Let’s talk about security research, discoveries and proper discussion etiquette on Twitter

Yesterday (December 4th, 2018) I tweeted this:

This tweet got a lot of traction, many replies, likes, and retweets. But there was also another kind of comment, such as this one:

Now, Gary O’leary-Steele is right and wrong at the same time — this isn’t anything new, it is fully documented, it’s been around for ages and many people know it. So why is he [also] wrong? He’s wrong because he assumed that I acted as if I claimed to have discovered something undocumented (which I never did), and he chose to mention the fact that I included an IDA screenshot as if I were trying to look all “bad-assy”, showing off my 1337 IDA skills. However, Gary doesn’t know the back story. During the day I work for Cybereason, a company that develops an EDR solution and provides various services such as monitoring, IR and security research. In my role as the head of security research of the services group (which we call “Nocturnus”), the team and I constantly look at how attackers (either interactively or via malware) try to bypass security systems, and we also try to find ways to bypass our own solution because, obviously, that’s how we as a company get better.

As a part of these efforts my teammate and I are working on a project that iterates over binaries and tries to find “exploitable” features, be it a “lolbin”, a lolbin-like capability or something else. We do it by parsing various binaries and applying some automatic disassembling and solving in order to find such “features”. Yesterday, during one of our first runs, the project marked the shell() function in ftp.exe as a potentially exploitable function, and within less than two minutes we realized that it’s the “!” trick with ftp.exe. We ran some PoCs and determined that the “!” trick is pretty neat and that it could be used to bypass some app whitelisting solutions (and some other tools as well).

I then proceeded to tweet about it (the tweet is at the top of this very post) and included two images: a screenshot of a part of the shell() function and a screenshot of the process hierarchy as instrumented by Process Hacker. As I mentioned before, the tweet got a lot of traction, and many people replied saying this discovery wasn’t new and nothing to be excited about, because they assumed that the fact that they knew something before someone else (myself, in this story) entitled them to respond in a way that is a bit… well, not worthy of a response, because it does not promote a constructive discussion. Nevertheless, many of those people simply decided that “Today I found out” is the same as “This is an undocumented feature”; they never even bothered to look at some of my own replies, such as this reply that I wrote back to @gleeda, who complimented me on the finding:
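The process hierarchy in that second screenshot (a shell running as a child of ftp.exe) is also the thing a defender can alert on. The following is an added example, not code from this post, from Cybereason or from the project mentioned above; it assumes process-creation events with Sysmon-style field names (Image, ParentImage, CommandLine) flattened into one line each, and all sample events are constructed for the illustration.

```python
"""Flag child processes spawned by ftp.exe in process-creation telemetry."""
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). Each line flattens a
# process-creation record into "Field: value | Field: value" pairs, using
# the Sysmon Event ID 1 field names Image, ParentImage and CommandLine.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\ftp.exe | ParentImage: C:\\Windows\\explorer.exe | CommandLine: ftp",
    "Image: C:\\Windows\\System32\\cmd.exe | ParentImage: C:\\Windows\\System32\\ftp.exe | CommandLine: cmd.exe /c hostname",
    "Image: C:\\Windows\\System32\\notepad.exe | ParentImage: C:\\Windows\\explorer.exe | CommandLine: notepad.exe",
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | ParentImage: C:\\Windows\\System32\\ftp.exe | CommandLine: powershell.exe",
    "Image: C:\\Windows\\System32\\cmd.exe | ParentImage: C:\\Windows\\explorer.exe | CommandLine: cmd.exe",
]

# One "Name: value" pair; the value may itself contain colons (drive letters).
FIELD_RE = re.compile(r"(\w+):\s*(.*)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into a field -> value dict."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        match = FIELD_RE.match(part.strip())
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path, e.g. 'ftp.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_children_of(events: List[str], parent_name: str = "ftp.exe") -> List[Dict[str, str]]:
    """Return every event whose parent image is `parent_name`.

    Matching on the file name rather than the full path keeps the check
    independent of the system directory layout (System32 vs. SysWOW64).
    """
    hits = []
    for line in events:
        event = parse_event(line)
        if image_name(event.get("ParentImage", "")) == parent_name.lower():
            hits.append({
                "child": image_name(event.get("Image", "")),
                "parent": parent_name.lower(),
                "cmdline": event.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_children_of(SAMPLE_EVENTS):
        print(f"ALERT: {hit['parent']} spawned {hit['child']} ({hit['cmdline']})")
```

On the constructed sample this flags the cmd.exe and powershell.exe children of ftp.exe and ignores the same images when launched from explorer.exe; in a real environment the parent-based rule is what separates the “!” trick from an ordinary interactive ftp session, since the child image alone looks like normal administration.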

And this brings me to the whole point of this post — the discussion etiquette on Twitter in general and on infosec-twitter in particular. As you can clearly see, my tweet about ftp.exe has nothing that even remotely insinuates that this was an undocumented feature that I discovered; my tweet starts with the sentence “today I found out”. So yeah, while this feature is well documented (see screenshot), I didn’t know about it, and I found out about it from the project that my teammate and I are working on.

I, like many other people in the infosec industry, enjoy sharing my knowledge (on Twitter and elsewhere) because I truly and wholeheartedly believe that sharing our knowledge takes us forward, not only as individuals but as a society (which includes our industry/community/whatever you want to call it). In order to move forward, be better at our jobs, and make computers safer, we need to be able to share our knowledge in an environment that provides and promotes polite and constructive discussions. Without being able to share knowledge and have constructive discussions about it like adults, we would all end up stagnant, surrounded by negativity and in a constant state of self-defense, because every tweet has the potential to become a flame war over nothing, especially when it’s a tweet that’s all about sharing knowledge and helping other people learn new things.

At the end of the day, I’ve been doing security research for about half of my lifetime. There are things that I know and very few people know, and there are things that I don’t know and other people do know. If you’re reading a tweet/article/forum post/blog post/whatever which contains information that was already known to you — don’t assume that the author was trying to score “coolness points”; try to look at it as if someone was trying to share their knowledge and to document it for future reference. What might look totally trivial to you as a penetration tester/red teamer or whatever might not be as trivial to a person practicing a different discipline of security research, such as myself.

The fact is that many people (and I’m still overwhelmed by the sheer amount of interactions with this tweet in the form of comments, likes, and RTs) found that tweet useful and, just like me, learned a new thing. And yes, Mr. O’leary-Steele wasn’t the only one who had reservations about this tweet, but we can all talk about it like adults — that’s what we’re here for (I hope):

Our industry has enough drama and misconduct as it is; don’t promote and provoke it just to make yourself look more knowledgeable — try to look at the broad picture, try to promote a positive change in the discussion etiquette in our industry and especially on infosec-twitter. It really is the only way that all of us can move forward.

Thank you for taking the time to read this post.