[development] Irresponsible security researcher

Greg Knaddison greg.knaddison at gmail.com
Wed May 13 15:01:41 UTC 2009 

On Wed, May 13, 2009 at 8:14 AM, Joshua Rogers <me at joshuarogers.net> wrote:
> I can say that personally it does cause me to wonder about this "ethical
> hacker."  (It says so on his resume.  Really.)  Personally, by endangering
> those who use the software that he exams, I see him more as a passive-
> aggressive black-hat.  And maybe a little over jealous at that.

I'm not sure about "black-hat".  As far as I know he's not breaking
into sites...  He's a system admin for his employer and part of that
work is to identify vulnerabilities in their server sotware which
happens to include Drupal.  It's nice that he is putting effort into
finding weaknesses (that's often a huge part of the process). It would
be even better if he (and/or his employers) would allocate time to
fixing the bugs rather than just finding and shouting about it.

> http://drupal.org/node/372836 (which apparently he wasn't credited with)
> amounts to "if you let someone administer nodes they can change things."...
> Yes.  Better though was http://justin.madirish.net/drupal6-cck-vulnerability.
> It boils down to 'people with "Use PHP input field settings" permissions can
> run PHP'...  So...  I guess that makes this a un-bug report?  (Maybe an
> "Everything is working like it is supposed to." report?)

Exactly!  It's not a vulnerability so there's no need to credit
someone with finding it...

The security team tries to address issues within 2 weeks, but that's
often hard.  When there is a public disclosure we try harder to
address them quickly, but the extra attention and confusion it creates
doesn't help.  A lot of the decisions from the security team are
compromises - we do things for 5.x and 6.x that are guaranteed to
work, but are not clean enough to be accepted into Drupal in general
(see http://drupal.org/node/449078 for example).

The specific SA where Justin did not get credit was another situation
of making a compromise: the "vulnerability" was disclosed and nobody
on the team felt it was important enough to fix personally.  Justin
and his employer were unwilling to allocate their resources to fix it.

So, given that public disclosure had occurred and that the security
team wasn't going to fix it and that we wanted to respond in a timely
manner...we did a "public service announcement" reminding people that
admin means admin.

> At least now I know one less person that I have to take seriously (on a
> professional level.)

This is somewhat true, and I certainly don't have a lot of love for
Justin's online behavior.  However, it's easy to get pissed at people
online.  I imagine that if I got to hang out with Justin over a
delicious Philadelphia cheesesteak we'd be pretty friendly.  He's got
a different philosophy on security disclosure and doesn't prioritize
contributing patches the same way that a lot of us do.  That different
philosophy and lower value on contributing patches doesn't mean he's
unprofessional or an evil human.

Regards,
Greg

-- 
Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com
Cracking Drupal - Learn to protect your Drupal site from hackers
Now available from Wiley http://crackingdrupal.com

More information about the development mailing list