June 21, 2011

Exploits are like Guns: PT 2

Posted in Exploits, Guns at 03:11 by Alex McGeorge

Word Count: 550

@miaubiz asked a question: what about a Tec 9? Rather than focus on the specifics of this firearm we’ll label it for discussion as a full auto machine gun (which it isn’t, but I think this is a better example).

Why does anyone need access to machine guns? As a defender you really need access to them to test your defenses and protect yourself. Can the armor on your vehicles handle a 7.62mm bullet hose? Your adversaries have this capability so you have to test. As a noble attacker, automatic weapons are the physical tools of revolution.

If you were waging cyber war, having a tool available that could quickly engage and neutralize multiple targets (i.e. a machine gun) is invaluable. An 0day which is wormable (that is to say, in a popular service) has the ability to affect a lot of people. It’s almost like the language virus Neal Stephenson was talking about in Snow Crash: rather than die once they are exposed to the worm, targets instantly become converts (i.e. I owned them) to my cause, which is much more useful.

Is it moral to build this technology yourself? Of course, no one can stop you from finding bugs and creating new technology. Selling it isn’t any less moral because you’re always free to profit from your invention. Where morality comes in is how the technology you created is used.

@krsec asked if I had any thoughts about @VUPEN and similar companies. As it happens, they can fit in this analogy too: custom weapons shops are really common, and the US military has used them for decades to develop solutions to very specific problems.

Boutique exploit shops are not new, they’ve been around for years. They exist to solve very specific technical problems. For practical purposes what distinguishes VUPEN from the others is their marketing. I imagine a lot of boutique shops have very targeted and non-public sales efforts, and their business grows more slowly because of that discretion; VUPEN is taking a different tack. They’re advertising and publishing what they have but (to my understanding) only selling to government/military customers. Because we see neither their finished product nor customer reviews of their product, it’s easy to label it as BS and FUD. Johnny the fed ain’t hopping on twitter to glow over a VUPEN 0day.

I don’t have any problem with what VUPEN does or how it markets itself; I would imagine they’re trying to attract the attention of international government organizations rather than strictly those in their home country. As a business practice it’s fine, smart even. From a technical perspective they’re annoying because they make a claim and I want to know if it’s true, but there’s not enough public information to do that. So I tend to ignore them, not out of distaste or malice but because I probably won’t ever know if they’re bluffing. So long as their marketing stays marketing and is not interpreted as fact, then I’m ok.

Based on my experiences in this security niche what VUPEN claims is certainly possible (0days in popular browsers? Heavens!) and I suspect they can probably do it. But I’m not wetting the bed when they make an 0day press release either.

This post brought to you by: TV On The Radio – Wolf Like Me
