Let’s talk about vulnerability research for a moment
Vulnerability research is widely defined as identifying previously unknown security flaws (also known as “zero days”) in software products. Needless to say, this type of research can be challenging and, at times, have little to show for the amount of work put into it.
Vulnerability researchers sometimes spend days, weeks, or months trying to find vulnerabilities or bugs, and turn up empty-handed. Sometimes researchers will take to Twitter, or their social media platform of choice, as an outlet for their work frustrations or to rant about the software they’ve analyzed. Because of this, there have been some recent… rumblings in regard to how vulnerability researchers should conduct themselves in the public eye.
The claim is that vulnerability researchers bear a responsibility to not grumble about their work and just fix the problems. The concern is that the jokes, memes, and offhand comments connected to the software that has vulnerabilities could be taken out of context; basically, that they could be used as a justification by your average consumer to not use that software at all: ‘some cybersecurity bloke says they’re not secure, so I’m not using one.’
Allow me to introduce “Taviso”
Tavis Ormandy (aka “Taviso”), an extremely successful vulnerability researcher employed by Google as part of their Project Zero initiative, is a large part of why this blog post exists. If you’re not familiar with Project Zero, it’s an initiative that focuses on identifying zero day vulnerabilities and responsibly disclosing them to vendors, so that they may be fixed in a timely manner.
Anyway, Tavis has torn apart security products by a number of vendors: Sophos, ESET, Kaspersky, Avast, FireEye, AVG, Comodo, Malwarebytes, Avira, TrendMicro, Symantec, and McAfee. He found the vulnerabilities, made some snappy comments in the Project Zero bug tracker as well as on social media, the issues got fixed, and then the details got released. No harm, no foul. Nobody seemed to have a problem with it at the time. Maybe it was because most security researchers treat antivirus with disdain. After all, antivirus is dead, right?
Enter: The password manager bug situation
What’s interesting is that the TrendMicro vulnerability, mentioned in the paragraph above, piqued the interest of other security researchers. They specifically asked Taviso to have a look at password managers. So he did and, to nobody’s surprise, he found bugs.
The difference is, this time (for reasons that baffle me entirely) his reaction to finding password manager bugs was taken harshly. There was some considerable backlash about his lack of professionalism and how his statements could impact the adoption of password managers (note: I’m not going to bother linking to the discussion, because social media arguments are little more than the forum ‘flame wars’ of yesteryear. Besides, if you want to see it yourself, it’s not hard to find).
Password managers are applications that are used for keeping track of passwords for various websites, systems, and applications. They are seen as a more secure alternative to password re-use. Most even include password generators, where you can define a password length and character set, to allow the password manager to create a random password for you and add it to its database of managed credentials.
Usually, password managers utilize a single master password and/or other authentication factors for accessing the collection of stored credentials within. The convenience cannot be denied; however, it essentially promotes the concept of putting all of your eggs into one basket: you had better hope the basket doesn’t have any gaping holes in it…
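To make the generator description above concrete, here is an added example (not code from this post or from any particular password manager) of how such a generator should draw its characters: uniformly from the user-selected alphabet using the operating system’s CSPRNG, with the resulting entropy computed as length × log2(alphabet size). The `CHARSETS` table, function names and the symbol set are my own choices, and the seeded `weak_generate` is included only to show why a generator built on a general-purpose PRNG is predictable.

```python
import math
import random
import secrets
import string

# Character classes a generator typically lets the user pick from (my own choice of symbol set).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def build_alphabet(classes=ALL_CLASSES):
    """Join the selected classes into one alphabet, dropping duplicates so the entropy math is exact."""
    joined = "".join(CHARSETS[c] for c in classes)
    return "".join(dict.fromkeys(joined))  # order-preserving de-duplication


def entropy_bits(length, classes=ALL_CLASSES):
    """Entropy of a password chosen uniformly at random: length * log2(|alphabet|)."""
    return length * math.log2(len(build_alphabet(classes)))


def has_each_class(password, classes):
    """True if the password contains at least one character from every selected class."""
    return all(any(ch in CHARSETS[c] for ch in password) for c in classes)


def generate_password(length, classes=ALL_CLASSES, require_each=True):
    """Generate `length` characters drawn uniformly from the alphabet via the OS CSPRNG.

    With require_each=True, candidates missing a selected class are rejected and redrawn;
    rejection sampling keeps the result uniform over the passwords that satisfy the policy.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if require_each and length < len(classes):
        raise ValueError("length too short to include every selected class")
    alphabet = build_alphabet(classes)
    if len(alphabet) < 2:
        raise ValueError("alphabet too small")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or has_each_class(candidate, classes):
            return candidate


def weak_generate(length, seed, classes=ALL_CLASSES):
    """Anti-pattern for contrast: a Mersenne Twister seeded with something guessable
    (a timestamp, a counter) yields the same 'random' password for the same seed."""
    rng = random.Random(seed)
    alphabet = build_alphabet(classes)
    return "".join(rng.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20):.1f} bits")
    print("seeded twice:", weak_generate(12, 1234), weak_generate(12, 1234))
```

The contrast worth remembering is that `weak_generate` repeats itself for the same seed, so an attacker who can guess the seed (the time the button was clicked, say) can regenerate the password; `generate_password` has no seed to guess.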
Taviso was asked to look for holes, and he found them.