Friday, March 21, 2014

Together, we can make a difference

A couple of weeks back, I released a popular spreadsheet which lists many of the Adobe Flash Player 0-days used to harm people in the wild since 2010. I counted 18 and countless kind Twitterers pointed out some I may have missed. It was an interesting exercise, of course with an ulterior motive!

Looking beyond the raw counts, the spreadsheet shouts two items:
  • We should want to make a difference. The harm done from all these 0-days is just a litany of awfulness. We have harm to democracy activists and the human rights organizations that try to help these people. We have harm to American defense interests, aka. espionage. We have harm to corporations, aka. theft and economic damage.
  • We can make a difference! If you look at the data, you'll see 7 memory corruption 0-days in a year, starting mid-2010. After this year, Tavis Ormandy's famous Flash security rampage landed (80+ fixes), with follow-up patches such as 7 fixes here. Almost a year passes between Flash memory corruption 0-days after Tavis' work. You should call him a hero. (You should also call Mateusz Jurczyk, Gynvael Coldwind and Fermin Serna heroes too. They continued Tavis' work, have a look at the CVE count in this Adobe advisory to appreciate their work.)
Whilst it's true that Flash 0-days have seen a resurgence in Dec 2013 - Feb 2014, this does not invalidate the data that the whitehat community made a difference in 2010 - 2011 onwards. If anything, the data suggests that attackers have regrouped and refocused their research efforts to target areas that are still fertile. We can certainly do the same and put down this resurgence.

How you can help make a difference

Join us in the whitehat world. When you entered the greyhat world, they told you you'd be helping catch terrorists, didn't they? Recent and ongoing revelations show that no, in fact the biggest use of your work was enabling mass surveillance, the compromise of foreign nations and even the compromise of foreign corporations. If you want to make an actual difference, see above for where defensive help is needed.

Join us working on Flash and other important software. Many of us are working hard to provide reasonable avenues of reward for those who work on important software in the whitehat community. For example, the Internet Bug Bounty includes Flash as a category. For Flash vulnerabilities where exploitability is near-certain, we're rewarding up to $10,000 -- we have rewarded at this level three times already. We also anticipate $5,000 as a popular reward level for vulnerabilities that are likely exploitable but not proven. I previously blogged about $10,000 example here.

What are you waiting for? Join us and we'll make a difference. You'll get some good coin as a side-effect.