Bermudan coins and Coke machines
Day One of the Software Security Summit kicked off with a keynote from Herbert “Hugh” Thompson, chief security strategist at People Security, and one of the most innovative (and funny) people in our industry. He told a great story which I think illustrates the nature of security vulnerabilities — and the people who find them.
Back when he was a student in his native Bermuda, Hugh said, his high school got a shipment of used U.S. Coke machines. They were set up to give you a nice cold soda in exchange for four U.S. quarters. That wasn’t a problem, because U.S. coins are pretty common in Bermuda, due to the tourist trade, and because the Bermuda dollar is kept at parity with the U.S. dollar.
Hugh reported that one day, he and his high-school buddies discovered that the odd-shaped Bermudan ten-cent coin would trick the Coke machine, whose weight-and-diameter test thought that it was a U.S. quarter. After getting lots of sodas at a discount, one of the students learned that if you put in four Bermudan ten-cent pieces and pressed the “coin return” button, the poor machine would give you back four U.S. quarters. Not bad!
What to do about it? Hugh described three of his friends, who represented the three ways that attackers or security researchers can respond to the discovery of a vulnerability:
• Responsible disclosure: “Let’s go tell the school administrators, so they can fix the problem before anyone else finds out.”
• Full disclosure: “Let’s tell everyone, although some folks might exploit this bug before it’s fixed.”
• No disclosure: “Let’s get some Bermudan coins and go make some easy money!”
It’s that third type, of course, who are really scary.
It’s important to remember, Hugh said, that most sane, rational hackers want something – and hacking is just their way to get it.
Hugh also talked about the nature of the vulnerability. Was the Coke machine broken or defective? No: it took coins and gave you cold sodas. However, the algorithm used to authenticate the user’s credentials (the coins) was flawed, because the check used to validate U.S. coins didn’t do a good job.
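The design lesson in that paragraph, as an added example in Python (not code from the keynote or this post): a validator that accepts any coin inside a loose weight-and-diameter tolerance, a coin-return path that pays change out of the shared hopper, and a hardened variant that checks a further attribute and refunds only what was actually inserted. The Bermudian coin’s measurements and the `alloy` field are constructed stand-ins, not real mint data.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Coin:
    name: str
    weight_g: float
    diameter_mm: float
    alloy: str  # stand-in for the electromagnetic signature real validators measure

# Constructed sample coins: the quarter's weight and diameter are the real mint
# figures; the Bermudian ten-cent values are made up to land inside the tolerance.
US_QUARTER = Coin("US quarter", 5.67, 24.26, "cupronickel-clad")
BDA_TEN_CENT = Coin("Bermuda 10c", 5.60, 24.10, "cupronickel")
def looks_like_quarter(coin):
    """The weak check from the story: weight and diameter within a loose tolerance."""
    return (abs(coin.weight_g - US_QUARTER.weight_g) <= 0.2
            and abs(coin.diameter_mm - US_QUARTER.diameter_mm) <= 0.5)

class WeakMachine:
    """Credits 25c per accepted coin and refunds from a shared hopper of real quarters."""
    def __init__(self, hopper_quarters=20):
        self.hopper = [US_QUARTER] * hopper_quarters
        self.credit = 0
    def insert(self, coin):
        if not looks_like_quarter(coin):
            return False
        self.hopper.append(coin)  # foreign coin mixes into the change supply
        self.credit += 25
        return True
    def coin_return(self):
        refund = []
        while self.credit >= 25 and self.hopper:
            refund.append(self.hopper.pop(0))  # oldest coins first: genuine quarters
            self.credit -= 25
        return refund

class EscrowMachine(WeakMachine):
    """Hardened: stricter validation and a refund that returns exactly what was inserted."""
    def __init__(self, hopper_quarters=20):
        super().__init__(hopper_quarters)
        self.escrow = []
    def insert(self, coin):
        if not (looks_like_quarter(coin) and coin.alloy == US_QUARTER.alloy):
            return False
        self.escrow.append(coin)  # held apart from the hopper until the sale completes
        self.credit += 25
        return True
    def coin_return(self):
        refund, self.escrow, self.credit = self.escrow, [], 0
        return refund
```

Four ten-cent pieces into `WeakMachine` followed by `coin_return()` come back as four genuine quarters; `EscrowMachine` rejects the foreign coin outright, and even a coin that passed would only ever be refunded as itself.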
Hugh gave a solid and entertaining keynote – thanks for launching the conference!
Some people would argue that you should go the so-called responsible disclosure route. However, if you believe that the vulnerability might already be known to other people (who might be exploiting it), or if you don’t believe that the bug will be addressed in a timely manner by the administrators, then full disclosure brings the most pressure to bear on the problem, and might get it fixed more quickly.