
Hacking: responsible disclosure

Forgive me father, for I have sinned.

Unless you’ve been living under an internet-shaped rock for the last few weeks, you will have seen a handful of security issues disclosed online in New Zealand: Wheedle, ListSellTrade, Geta, and more recently the Ministry for Social Development (MSD).

I joined the gleeful pile-on around the auction sites in particular, which was amplified by the apparent stupidity of trying to compete with Trade Me using a half-assed website.

In retrospect, I should have been more circumspect (put your hands in the air and say yeah).

In case you didn’t know, there are protocols around responsible security disclosure. The Organization for Internet Safety has a weighty tome on the matter, but here’s a simplified overview:

  • Discover a flaw.
  • Do not exploit it.
  • Notify the owner of the flaw in private, giving them enough detail to find and resolve the flaw.
  • Give the owner of the flaw enough time to reasonably notify their users and/or resolve the flaw.
  • After waiting for the time above, disclose the flaw so that users can make themselves safe, and so that others can learn from it.

It’s pretty clear that in the case of the MSD flaw, both Keith Ng and Ira Bailey acted responsibly by notifying the MSD (step 3) and not going public until MSD had undertaken to close the kiosks (step 4). In fact, listening to Ira discuss the disclosure on Radio NZ (hear it here), I’d like to apologise and withdraw my accusations of d*****baggery.

But I still have questions about bug bounties. Read on.

In the cases of Wheedle et al, exploits were being thrown around on Twitter with abandon (by myself and others), and this was wrong.

In our defence, the sites were all brand new and fundamentally flawed, so the ferocious takedown was low-risk. But it was still wrong. I was aware of others notifying the site owners properly (@dylanreeve is a stand-up guy for example, trying harder than I would to get hold of people behind the scenes), so I didn’t bother to do so myself.

About those bug bounties
In some cases, companies provide a “bug bounty” for users who discover security flaws. This is for a couple of reasons: firstly because there is value in having these flaws discovered and resolved before they are made public; and secondly it acts as an incentive for “black hat” hackers to move from discovering a flaw (step one) to reporting it rather than exploiting it (steps two and three above). Hackers can opt for a quick, legitimate pay-off, rather than exploiting the flaw for possible dubious gain.

In my opinion, it’s totally kosher to ask a private company for a bug bounty. It’s in their interest to close the hole, and most responsible companies should have a public bounty policy, because even the best operational security is not going to keep up with every single exploit.

But a government department? I’m not sure about this one. On the one hand I think it’s our social responsibility to help these guys out as much as we can. Maybe I’m a wet pinko liberal socialist, but we’re all in this s*itfight called the internet together, and I think it’s a bit much to ask for a bug bounty on an issue that affects the most vulnerable in our society.

But then I read about $50,000 for a two-week Deloitte review and think that maybe a $2000 reward per bug would go a long way to making that review irrelevant.

Software developer Ben Gracewood is a former principal architect at Datacom and lead architect at Intergen. He is currently Practice Lead at mobile-specialist Marker Metro, and director and co-founder of the Codemania conference. He blogs at www.ben.geek.nz.


Comments and questions

When hacking is the only way to get info about what our governments are doing in our name it is a sad day.... TPP is the current MAJOR law that is being rushed through behind closed doors.

Wikileaks gave us insight into the war crimes and was shut down. Who are the evil actors in this equation? The people spreading the truth or the people hiding it to protect their own interests?

You don't answer the obvious questions

Ira Bailey is a person with a political agenda, Keith Ng downloaded lots of private information onto a USB key; whether it was a government department or a private company or your home computer it is theft. That's not just illegal, it's also morally wrong.

As a left wing pinko socialist which we all know you are, how about having the guts to defend the law, because if you don't there is nothing but chaos left in our society

Jeez, listen to yourself - let's not have the bigger picture of IT security get in the way of a rant.

"Keith Ng downloaded lots of private information onto a USB key; whether it was a government department or a private company or your home computer it is theft."

No it isn't, it is evidence. And the rest of your comment is crap.

"$50,000 for a two-week Deloitte review."

You'll be able to add a couple of zeros to that before this is over.

Agreed - would have been cheaper to put the kiosks up at the Armageddon Expo this weekend with a grand prize on offer to properly test. Always the problem with beta testers, they know too much to properly see if they can break it.

If someone rang me saying they had found a hole I would shake the hand.

> both Keith Ng and Ira Bailey acted responsibly by notifying the MSD

Really? The guy phoned MSD, told them that they had a security flaw and asked for money. When none was forthcoming, he passed the details to a blogger.

I think he's lucky not to have been arrested.

I don't think you have thought it through. Any half-competent organisation would at minimum have invited him in for a coffee and sticky bun to find out whether he was a nut or kosher. The reason he is not arrested is he has done nothing illegal.