Why it sucks to be a Security Researcher

Because you don’t make a difference.

You audit some code, search for a logical bug, try to find an unexpected behavior of some functionality that could be exploited in certain scenarios, and then you find it. That’s the good and fun part of the job.

But then comes the bad and the ugly part: nobody cares

All bugs are different, but if it’s not as simple and dangerous as eval(params[:code]) you will have trouble explaining what the risks are and why they should fix it.

Unfortunately, insecure-by-default is not equal insecure for most developers. Instead, they choose to ignore you and claim “people should RTFM instead”. Some examples:

In Ruby there was no attempt to fix unexpected Regexp behavior that requires \A\z, rendering $^ useless. That led to critical injection in Mongo adapter for Ruby plus bunch of XSS here and there.

OAuth 2 had a strike of disastrously bad design and security decisions yet people still implement it, not much simpler and secure version, Sakurity OAuth. Some even still use it for authentication, and ignore researchers telling how bad this idea is.

Or how Mongo essentially implemented SQL injection again

Or how jQuery Mobile thinks open redirect is your own problem

Or how Rails has designed CSRF protection to be in the wrong controller that made dozens of libraries like doorkeeper or rails_admin vulnerable to CSRF.

etc etc etc. And I won’t even mention client side security, a complete circus over there, thankfully it’s all Low severity.

The Last Resort

As far as I know, the only way to fix a bad design is to demonstrate it. Meet mass assignment.

To deal with a response like this

There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.

you need an argument like this

https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57

That makes me think being a black hat is only way to quickly fix something in the world.

Another great example, @taviso — he found and responsibly reported a critical vulnerability like in every antivirus in the world, and how many people stopped using the snake oil product called Anti Virus after that, 5? How many AV vendors started caring about security? 0!

So what is this post about, again?

I don’t have a fulfilling career.

It sucks to explain something that’s obvious to me to an open source team that gets dozens of idiots with “IMPLEMENT THIS NOW!” requests every day. They are tired, but I’m tired too. I know I’m right in the long term.

If you’re lucky and someone from the team is security aware, they will try to make a breaking and inconvenient change for the sake of security. (But if they have such person, it would probably be more secure from very beginning?).

But normally your “opinion” doesn’t matter, you’re an outsider. Doing what you say won’t make them any money (or make more popular, if open source ) now (but will in long term future).

That’s very understandable, even products like Linux prioritize usability over security.

But I wholeheartedly believe you can and should have both, balanced. And that’s why I choose to stop chasing ever-growing number of vulnerabilities, because it’s no different from garbage collector’s job, and best way to get rid of garbage is to stop the litter.

Let’s break coding style (looks remotely insecure == insecure from now on), break standards, break ways browsers talk to servers, fix how we run random unverified software/dependencies on our computers, kill disgusting stone-age of passwords (that’s what I plan to start with)… let’s stop chasing bugs and change what’s underlying.

Recap

  1. security people are ignored, or even threatened. Our research on something long-term / our design recommendations don’t make any difference.
  2. exploitation in the wild is the best possible way to fix a problem in a timely fashion.
  3. I am now 100% focused on stopping the litter, not on collecting it.

Disclaimer 1. By Blackhat I never mean acting maliciously. No, you shouldn’t start install your ransomware all over the place, just make your point clearly and in non-destructive way. And anonymously, of course (tor, whonix, vps, bitcoin). Use it only as your last resort.

Disclaimer 2. Rails team is great, never blaming them. But communicating with them has been hit or miss for me.

Disclaimer 3. The title that this job absolutely sucks is an exaggeration. It pays ok and you get to meet awesome people. I love security community, love criticizing things on Twitter, we are on the same page. But let’s find a way to make people care not about the finger but about where the finger is pointing, before it’s too late.