Saturday, September 13, 2008

The Citect Exploit: A Week Later

I resisted the temptation last week, but this article sent me over the edge:

Desautels said he stands by the decision.

First the exploit will motivate people to patch by giving them a way to test their systems against the vulnerability, he said. Second, it will encourage SCADA software developers to write more secure code.

"I think releasing the exploit code was actually necessary," he said. "He's actually doing a free service. I would believe Kevin has actually reduced risk."

This is 2008, right? Spare us your simplistic 1998 BUGTRAQ arguments. Please. You can't be serious. This, like most vulnerability disclosures, is all about the marketing and rattling the cages. There is nothing richer than consultants/researchers who have no clue about designing, developing, shipping, and supporting products spouting application security cliches that are easier said than done: "add security to your development process," "get rid of stack-based overflows," "do security testing before your release."

The CORE disclosure was handled professionally, but this is amateur hour. But you knew that if you follow SCADASEC or read Kevin's adolescent rant.

And actually that was my key problem with the release: not what was released, but how it was released. All the posturing. Listing all the impacted sites and end users? All the little sarcastic comments and the NRA-inspired rhetoric.

Release the exploit, fine. Not a bad thing. But spare us the bullshit, it just undermines your credibility.
Anonymous said...

Perhaps I missed an important detail, but there is a venom underlying your vitriol that hints at a more personal hatred of this person.

What did he do to you?

Matt Franz said...

Nah, nothing personal (at least in terms of any grudges against Kevin or Adriel). Perhaps some self-loathing, since there are no ideas as vile as those you used to believe yourself ;)

So forgetting about my unfair and unwarranted attacks on Netragard, you don't have any issues with the style or substance of

Anonymous said...

$ w3m -dump | wc -w

I guess the fact that it took 4,500 words to say "hey guys, I found a stack overflow" speaks volumes by itself (no pun intended) :P

Anonymous said...

Well, I can't comment on Kevin, but I can tell you that it's good press for Netragard. If you ran a business like that, wouldn't you advertise it any chance you got?

Matt Franz said...

Obviously. And that was my point. Call a spade a spade. Vuln disclosures are about marketing despite all the "we're doing this for the good of the industry" nonsense.

It is a question of how you want to be perceived and for what.

Release self-righteous, unprofessional Phrack-style write-ups

work with .gov/.org coordination centers to help the industry along.

It is all a question of your branding ;)