doesn’t mean shit about someone’s intentions, just like having the word ‘ethical’ associated with what I do for a living doesn’t mean fuck all. Do you think I’m going to reflect deeply upon a piece of paper I signed before taking a class or getting a certification if I’m sitting on a server that controls the flow of millions of dollars? I assure you I don’t. What keeps me from being a twat is another post altogether. If you ever see me at a bar buy me a scotch and soda and then ask me why I’ve been wearing my ‘unethical hacking’ bracelet since Defcon 2008. (Yes I wash it)

Like any other merchant we have the ability to choose who we sell to. I listen to my gut, I do a bit of research and I make my recommendations. In cases where I’m wrong I try to reexamine my criteria so I’m more likely to make the right choice in the future. That works for me and that works for people who sell weapons that make it easier to go from idea to death. I couldn’t become the exploit-selling version of Nicolas Cage’s character in Lord of War (at least not without the help of all that cocaine) and though they’re nominally in the same business I don’t think many gun store owners could either.

[0] Twitter
[1] http://www.imdb.com/title/tt0399295/
[2] http://dlvr.it/X0h1m
[3] To clarify, I’m speaking here as a part of Immunity, which produces exploits as a product. I do not write the exploits that ship with CANVAS; we have a wonderfully talented group of folks who do that. Someday maybe I’ll be in that group who can write good commercial grade exploits.
[4] WSJ Article

