This was a rough weekend for Egor Homakov. Right now, some of you are questioning my framing of this weekend’s events as rough for Egor and not Github. After all, he went and violated Github’s ToS. There’s a tone of arrogance that rings through in his posts, but I suspect a portion of this can be attributed to his broken English. Recognition may be what motivated him to take the path he did (public disclosure), but I don’t mean to judge him. I can identify with Egor to some degree, because I’ve worn his shoes for about a year now.
Some time late last year, while working on a systems automation project, I discovered a DoS vulnerability in a fairly common piece of voice network hardware. This particular hardware is commonly used in telecommunications to provide voice interconnets between VoIP networks and legacy systems. There are thousands (maybe tens of thousands) sitting on public IP addresses. This particular vulnerability causes the gear in question to crash spectactularly, invoking a core dump and cold boot. The really nasty part is that the “exploit” doesn’t require any special skill. I’d say there’s a fairly high likelihood that someone else could stumble upon this, just like I did, provided they were using the same toolchain. Maybe they have.
I disclosed the vulnerability to the vendor in March of last year (2011). Last time I tested, the issue remains. I disclosed through a third-party that has a VAR relationship with the manufacturer, so I don’t have any direct insight in to their handling of the issue. There’s a small part of me that desires to make an example out of one, or the both, of them.
It makes me pretty angry. I have some idea of how many of these devices are out in the wild. They’re in use by some very large companies. Exploiting the vulnerability causes the device to become unavailable for 3-5 minutes at a time. An attacker would only need a handful of hosts to keep a device offline for a long while, even if the device operator actively blocked attacking hosts. Mitigating the attack would take some pretty significant retooling of the network configuration because of the service that is exploited. This is telecommunications hardware. Imagine taking down a large company’s entire call center for a couple of hours. How big of a check do you think they’d write to make you go away?
So here I sit, knowing that this problem exists, but worrying public disclosure could make me an outsider really quickly. Maybe Egor is just young and naive. Maybe he has guts. I don’t know him, so I can’t say, but I can tell you that knowing about a major security exploit is an uncomfortable position to be in. This is doubly so when you are ignored after disclosing it.
Before you judge him for the way he handled the situation, take a step back and make sure you understand which side of the table you’re sitting on.