Brand-name software bugs with flashy public relations campaigns are commonplace since the Heartbleed vulnerability was announced in 2014 with a media-friendly name, logo, and web site.

But another bug is on the horizon that is setting a new bar for brand-name bug disclosures. It’s called Badlock and it’s already receiving a lot of controversial attention, even though the exact nature of the bug—and most importantly, the patches to fix it—won’t be disclosed for another three weeks.

The bug affects unknown versions of the Windows operating system and Samba, free open-source software that integrates Linux or Unix servers and Windows computers across a network. A pre-patch marketing campaign about the security hole includes a web site and logo that SerNet, the German company behind the bug discovery, says is meant to inform system administrators that patches are coming April 12 so they can prepare to update systems that day.

“Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date,” SerNet warned on its Badlock web site this week. “Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.”

But the campaign has caused many in the information security community to criticize the company for hyping the issue for profit—and, worse, for putting people at risk. The pre-patch campaign effectively gives hackers about three weeks to determine what the flaw might be and develop exploits to attack it before Microsoft and the Samba developer team can release patches.

Not How the System Should Work

“The bug disclosure process here is not doing anyone any favors,” says Dan Kaminsky, noted security researcher and chief scientist at White Ops. “What’s the call to action [for system administrators] other than pay attention? Even when we complain about [other] bugs with logos and with media attention, yeah there’s annoyance, but the core reality is there’s a problem, here’s a fix, people should act. … What are people supposed to do [in this case] other than applaud… or guess the flaw?”

Brian Martin, director of vulnerability intelligence at Risk Based Security, called it “pure, unadulterated marketing” on the part of SerNet. “People will start contacting them [seeking information and protection], and it opens up sales channels left and right.”

But not everyone opposes the three-week warning.

“I think it makes sense to give … notice for a flaw this widespread, if it turns out to be critical… [i]n other words, widespread, easy to exploit, and high impact,” says Chris Wysopal, cofounder and CTO of Veracode.

It’s not unusual for researchers who discover a vulnerability to publicly disclose it before a patch is available; it’s also not unusual for security companies that offer detection and protection services to market their products and services before a patch is released to help protect customers until a security hole gets sealed.

But Kaminsky and Martin say this one is different because SerNet has released hints that could help hackers figure out the security hole quickly. There are also, Martin notes, questions about whether the SerNet worker who discovered the hole had a role in creating it.

All We Know About Badlock: It’s Good For Business

The bug was discovered by Samba developer Stefan Metzmacher, who has been writing code for Samba since at least 2002 and now works for SerNet, which specializes in Samba training and consultation.

Metzmacher’s name appears in 463 Samba source code files, created between 2002 and 2014, and several other people at SerNet were also developers of the Samba software. This is part of the company’s selling point for its services—it can claim that few people and companies know Samba as well as Metzmacher and its other employees do.

But if it turns out that the Badlock flaw Metzmacher found is in a part of the Samba code he or other SerNet workers actually wrote, he and SerNet could face even more criticism for marketing the discovery of a bug they helped create through flawed programming.

“It is certainly eye opening when someone develops a piece of software for over a decade, then finds a critical vulnerability in it a couple years after … and will most likely capitalize on it directly,” Martin wrote in his blog post.

Others have expressed a similar sentiment.

@wpawlikowski
1. Introduce bug
2. Discover your own vulnerability
3. ???
4. Profit

— Gabor (@gszathmari) March 22, 2016

SerNet CEO Johannes Loxen has acknowledged the bug’s marketing value for his company on Twitter.

@SteveD3 A serious bug gets attention and marketing for us and our open source business is a side effect of course. #whynot #winwin #badlock

— Johannes Loxen (@jloxen) March 23, 2016

A Challenge to Hackers

Little is known about the Badlock flaw other than it’s a “crucial security bug” in Windows and Samba, according to SerNet’s Badlock web site, and Loxen has hinted on Twitter that it can give an attacker administrative-level privileges on a local network. Wysopal explains that, with only that knowledge to go on, this could be anything from another Conficker worm, “which spread using flaws in Windows file-sharing” and hit more than 9 million machines, to nothing very serious at all. “We have seen other named vulnerabilities that were hyped that turned out to be hard to exploit and not widespread in reality so we will have to wait and see,” he said.

But simply knowing it affects Windows and Samba narrows the possibilities of what the bug might be, Martin says, making it easier for hackers to figure out. He and others suggest the flaw may be in what’s known as the SMB protocol, or Server Message Block protocol, which lets computers read and write files over a local network. Windows uses a specific implementation of the SMB protocol known as CIFS, or Common Internet File System.

“We know it is almost assuredly [a remote-code execution flaw], and likely has to do with the implementation of the SMB/CIFS protocol,” Martin wrote in a blog post on Wednesday.

The Badlock name also might provide hints about the nature of the bug.

“The name Badlock is likely based on a file or resource locking mechanism within the SMB implementation, and the code that controls it,” Martin wrote.

If this is the case, it won’t take long for hackers to find it, which worries Kaminsky.

“At minimum they shouldn’t have named the flaw,” he says. “Now you’ve got a lot of people looking at the locking subsystem in SMB and maybe people find this particular Badlock flaw, maybe they find others.” Whatever they find, he says, “there’s a 12-day period in which everyone is on notice: ‘Large bug here; no patch.’”

Kaminsky isn’t new to big-bug controversies. He discovered and helped coordinate a massive multi-vendor patch operation for a serious DNS flaw in 2008 that affected nearly every web site and was known as “the worst internet security hole since 1997.” But even though he publicly revealed the existence of the bug at a press conference, he withheld details about it to give DNS server owners time to patch their systems. He had planned to reveal details of the bug a month later during a presentation at the Black Hat security conference in Las Vegas. But two weeks after the press conference a security firm inadvertently released details online, which allowed someone to create an exploit before the day was out. Kaminsky says the circumstances around his bug were different than Badlock’s, however, since many systems were already patched in his case.

“I don’t pretend that I did it right,” he told WIRED. “But the thing I didn’t do wrong was have all sorts of hackers out after my bug.”

Kaminsky says one of the biggest concerns with Badlock is that other variants of the flaw might be found before patches can be released. “Every bug has a hundred variants … that would show up across other platforms,” Kaminsky says. Martin points out that if the flaw is in the SMB protocol and not just a specific implementation of it, it could affect other software that use or include support in them for SMB, such as versions of Mac OS X, FreeBSD and Solaris.

Kaminsky also worries that Microsoft and Samba may encounter problems that prevent them from releasing their patches on the designated day. “As they’re doing the final testing on this patch, they might discover something wrong and they have no flexibility to move the [patch release] day,” he says. “[A]ny patch that comes out must come out on this particular day, because it’s a situation that’s now on fire. How is this protecting users; how does this have anything to do with users?”

Critics of SerNet say it’s certainly user-friendly to them, and to one other element: hackers.

Go Back to Top. Skip To: Start of Article.

In the small town of Fredericton, Canada, a woman crosses a quiet intersection in front of a church cathedral. Unbeknownst to her, a nearby webcam catches her in the street, along with the red light behind her—evidence of her crime.

The webcam’s public feed, like thousands of others like it, is accessible to anyone who can find its URL with a Google search. At an art gallery thousands of miles away, a tiny Raspberry Pi computer is streaming the video to a monitor while it analyzes the footage with a simple computer vision algorithm. It instantly snitches, flashing, “WOULD YOU LIKE TO REPORT THE JAYWALKER?” on the screen. If you’re a visitor at this gallery, you’ll face a choice: hit a red button in front of the computer, and it will send a screenshot of the incident in an email to the nearest police precinct, potentially costing her a $42 fine. Or you can let the oblivious lawbreaker go on her way.

This demonstration of surveillance-turned-art, titled “Jaywalking,” presents the sort of uncomfortably easy privacy invasion that Dries Depoorter has made his trademark. The 25-year-old Belgian artist has a talent for assembling widely accessible images and video streams into exhibits that feel provocatively intrusive. And he hopes they’ll spark his audience to consider the very real possibilities of using public data to invade personal privacy—or at least what we once believed to be private. “You have a choice, to send the screenshot to the police or not,” says Depoorter. “I wanted the visitors to think. To
get the feeling of having this power.”

On Saturday, a retrospective show assembling years of Depoorter’s surveillance-themed works opens at the Z33 gallery in Hassert, Belgium. It won’t actually include the real-time, three-screen jaywalking feed that he’s displayed in past shows. Instead, he’s taking a softer approach, selling framed prints of jaywalkers whom his webcam monitoring software has detected—each one priced at the cost of a jaywalking fine in the place where it was taken. (“I liked the idea that the money goes to the artist rather than to the police,” he says.) But Depoorter’s first solo exhibition will also include a collection of previous spying experiments, from those performed on himself to one that surveils broad swaths of an American city in real time.

Depoorter’s installation called “Seattle Crime Cams” streams real-time video from publicly accessible, city-owned traffic cameras in Seattle to a wall of monitors. Though the city’s online cameras were meant to show only a single still image updated every minute, he says he found the full video file in the site’s code and was able to instead access the continuous stream. He’s paired those surveillance feeds with police and fire alerts and dispatch audio made available as part of Seattle’s Open Data program. And he’s synched that feed to the screen so that the videos show the closest camera to the location described in the audio for a disturbingly voyeuristic experience. Visitors can choose whether to view video feeds with the most alerts or the least. As in “Jaywalking,” they become an active participant in the surveillance act. “I found it pretty strange, that the police were sharing all this data,” he says. “I had to show what you can do with this… You see just how much surveillance there is.”

Here’s a video of “Seattle Crime Cams” in action:

In the “Seattle Crime Cams” piece, Depoorter argues, it’s not any single feed of public data that leads to a sense of intrusion, but combining the images with real-time emergency services reports. He points to the same notion of combining two sources of public data to produce a privacy violation in another, older piece he calls “Tinder In,” which matches a person’s Tinder photos and neatly frames them with the same individual’s LinkedIn profile photo. The effect of that controversial series is to show how internet users live double lives, each on display simultaneously to anyone who looks. One of those “Tinder In” pairs shows Depoorter himself in his work context and a Amsterdam vacation photo he shows potential dates.

In fact, Depoorter began his explorations of privacy by violating his own. In his first experiment as an art student at the KASK School of Art in Ghent in 2010, he recorded all his conversations and the sounds around him for a 24-hour period and posted them online and in a gallery installation. Some conversations with friends and family that he considered more sensitive, however, he made private, and instead posted links to sell the audio based on its privacy value to him. Later, he set up a piece of software to track his iPhone’s locations for a month and post Google Streetview images from those locations to a page on his website.

In his most masochistic project, he set up his computer to capture a full screenshot at a random time every day and post it to Twitter, and allowed a friend to change his Twitter password so he wouldn’t be able to delete any images. Since he never knew when the screenshot would come, his Macbook became his own personal panopticon. He stopped visiting NSFW sites, shrunk his chat windows with friends to show only a single line of conversation, and even ceased googling certain questions that might be embarrassing. “You don’t want other people to see your stupid Google search queries,” he says. “There was this feeling that there’s always someone watching. It’s not the NSA, but my friends and family.”

Depoorter is hesitant to spell out his motivations for these stunts, instead preferring that people see them online or in the context of his show and come to their own conclusions. But in experiments like “Seattle Crime Cams” and “Jaywalking,” which use real-world data, he admits that he does want to warn his audience about what’s possible, and to hint how such perfectly legal and public forms of privacy violation won’t always be limited to art. “The police can automatically detect you jaywalking. They have much more knowledge than me. They can link it to a database, and tomorrow they can make this all automatic. You jaywalk and tomorrow you pay a fee,” he says. “Is it ok that the police can automatically give fines for crossing a red light? These are the important questions.”

Go Back to Top. Skip To: Start of Article.