Comments on: Humble Helps

By: Michael Hamilton

Michael Hamilton — Fri, 25 Jun 2010 03:39:21 +0000

Excellent post. I agree completely that consulting skills are important during a negotiation on something so sensitive as vulnerability disclosure. I would note that the product vendor also has something to learn here.

– mkh

By: Daniel

Daniel — Sun, 20 Jun 2010 00:35:00 +0000

The latest version of OpenCart 1.4.8 does not have a problem with CSRF attacks. It is very secure.

By: Senta

Senta — Tue, 01 Jun 2010 21:21:39 +0000

I found this blog post very thoughtful, and very wise. And for the record, I thought along the same lines as Norbert did.

Patrick: I think the approach you (& Norbert) outlined will help more people in the end. And to me, that’s what’s important.

By: Norbert Griffin

Norbert Griffin — Tue, 25 May 2010 11:43:05 +0000

Hi Patrick

I can’t help but think about the Dale Carnegie book “How to win friends and influence”.

If Ben’s goal was to get the CSRF issue, fixed then really he needs to change his approach. Each one of the 12 items below can apply.

Twelve Ways to Win People to Your Way of Thinking
1. Avoid arguments.
2. Show respect for the other person’s opinions. Never tell someone they are wrong.
3. If you’re wrong, admit it quickly and emphatically.
4. Begin in a friendly way.
5. Start with questions the other person will answer yes to.
6. Let the other person do the talking.
7. Let the other person feel the idea is his/hers.
8. Try honestly to see things from the other person’s point of view.
9. Sympathize with the other person.
10. Appeal to noble motives.
11. Dramatize your ideas.
12. Throw down a challenge & don’t talk negative when the person is absent, talk about only positive.

So much of what we do as security professional requires this. I’m sure the majority of technical people feel their systems are secure. Who wants to admit they don’t understand what they are doing? Who wants to be told they screwed up? There is a better way.

We have to be influential in our approach. Showing respect and being friendly are always important.

Good work on the article

Cheers,
Norbert Griffin

By: Patrick Thomas

Patrick Thomas — Mon, 24 May 2010 18:16:08 +0000

Hi All,

Thanks for commenting. Yes, I’m with you guys; I think Ben did a good thing, and actually did go above and beyond (further than I’d probably have gone before authoring this post). With the post I was just trying to think about how far beyond one would have to go to get through to the truly truculent.

Ali,
Yup; public disclosure always has to be on the table in our minds, but there’s no need to whip it out in the first email.

Rafal,
The patch-breaking behavior just does it for me: that’s beyond ridiculous, though it does show that ego is in play I think that probably vindicates Ben that nothing would have made the difference, but my post was a bit of a thought experiment anyway.

CG,
Yes! OWASP FTW! Though, I did note that the countermeasures discussion on the CSRF page is java-centric. The ideas are of course portable, but maybe the page should make that clear. (http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet)

Good to see some new faces!

Cheers,
~PST

By: Psychology of "Secure Code" - Following the White Rabbit - A Practical Security Blog -

Mon, 24 May 2010 15:08:29 +0000

[...] Recently I've seen a few good posts out there that reminded me just how and why this is such a difficult battle. The matter of the [...]

By: CG

CG — Mon, 24 May 2010 13:10:08 +0000

i agree with having tact and being cognizant of others feelings (especially developers–it is their baby you are beating up on). BUT if you sell a product and have customers especially when processing payments is involved the developer may need to swallow some pride when confronted with a security issue, you owe it to your customers who paid for your product.

Daniel should be happy that Ben even sent him an email about the problem before going public or blogging on it. The lack of knowledge about basic web attacks also means that the opencart team should probably spend some time on the OWASP site.

By: Rafal Los

Rafal Los — Mon, 24 May 2010 13:08:48 +0000

Interesting perspective … I do see both sides of it . The escalation into the 5-year-old playground mentality when the developer (purposely?) breaks the patch is just stupid though. I’m not sure I could believe attributing that to the early offensive take by Ben.

Sad.

/Raf

By: 0xAli

0xAli — Mon, 24 May 2010 12:38:36 +0000

It’s not only OpenCart, even “big” some vendors *cough* microsoft *cough* ignore some reports and such.
And IMHO the only way to deal with security-by-obscurity vendors is publishing vulnerabilities [after a note/letter/email].

Ben went very very far, i don’t think i’d go like that

-0xAli

By: Tweets that mention Coffee To Code » Blog Archive » Humble Helps -- Topsy.com

Tweets that mention Coffee To Code » Blog Archive » Humble Helps -- Topsy.com — Mon, 24 May 2010 06:58:36 +0000

[...] This post was mentioned on Twitter by Roer.com – the Blog!, kakroo. kakroo said: Humble Helps http://bit.ly/aqY9Wc #Security [...]