I told Joshua Aaron, developer of ICEBlock, that he was running a vulnerable version of Apache on his server.
-
@micahflee Can you clarify whether you have any reason to believe it's actually vulnerable to anything? Most of those vulns only affect wacky configurations, commercial hosting environments where the customers are untrusted and may be running malicious serverside code, and particular types of web application stuff (vs static content).
Personally I tend to look unkindly on vuln reporters who assert that something of mine is vulnerable based on some checklist for the version they find running rather than actual analysis.
They definitely do not have any reason and this is a bad-faith post for clicks. If you read the post they did zero followup work to confirm any vulnerability and just spent all their time instead complaining about being ignored. Instead of doing anything constructive, this person just bullied a stranger based entirely on a scan banner.
We have this automated where I work; it's called Nessus, and everyone hates it, because like this person, it lacks context, doesn't understand the things it alerts on, and we'd be better off without it.
CC: @micahflee@infosec.exchange
-
@micahflee @khm I didn't see any legitimately critical CVEs there.
-
not to mention the fact, as mentioned, it's not possible to ascertain which CVEs apply based on an arbitrary version string or nmap fingerprint. now this jerk is victim-blaming the person who was bullied into reinstalling software because some clout-chasing beancounter needed something to tiktok into a camera about.
like of course this dude had to do something, he had some twerp with a basement full of followers shit-talking him with zero evidence and then shit-talking him again for correctly blocking an ignorant gadfly.
this whole thing is an embarrassment and it's the worst kind of pedantic bullshit "cybersecurity" that helps nobody but a self-aggrandizing parasite.
CC: @micahflee@infosec.exchange
-
Just to be clear:
1) You think he should've conducted an unauthorized pen test against the server to confirm the vulnerability?
2) You think "You seem to be running Apache httpd 2.4.57 [...] this version of Apache has multiple critical CVEs which could take over your server" is "bullying"?
3) You think an enterprise would be better off not using a tool like Nessus to alert on potential vulnerabilities that should be reviewed?
lol. "supercomputing engineer" lmao
-
1. Nobody said that. My assertion is this dipshit didn't have sufficient evidence for anything more than an email worrying about the Apache version. Once. Not a series of histrionic blog posts about it.
2. Nobody said that. It was the rest of the behavior that constituted bullying. You're going to have to come up with a better approach than "inaccurately summarizing my arguments" to get anywhere here.
3. Yes, I do, because Nessus as deployed at many agencies is a box-checking exercise used in place of proper security engineering. I can provide dozens of real-world examples of poorly-configured Nessus scans doing more harm than good, but I don't think you're making a good-faith argument here, so it's probably not worth my time.
lol. "easily verifiable claims" lmao
CC: @dalias@hachyderm.io @micahflee@infosec.exchange
-
just for shits and giggles, I'll give a sterling example regarding this kind of bullshit being problematic in an actual working environment.
normally, when one purchases a RHEL license, you purchase a license for the major version. You're expected to roll along from e.g. 9.2 -> 9.3 etc. However, for precisely-engineered things like supercomputers, this is not a good idea, because it subjects you to performance regressions that aren't tested for in the mainline distro. Red Hat's solution to this is to offer "EUS" licenses -- extended update support. This means you can stick on e.g. 9.2 far longer than the normal contract, because Red Hat does the work backporting security patches. What doesn't change is the upstream version numbers tagged on the packages.
For an inexcusably long time, Nessus didn't support this unless you had a full-time person on the backend identifying the package versions (including release and/or build versions), which almost nobody does.
The result? You follow all the STIGs, you've got vendor security support, your node bringup health-check runs POC code to confirm known vulns are covered, and you still get angry emails with six hundred false positives from whatever peabrain is lazily running the Nessus scan. Now, instead of doing actual administration, you have to write memos, rehashing the arguments you made last time, because the kind of "security engineer" who hits the panic button behind some bullshit lasts about six months on the job, but the badly-configured Nessus deployment outlives them to be run by the next box-checker to warm that seat.
This is exactly the same scenario. Some low-information box-checker gets angry because nobody listens to their baseless whining. The only difference is it's happening on some asshole's blog instead of in an Outlook thread with everyone's managers CCed.
CC: @jazzhandmedowns@mastodon.sdf.org @dalias@hachyderm.io @micahflee@infosec.exchange
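The EUS point above (and the earlier objection that a bare version string cannot tell you which CVEs apply) can be made concrete. The following is an added example, not code from anyone in this thread: it parses an RPM NEVRA, compares version-release with a simplified rpmvercmp, and contrasts what a banner-only scanner concludes with what the installed package's release actually says. The advisory label, the upstream fix version, and the backport release (`5.el9_2.1`) are constructed placeholders, not real Red Hat data.

```python
"""Banner-based vulnerability flagging vs. package version-release checking.

Added example (constructed data). Illustrates why a distro that backports
fixes keeps the upstream version (2.4.57) while bumping only the release.
"""
import re
from typing import List, NamedTuple, Tuple, Union

Segment = Union[int, str]

# name-[epoch:]version-release.arch, e.g. httpd-2.4.57-8.el9_2.1.x86_64
NEVRA_RE = re.compile(
    r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


class Nevra(NamedTuple):
    name: str
    epoch: int
    version: str
    release: str
    arch: str


def parse_nevra(s: str) -> Nevra:
    m = NEVRA_RE.match(s)
    if not m:
        raise ValueError(f"not a NEVRA string: {s!r}")
    return Nevra(m["name"], int(m["epoch"] or 0), m["version"], m["release"], m["arch"])


def _segments(s: str) -> List[Segment]:
    # Split into numeric and alphabetic runs; separators (., _, -) are ignored.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: returns -1, 0 or 1 (ignores tilde/caret rules)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):  # numeric segment sorts after alphabetic
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(a: Tuple[str, str], b: Tuple[str, str]) -> int:
    """Compare (version, release) pairs the way rpm does: version first, then release."""
    c = rpm_vercmp(a[0], b[0])
    return c if c else rpm_vercmp(a[1], b[1])


# --- constructed placeholder advisory data (not a real CVE or errata) ---
ADVISORY = "CVE-XXXX-YYYY (placeholder)"
FIX_UPSTREAM = "2.4.58"               # hypothetical upstream version carrying the fix
FIX_EUS = ("2.4.57", "5.el9_2.1")     # hypothetical backport: same version, newer release


def banner_flags_vulnerable(banner: str, fixed_upstream: str = FIX_UPSTREAM) -> bool:
    """What a version-string scanner does: flag if Apache/x.y.z < upstream fix version."""
    m = re.search(r"Apache/(\d+(?:\.\d+)*)", banner)
    if not m:
        return False  # no version in banner: nothing to compare against
    return rpm_vercmp(m.group(1), fixed_upstream) < 0


def package_is_fixed(nevra: str, fixed_vr: Tuple[str, str] = FIX_EUS) -> bool:
    """What the package manager knows: installed version-release >= fixed version-release."""
    n = parse_nevra(nevra)
    return compare_vr((n.version, n.release), fixed_vr) >= 0


if __name__ == "__main__":
    banner = "Server: Apache/2.4.57 (Red Hat Enterprise Linux)"   # constructed
    print(ADVISORY, "banner check flags vulnerable:", banner_flags_vulnerable(banner))
    for pkg in ("httpd-2.4.57-8.el9_2.1.x86_64", "httpd-2.4.57-3.el9.x86_64"):
        print(pkg, "fixed per package release:", package_is_fixed(pkg))
```

The banner check flags both hosts identically because it only sees `2.4.57`; the release comparison separates the host that received the backport from the one that did not. A scanner that cannot see the release field (via `rpm -q`, an agent, or vendor OVAL data) has no basis for deciding between the two.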
-
You criticized Micah for having done "zero followup work to confirm any vulnerability" but by what means are you suggesting he do so?
This isn't the agency you work for; it's some rando's app. Sure, it's POSSIBLE that his Apache had a backported patch, but it's JUST AS POSSIBLE that he doesn't know how to secure his shit.
You're assuming it's the former because you're projecting frustrations from your JOB onto a wholly unrelated scenario—that's some sadfuck shit!
-
I'm not suggesting any means by which he follow up, because it's not his fucking place to follow up. That's why I said what I said -- the shit he found warranted one friendly email and no more. The complete lack of information about the operating environment possessed by Captain Blogsalot is a Very Large Signpost that this rando is not the person to publicly pillory some other rando. That's my entire point! It doesn't even matter who is right, because there is nothing here to be right about.
I'm assuming it's the former because I have no reason to believe it's the latter. What you're deriding as "frustrations from my JOB" is what is known in the industry as "professional experience," which is the arcane lore that you asked about and which allows me to recognize when some blogger fuck is sticking his nose where it is not helpful. I hope this context brings you peace.
CC: @dalias@hachyderm.io @micahflee@infosec.exchange
-
So your initial criticism was that he "did zero followup work to confirm any vulnerability"
but now you're saying "it's not his fucking place to follow up"?
Which one is it?
Given your anger management issues and winning personality, it's becoming clearer that the security engineers at your agency are using nessus scans just to bust your balls, lol
-
My initial criticism was "zero followup work," thus rendering the blog posts baseless fearmongering, and now I'm saying it's not his place to follow up, which is consistent because the blog posts are a bad idea which should not have been posted to begin with.
Not sure why this is confusing for you, but given that you think you can read emotions through social media posts, I'm sure a lot of things are confusing for you
CC: @dalias@hachyderm.io @micahflee@infosec.exchange
-
counterpoint: don't assume malice for what can be explained by ignorance.
-
Oh dear, you're unable to read emotions through social media posts?
And you think that's the normal experience of most people?
There's something you really need to know about yourself, but honestly, I shouldn't be the one to tell you.
-
I presume the deflection indicates I've got through to you and you finally understand my argument. Glad we got there in the end!
CC: @dalias@hachyderm.io @micahflee@infosec.exchange
-
in a world with unfettered access to massive stores of knowledge, most ignorance is malicious
CC: @dalias@hachyderm.io @micahflee@infosec.exchange