Interview with Rain Forest Puppy
May 1, 2007
Antonio `s4tan` Parata, software security researcher and member of the
ush team, interviews Rain Forest Puppy, famous bug hunter specialized in
web application assessment. It's a pleasure for us to publish the full
interview; in this case, talk is not cheap.
Antonio "s4tan" Parata (ap): Hi Rain Forest Puppy, many thanks for this
interview. You are considered one of the fathers of web security and the
inventor of the SQL injection attack. Anyway, in the year 2003 you
decided to publicly retire from the security field (for more info see
http://www.wiretrip.net/rfp/txt/evolution.txt). Can you briefly sum your
Rain Forest Puppy (rfp): My decision to retire from the public eye was
based on a lot of reasons; overall, the amount of resources & energy
required to release and maintain advisories and tools was just getting
to be too large. It wasn't fun anymore – and why pursue a hobby if you're
not enjoying it?
Plus, the security industry was becoming commercialized. Advisories and
exploits are now bought and sold; performing security research in the
first place can land you in legal waters. The intellectual value of the
security research performed has been reduced to a single severity
rating, which… if not high enough… causes the entire research to be
dismissed. I really enjoy security from the intellectual angle; to me,
it's all just a big mental challenge… a puzzle, if you will. So when the
creativity and intellectual aspect of it started to fade away, I decided
to go with it.
As for being the "father of web security", there were many people
working on web security prior to me (for example, see Lincoln Stein's
classic WWW Security FAQ). And I didn't invent SQL injection. I may have
been one of the first to publicly explain it in tutorial fashion, but it
existed for as long as SQL itself existed; it was just that few people
saw the security implications of it. But that may be because SQL wasn't
ubiquitous like it is today, so it had limited impact in limited
ap: Four years have elapsed and the web has changed radically. Phrack is
dead, the OWASP testing guide has risen, the web is filled with blogs and
the web 2.0 buzzword is on everybody's lips. How have your thoughts
changed in these years, and what do you think about today's security
world, the people who work in it, and researchers?
rfp: Well, the good news is that there is an increased awareness for the
need for security. That's a good thing. Even consumers are starting to
understand the need for personal firewalls and the need to be vigilant
The flip side of that awareness is that people now care when they have
security – or more importantly, when they don't. Combined with the
litigious society we've become, and now you have the very real threat of
someone pursuing legal action against you for informing them they have a
security problem. Now that security can be linked to tangible dollar
losses, and security regulation violations can have drastic impacts,
I've witnessed first-hand companies who felt it better to be in the dark
and cover up any signs of security issues rather than having those
security problems disclosed and thus being forced to deal with it. It's
the Enron approach to security.
But, like I said in my Evolution essay (a.k.a. rant), security is now a
big-time commercial business. There's money to be made in having it,
improving it, breaking it, exploiting it, etc. That's probably the
biggest change. Although, I suppose I'm part of the problem, having a
security-related day job. :)
ap: At the moment are you working for a security company or are you an
rfp: I work for a security company. In fact, at the beginning of this
year, I started working for a security software vendor. Prior to that, I
worked at the same small security services company for 7 years,
performing pen-tests, web app assessments, source code reviews, etc.
ap: What do you think about companies like gleg (http://www.gleg.net/)
or iDefense (http://labs.idefense.com/), parties that make part of their
profits from selling 0day exploits?
rfp: Well, I have mixed feelings. Part of it is how you frame it too…
saying iDefense and 3Com sell 0day is only half right. Sure, they inform
people of those 0day problems. But, they also handle the overhead of
dealing with the vendor, coordinating advisories, etc. All that stuff
takes time and resources, and can be particularly frustrating if you
happen to deal with a vendor who doesn't understand the security
disclosure process (see my previous answer about Enron-style security
silliness). So, being someone who likes to find bugs, and wants to do
the right thing (i.e. inform the vendor) but doesn't necessarily like
the hassle of dealing with the vendor, iDefense & 3Com seem to be a
win-win situation: they deal with the vendor, and you get paid for your
research time (and the dwindling of low-hanging fruit and increased
complexity means more research/time is required for each bug).
Part of my answer to this question ties into the next question…
ap: You are the creator of rfpolicy
(http://www.wiretrip.net/rfp/policy.html), globally recognized as the
policy to follow for vulnerability disclosure. What do you think
about mailing lists that practice full disclosure like FD
rfp: In the end, it all comes down to the motive of the researcher:
* Trying to make the world a more secure place
* Trying to make a buck
* Trying to impress their friends/peers
Each of those has its own response. If you're truly trying to make the
world a safer place, then the only way to do that is to pursue a fix
(and that typically means dealing with the vendor/author); if, for some
reason, the discussions with the vendor are going horribly and you've
exhausted all other options, then full disclosure to the public is a
last-ditch effort to at least get the warning out.
If you're trying to make a buck, well, sell it to the highest bidder.
There's been a lot of media reporting in the last 6 months about 0day
black markets, and iDefense/3Com occasionally hold specials where you
get paid extra for certain types of vulns (remote Vista bugs in
If you're trying to impress your friends/peers, then just run straight
to the disclosure lists/venues. You'll have your five minutes of fame
until the next bug comes out. Hopefully though, you won't pursue a
security job down the road with a company who has negative feelings
towards full disclosure… your efforts to build your cred and impress
your friends now may backfire later when you look to start doing it
professionally. Remember, the Internet archives everything these days…
What probably bugs me the most is that a lot of people have the "trying
to make the world a more secure place" facade, even though that's not
really their true intention. I call it the "Ms. America 'World Peace'"
phenomenon, after all the pageant contestants who say they want world
peace because that's what they're supposed to want in this age of
political correctness. If a researcher truly wants to make the world a
more secure place, then they need to attempt to get a solution to
their problem, and that usually means making some attempt to work with
The moral to my long-winded answer: full disclosure is a tool, not a
solution. Use it wisely, and where appropriate. If you truly want to be
part of the 'security solution', then offer a (realistic) solution when
you have a problem to disclose. Be responsible. We control our own fate:
if we run around like Internet Anarchists, then laws and regulations are
going to tighten and make things more difficult. If we act responsibly,
we may be able to continue with what we're doing as-is.
But you can't have it both ways.
ap: What policy should apply in the case of public-site vulnerability
research? Should the researcher avoid it completely, apply the rfpolicy,
or is the full-disclosure way viable too?
rfp: Funny, because I was just mulling this over recently. It's one
thing to have a security problem in something you control, such as a
device or a piece of software installed locally. There's the potential
for you to enact a workaround or introduce another mitigating control.
Public websites are another matter. The only one who can fix the problem
is typically the web site. There's no mitigating strategy users can
usually do other than forego use of the site. You think everyone is
going to cease to use MySpace because they have an XSS hole? No way.
So thinking that it's better to tell the world about a security problem
in a public site than to tell the site owners is being part of the
problem, and not the solution. Again, full disclosure is a tool, and is
a worst-case/last-ditch scenario after all else fails.
ap: You are the author of the libwhisker library
(http://www.wiretrip.net/rfp/lw.asp), widely used to create assessment
Perl scripts. What do you think about today's products related to web
application assessment? What about some open source software (like
parosproxy or nessus) that changed to closed source?
rfp: I have to choose my words carefully, because I very recently
started working for a security software vendor. :)
Having had open source projects, I will say this: it is very hard to
bootstrap a development community, and achieve the same level of polish,
quality (as in QA), and implementation thoroughness as a commercial
product. This isn't necessarily because commercial software vendors are
better coders; the dynamics are just different.
Open source coders are usually working on their own donated time. That
means contributions are often catch-can and best-effort. Open source
projects (when not sponsored by a commercial entity) are typically
limited in resources (with time being the critical one).
Commercial companies, on the other hand, don't necessarily have a
constraint on resources and time, because they can be bought. And they
are bought with the money used to purchase the software. However,
because the software is purchased, they have the additional obligation
of making sure it satisfies the user and the user's experience. That
usually means better UIs and usability, full feature sets, and
thoroughly implemented features with all the bells and whistles a normal
user would expect for that type of product.
If anything, I would say the bar is set higher for commercial products,
because purchased software has certain additional expectations and
obligations to live up to. If you grab a free suite of open source
software, and something in it is broken or it doesn't implement some
basic functionality which you deem fundamentally necessary… well, your
only recourse is to submit a bug report or feature request. It's free,
and because of that, there's not necessarily an obligation to satisfy
you as a user. But if a commercial software package is broken, or it's
missing something fundamental, you can ask for your money back, or make
a request to the vendor to fix it with a reasonable expectation that
they will. If they don=E2=80=99t, you have recourse with entities such as the
Better Business Bureau (in the US).
Given all of that, I have made a few observations on how open source
relates to commercial products:
* Commercial vendors don't draw from a different, exclusive pool of
uber-developers. Good, smart developers can exist on both sides of the
fence; in fact, often times they play both sides. So the concept that
commercial vendors magically have better coders that are more capable
of solving a problem or being innovative is a fallacy. An open source
project can be just as innovative as anything a commercial company
pushes out; the difference is that the commercial company can usually
push it out farther and wider.
* The really good/innovative open source projects often go on to either
form a commercial entity, or gain commercial sponsorship. This almost
makes open source a research incubator and proving ground for new
ideas (which, IMHO, is great). The good ones take off and develop into
large entities (Apache, Samba, MySQL, etc.) and the rest live out the
remainder of their lives on SourceForge. :) But once an open source
company gets commercial backing, there then becomes the requirement to
satisfy the conditions of that commercial backing… so the sponsorship
usually provides resources in exchange for better meeting the
obligations/expectations that come with traditional commercial
In that sense, sponsored open source sits on the fence between normal
open source and commercial software, probably getting the best (and
worst) of both worlds.
* I made indication of it in my previous answers, but despite open
source being free and best-effort, many users still hold it to a
commercial product expectation of quality, implementation
thoroughness, etc. This is where I think a lot of problems arise. Yes,
open source software should be as good (or better) than commercial
software, even though it is constrained by resources. But we all know
that's usually not the case… something as simple as a clean UI and
better documentation is all it takes to give something a
commercial-level appeal/feel. My personal experience with open source
is that these are the areas where they most often tend to lack.
So, going back to your original question about security tools: the
security industry is such a hot topic, that everything is in such a
state of flux, that it's hard to say. Established open source tools have
migrated to commercial backing (nmap, Nessus, ParosProxy, etc.).
There's a lot of tools which are the byproducts of commercial research,
and/or being used for marketing purposes (all the great Foundstone
tools, HTTPrint, etc.) Some of these have no identical/suitable
commercial counterpart. And yet there are many commercial tools which
don't have effective open source counterparts (I haven't seen a good
open source static source code analysis tool yet on par with Coverity,
Fortify, or Klocwork). There's no open-source equivalent for what
AppScan and WebInspect fully do.
In the end, I've developed my own personal approach. All I care about is
whether the tool works and/or gets the job done. I've spent so much
wasted time trying to get a screwdriver to do a hammer's job, and vice
versa. I really don't care if a tool is open source or commercial; I let
the job dictate the tool, and not the other way around. Of course, there
are certain artificial restrictions on this (like price limitations),
but in general, I think there are some things that currently only exist
in free & open source tools, and there are some things that currently
only exist in commercial tools.
So use both wisely and get the best of both worlds. :)
ap: What's your method to keep yourself updated on security news?
rfp: There's just too many sources of information these days to digest.
I have a very large RSS feed list I try to keep on top of, and I keep
tabs on a few traditional mailing lists. I find that, if something is
big enough, it will usually trickle down onto the security mail lists or
one of the popular security blogs, which tips me off and I do further
research on it from there.
So I suppose a good analogy is: rather than waiting to hear about stuff
from the horse's mouth (especially when there are many horses), I wait
to see what interesting things the manure handlers heard or found after
it passed through the horse. :) (note: I can neither confirm nor deny
the intentional comparing of manure to the information content on some
of today's blogs…)
ap: Which books have you read lately? Is there any book that has to be
rfp: I currently like "Developing More-Secure Microsoft ASP.NET 2.0
Applications" by Dominick Baier. Rather than being a 'security 101'
approach filled with lots of overhead most seasoned security
professionals already know, this book is almost like a collection of
technical tips and insights into little topics, all with security
relevance. I like to think it fills in the remaining small gaps that the
seasoned pros might have.
Nowadays though I really don't read books in the traditional
manner… there's just too many coming out. And to make matters worse,
they're expensive and often don't contain material that satisfies me. So I
use O'Reilly's Safari, which lets me search for specific topics across a
whole library, and just download PDFs of the chapters I need. It's more
efficient and cost-effective. Occasionally I'll check out the
bookstore's selection for books that aren't hosted by Safari, but Safari
has a good selection overall.
ap: Is your life style Infosec related even in your spare time or do you
have extra IT&C hobbies?
rfp: A lot of things have changed since I faded out of the public eye in
2003. At the height of my 'RFP days', I was a bachelor spending all day
doing security work, and then all night doing security
research… sometimes not even sleeping. Now I have a family, and I give
all my spare time to them; so my security-related pursuits tend to be
limited to just work-hours, with the occasional evening or weekend for a
special security project.
ap: Will the Infosec community have a chance to see you back to the
scenes like in the past?
rfp: Well, there are two ways to look at that question. When you consider
the qualifier "like in the past", then no. Don't expect wiretrip.net to
start spewing out new advisories or tools. But will the Infosec
community see me involved in it? Sure. Actually, I never left. I still
post to the security venues, I still publish, I still work with vendors
to get things fixed, etc. I would say I'm still very active in the
security community – but in a way that has nothing to do with the name
ap: Thanks rfp for the interview!
rfp: Thanks for the thought-provoking questions!