Researcher for whom exploit code means freedom of speech

January 15, 2004

Georgi Guninski is a man who is respected on vulnerability mailing lists. The Bulgarian security expert - and this is one instance when the word can be safely used - has spread himself wide when it comes to security but all of his vulnerability posts merit attention.

From kernel bugs to browser holes, Guninski has found them all. His advisories are terse and to the point but cause a predictable degree of consternation when they are put out. His own favourite discovery is a race condition in the OpenBSD kernel.

While many formerly independent researchers are slowly going over to the corporates, and in the process losing their ability to freely reveal details about flaws in proprietary software, Guninski has kept the faith. Indeed, his advice to other researchers is precisely that: "Keep the faith."

He is passionate about full disclosure and the posting of exploit code; he feels this is often the only way to get software vendors to patch buggy programs.

There is logic behind his rationale. According to him, some vendors wait six months before issuing a patch when a flaw is reported to them. On the other hand, in one case an exploit was released in the wild without the bug it exploited having been reported to the vendor, military computers got broken into, and the same vendor issued a patch in double quick time.

Guninski is often accused of being a publicity seeker but dismisses such talk by saying that it is merely put out by companies "and their puppies" who do not like him. To his credit, he does not favour this side or that - his own site has a long list of the vulnerabilities he's found and be it in open source or proprietary software, he sticks to his principles of disclosing things in full.

To those who try to offer the excuse that software will always be buggy, Guninski has one piece of advice - go and get a job at McDonald's.

He was interviewed by email.

How did you come to be interested in computer security? Was it in the family or were you one of those little nerdy boys who's always dying to find out how things work?

Not the family. I have always had an unexplainable passion for computers. And I am more interested to find how things don't work or work in "strange" ways than to find out how just things work ;).

How is Bulgaria in terms of technology, compared to countries in the west?

There are talented people in Bulgaria, but the country is poor and people migrate.

What led to your first IT job?

Karma. See below.

From your CV, it looks like you are mostly a self-taught researcher. Is this right or was there some guru who guided you?

No one guided me. Sure, I have learned a lot from the internet. One of my favorite quotes is: "Education is an admirable thing. But it is well to remember from time to time that nothing that is worth knowing can be taught. - Oscar Wilde"

How come you didn't take up a career in finance or turn to teaching after studying international economic relations?

I have always been interested in computers, never been really interested in business or finance. Here is a joke quote from Terry Pratchett with some truth in it (translated from Bulgarian, don't remember the exact book). "From a conversation between two witches - 'You don't choose your profession, the profession chooses you'."

What was the first major vulnerability you discovered?

An AIX (Unix operating system by IBM) buffer overflow.

How long was it before you gained acceptance within the security community?

I can't answer this question, the community should answer.

Many people in the security industry accuse you of being a publicity seeker. What's your response?

This is false. I have not profited from publicity and I haven't sought publicity for a long time. Buggy software is out there and killing the messenger does not help anyone. Truth is, some companies and their puppies do not like me and they use false arguments to discredit me. I will enjoy posting from (an) anonymous account as much as I do now and if the time comes I'll do it.

What is your stand on the release of exploit code on mailing lists?

Exploit code should be released if the author wants. I consider exploit code "freedom of speech". There are some trends to try to stop publishing exploit code - I am disturbed by these trends to try to steal rights from the citizens. Exploit code is not the problem. The problem is buggy software. And I am not buying the "writing software is difficult, software will always be buggy" argument - those who think they cannot write good software better get a job at McDonald's.

What do you think is a reasonable period for a researcher to give a company before releasing details of an exploit?

This is up to the researcher. He decides. The exploit is his property, so he can do whatever he wants. It also depends on to whom it is reported.

You say that you prefer to work in open source projects? Why?

I just like open source. And I am selective about who profits from my skills.

What do you consider your favourite vulnerability - the one which really made you feel good when you discovered it?

I classify my bugs in two categories:
a) the ones which are discovered by examining the source code
b) the ones which are discovered "by chance" or by an irrational way.

My favorite ones are type b). I consider a) craftsmanship, which is not very interesting. Don't have a favorite one, but quite like the OpenBSD race condition bug.

How do you see the future of security research evolving? And the future of the internet?

About security - quote from Bon Jovi: "It's all the same, only the names will change". About internet - expect a decline of Microsoft products on the internet.

Has your choice of career affected you personally? Or socially? Many geeks say they are unable to get a date - how about you?

I am not very sociable, but believe I have a good social life. I don't complain about it.

If you had a chance to do it all over again, would you choose the same career? Whatever answer you give, why?

I doubt that one can escape his karma. I probably would have done it the same with small changes.

Any other interests apart from IT?

I like going to parties and bars. I have an amateur interest in mathematics.

If someone wanted to start out as a security researcher, what advice would you give them?

Be careful. Very careful.

Any famous last words?

Keep up the faith.