Friday, August 10, 2007

Putting up, then shutting up

It appears Billy Hoffman is at it again, trying to start trouble about something that isn’t there. Billy claims that RSnake and I stole Ed Felton's work (from 2000), Timing Attacks on Web Privacy (browser history stealing), because we used a “timing attack” in our Black Hat presentation to do browser port scanning without JavaScript. We’re then accused of either willingly omitting Felton’s work of failing to do proper research on the topic up front. Finally Billy confronts us, well RSnake, to “Put up or shut up", because he was ousted for copying our last years research on JavaScript port scanning.

Before putting up, admittedly over the last 7 years I’ve occasionally released stuff that others had previously published, which I had not known about. This is common for web security researchers due to the number of vast number of unresolved attack techniques, papers, and the liberal use of obscure terminology. CSRF for example, how many “novel” papers and names have their been over the years? When incidents are brought to my attention I’ve had no problem backtracking and quickly updating everything to cite the earlier work as the original source. Often people help out in the blog comments. In my experience, so has RSnake.

Back to Felton’s paper: This was not the first text introducing “timing attacks”. I don’t know what was, but I did find “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems.” published 4 years prior to Felton's. Felton’s paper also doesn’t cite any other timing attack paper, nor did it need to in my opinion. So to my mind RSnake and I would not be compelled to reference Felton’s paper because our browser port scanning technique used a completely different kind of timing attack and also had nothing to do with browser history stealing. And, we made NO claim to invent timing attacks in general. Sheesh, so much drama.


mh said...

-sigh- somehow i feel like we sparked this one off :(

Jeremiah Grossman said...

I don't see how. BTW, loved your paper, I plan to blog it.

Anonymous said...

I've written about and tested for timing-based attacks on the web for years, completely different to Jer's, Rsnake's, and Felton's. Most recently was some notes on this in the HEWA 2nd Edition book, which Rsnake blogged about.

I've never read Felton's papers. I got the *original* ideas I experimented with from something David Litchfield told me he was doing in a completely different direction /years/ ago. And I've told everyone that asked that I credit David L for stimulating the thoughts in that direction.

Later someone blasted me for copying and failing to credit work done IN THE 1970's on timing-based attacks against UNIX systems. Yikes! I don't even /remember/ what the web apps back then /looked like/.

So if 'tis true: that I too am guilty of ignorance and lack of due-dilligence... that does not change the fact that this latest BH 2.0 thread is simply silly and sad.

Anonymous said...

He just keeps pissing people for no reasons. He's definitelly not the one who should accuse people of taking credit for work they didn't do.

Anonymous said...

He's a wanker, and this comes from a WebInspect user.

I saw the BlackHat presentation and read the XSS book - content's clearly different from Felton's paper.

I wouldn't be suprised he if attacked Sensepost's timing attack presentation - after all, they discuss how timing attacks apply to web security..