Security Vigilantes Becoming Small-Time Terrorists


Vulnerability disclosure is such a painful issue.  However, some people are trying to make it as painful as possible.  They slap and kick people with the release of 0-day vulnerabilities, and tell them it’s for their own good.  In their fantasies, sometime in the future, we’ll be thanking them.  In reality, they make me feel sympathy for the vendors. 

They cite disillusionment with the “responsible disclosure” process.  They believe that this process forces them somehow to wait indefinitely on the pleasure of the vendor.  Whereas it is true that many vendors won’t and don’t fix known issues unless they are known publicly or are threatened with a public disclosure, it bemuses me that these people are unwilling to give the vendor a chance and wait a few weeks.  They use the excuse of a few bad vendors, or a few occurrences of delays in fixes, even “user smugness”, to systematically treat vendors and their clients badly.  This shows recklessness, impatience, intransigence, bad judgment and lack of discernment. 

I agree that reporting vulnerabilities correctly is a thankless task.  Besides my previous adventure with a web application, when reporting a few vulnerabilities to CERT/CC, I received no replies ever, not even an automated receipt.  It was like sending messages into a black hole.  Some vendors can become defensive and unpleasant instead.  However, that doesn’t provide a justification for not being gallant, and first giving an opportunity for the opposite side to behave badly.  If you don’t do at least that, then you are part of the problem.  As in many real life problems, the first one to use his fists is the loser.

What these security vigilantes are really doing is holding the vendor’s clients hostage, just to make an ideological point.  That is, they use the threat of security exploits to coerce or intimidate vendors and society for the sake of their objectives.  They believe that the ends justify the means.  Blackmail is done for personal gain, so what they are doing doesn’t fit the blackmail category, and it’s more than simple bullying.  Whereas the word “terrorism” has been overused and brandished too often as a scarecrow, compare the above to the definition of terrorism.  I realize that using this word, even correctly, can raise a lot of objections.  If you accept that a weaker form of terrorism is the replacement of physical violence with other threats, then it would be correct to call these people “small-time terrorists” (0-day pun intended).  Whatever you want to call them, in my opinion they are no longer just vigilantes, and certainly not heroes.  The only thing that can be said for them is, at least they didn’t try to profit directly from the disclosures.

Finally, let me make clear that I want to be informed, and I want disclosures to happen.  However, I’m certain that uncivil 0-day disclosures aren’t part of the answer.  There is interesting coverage of this and related issues at C/NET.


Posted by Sicurezza, ICT ed altro » Blog Archive »
on Thursday, January 4, 2007 at 12:48 PM

[...] An article from CERIAS that I completely agree with: disclosure, but responsible. Besides, it seems to me that the dispute between disclosure and non-disclosure has by now been settled in favor of the former, and so there is nothing left to prove. [...]

Posted by e
on Friday, January 5, 2007 at 06:07 AM

More abuse of the T word to sensationalise a point of view. Very disappointing.

I suppose the comparison to terrorism has become the Godwin’s law of the 00’s.

There is much that can be said for not using a “responsible disclosure” process and by all means it should be said.

However “irresponsible” disclosure most certainly does not meet the definition of terrorism. Not the definition as linked, nor as defined in any reputable dictionary.

Posted by Pascal Meunier
on Friday, January 5, 2007 at 08:36 AM

e, I knew I’d have reactions like yours.  It would have been nice if you pointed out *how* what those people are doing and advocating doesn’t meet either the definition I linked to, or one you think better.  I can’t find a more appropriate word to describe it.  Can you?

I have no problem with people saying what they want.  I do have problems though when they make decisions on their own that negatively impact the security of my own systems.

Posted by e
on Friday, January 5, 2007 at 07:53 PM

Hi Pascal,

Whilst there is no agreed upon set of criteria that defines an act of terrorism, the absolutely key criterion is that an individual labeled as a terrorist is a threat.

A threat is a party that has both the capabilities and intention to exploit a vulnerability in an asset.

Security vulnerability researchers have the capability to exploit a vulnerability; however, they do not have the intention (nor ever threaten) to actually exploit the vulnerability. Thus they fail the definition of a threat, thus failing the key criterion for the definition of being a terrorist.

The remaining criteria used to define a terrorist are thus irrelevant.

So what are security vulnerability researchers who do not follow the “responsible disclosure” process actually doing?

Arguably, the end result of their disclosure procedure is to unduly increase the risk to end users from the real threats (i.e., criminals or terrorists).

I think you could fairly call them “cyber crime facilitators”. I suppose a lawyer would perhaps use one of the terms “Accessory to cyber crime”, “willful blindness”, or “criminal negligence” to label their acts.

Unfortunately I don’t have a cool word or catch phrase to describe a security vulnerability researcher who chooses not to follow the commonly accepted “responsible disclosure” procedures.

Perhaps you could create a new word from a mash of ego, vulnerability, negligence, and cyber-crime to help you spread the meme that non-compliance with the “responsible disclosure” procedure is anti-social.


Posted by Pascal Meunier
on Monday, January 8, 2007 at 04:51 AM

e, Thanks for coming back and explaining your post, which had left me puzzled.  I see that you make a distinction whether the realization of the threat is direct or indirect.  Let’s go back to the concept of blackmail.  Blackmail can be based on the threat of revealing some embarrassing or incriminating information, so the reasoning is close enough and should be applicable to our problem.  The indirect threat is that of what other people will do with the information, such as firing the victim of the blackmail. The “blackmailer” (if there is such a word) will not directly carry out the firing or other consequences.  Yet, the blackmail threat is real enough.  So, by the same reasoning I claim that 0-day disclosures are a real threat.  The people involved in the months of bugs are aware as well that what they are doing is a threat.  They even word it clearly as the punishment phase of a threat being carried out.  Then there is the implied but very clear follow-up threat (to the vendors):  “You’d better improve your security practices or else we’ll endanger your clients and embarrass you again”.

I think that even though the threat of giving weapons to your enemies is not the same as the threat of killing you, it still is a very significant threat.  When that threat is used to advance an agenda by intimidating or coercing a population, then that meets the definition of the “T” word.  Because there is no physical violence in this case, maybe it deserves another word.  “Accessory to cyber crime” and such would equally apply to a single event and do not carry the meaning that a large number of people were threatened simultaneously to advance an agenda.  Appending the “M” word in front (“M” for “mass”) sounds bad (“facilitators of mass cyber crime”?) and could be done for profit, so it’s not a good fit.  So, I still can’t find a better word than the “T” word.

When you start going down the slope of threatening people for an agenda, and the first threats don’t work, there’s a possibility of escalation if you’re fanatic enough about the agenda.  In my mind there is a possibility (although I don’t think it’s likely at this point) that some of these people will escalate their threats.  I hope they don’t.
