Two years ago, Charles Miller found a remotely exploitable flaw in a common component of the Linux operating system, and as many enterprising vulnerability researchers are doing today, he decided to sell the information. Having recently left the National Security Agency, the security professional decided to try his hand at …
Markets and Makers
The players mentioned seem not to distinguish between an efficient and an inefficient market.
My principle courses on asset evaluation mentioned Aristotle as authoring the first case analysis of value. There have been many attempts to define value but the schoolboy stuff generally suggest value is derived from timely information in an open market. An open market is one without barriers to trade where knowledgeable sellers and buyers act without duress. The culmination of such theories is to be found in the seminal and venerable 'Security Analysis' by Benjamin Graham and David Dodd. 'Security Analysis' is perhaps more widely known because Warren Buffet of the Berkshire Hathaway Fund touted it. The underlying philosophy was one of rolling up your sleeves and digging deep into the affairs of a company to find value. As of the 70's the authors of 'Security Analysis' suggested their methods were antiquated in the face of the theory of the Efficient Market Hypothesis which holds that markets are information efficient.
Generally neither the ideas behind 'Security Analysis' or the Efficient Market Hypothesis hold for selling one off security flaws. All bets are off when trying to determine value where there are barriers to trade and information. Reputation and who you know become crucial. Working in such a market and wishing it like to one more efficient is whimsical.
Really, I'm a bit torn on this issue. On the one hand, I do see a real need for security researchers, as software developers obviously do not harden their code as they should. But on the other hand, I just can't feel bad for this guy. He's crying "poor me" because Microsoft actually fixed a bug in their code which left people vulnerable. In my eyes, this guy is no better than the black hats who exploit a flaw and knowingly sell it (or use it) for illicit purposes. Both of them are actively trying to exploit a flaw, and neither of them want the flaw to be fixed. Real security researchers WANT flaws fixed; that's why they do the job. This guy is just in it for the money. Wanting to get paid a fair price for your work is fine. Trying to blackmail/exploit companies is not.
And would someone please tell this idiot that there is no specific "value" for a flaw/exploit? He saw that himself when one agency offered him $10,000 and another agreed to $80,000. "Value" is specific to each individual. When you're dealing with something as rare as software vulnerabilities, there is no such thing as "fair market value".
No matter what the field of human endeavour, there'll always be parasites trying to screw over their fellow Man. The best thing to do is break their legs when you catch them.
Facilitating crime a crime in itself?
To me, this guy sounds like a security researcher in the same way as a guy who figures out how to break into a bank vault, defeat burglar alarms systems, or enter the Whitehouse grounds illegally is a "security researcher".
The aim is to make money by selling information that will facilitate the commission of a crime -- industrial espionage, corporate extortion, or internal and external espionage by government spy agencies (which would be a crime in the country being spied on).
I would like to see an article by a lawyer on this issue. I think that in most countries, knowingly committing an act that facilitates a crime is a crime.
Sounds like a lazy researcher to me...
Basically, in a market wherein the value of an exploit is based on the time-critical nature of obscure information, the author is complaining that it's hard to find accurate pricing information in a timely manner. Well duh...
In other markets where the price negotiations are beyond the capability of the "talent", the typical solution is to hire an agent. Why does the author expect that the problem of pricing ought to be easier for him?
Isn't there a moral problem here?
There's something fishy about this way of making money. Could one actually sell a method to perpetuate a crime? Worse, if something was to happen, and it was found out that this researcher hadn't devulged what he knew, could he not be held, at least partially, liable? IANAL, but I think that in some situations it would be a crime to not devulge information about a "vulnerability". If for example, you knew someone could get hurt and you didn't warn them when you had the chance, you could probably be held legally negligent. Perhaps this particular case could even be called extortion. If this business practice isn't actually illegal, then isn't there at least a moral problem here?
I can think of other situations where a similar business plan would most likely be illegal. A doctor, for example, telling a patient that he knows of something very bad which is likely to happen to you, and then demanding a large sum of money to tell you what it is. If the doctor actualy has this information, could he not be in trouble if he didn't tell you?
What does the US government do with this?
Some unspecified US government dept. is paying people for finding exploitable vulnerabilties. Why?
I suppose they could be using this to help secure thier own systems, but, why the reluctance to disclose the vulnrability to the suppliers. Besides
other recent stories colclude that US gov. departments pu a very low priority on securing thier data.
On can only conclude that the US is activly spying on its citizens.
If an engineer were to find a problem with a product in there field of expertise that was potently dangerous they would be morally and ethically bound to report it, no money, no glory, just doing the right thing. Why do programmers think that it is ok to blackmail people over this? "Recompense for time spent"? Please... How can you live with yourself? And any programmer that b****s about M$ having so many vulnerabilities is a hypocrite. Given the complexity of modern programs I dont believe that there is any programmer that can honestly turn around and say, "All my work is 100% correct, stable and secure".
Re: Markets and Makers
Greg Nelson, your "principle courses on asset evaluation" sound like a laugh a minute. Could you supply a bibliography for me to avoid?
Blackmailers should not prosper
This is blackmail, pure and simple. One should not ask what the value of the information is, but what the researcher will do if the vendor does not pay the price.
They should be out being more productive, or asking for a job from the firms, rather than being so destructive.
I'd be surprised if such blackmail isn't illegal. If it is, the boys in blue should get involved. If, for some reason it isn't, whilst I couldn't condone it, I do wonder how many exploits they can investigate when their fingers are broken?
...should be on the software vendor for not testing code well enough to secure it against attacks.
Only when the likes of Microsoft face damaging lawsuits for every potential security hole (and a LOT of cash to be paid in compensation for each one), we'll start seeing software that is finally secure by design.
Unfortunately, the Internet is the biggest reason why we have insecure and buggy software: Back in the old days when software had to be shipped on CD or floppy disc, if you had a bug in your product, you had to replace an awful lot of media (at great expense). So, understandably, QA was extremely important to companies because the consequences of a big bug could be devastating. Nowadays, I regularly see software shipped without even cursory testing...
But now you can just post a fix on the Internet and expect your users to download it. I think this is unreasonable - and companies should be expected to be penalised for software that requires patches on a regular basis. End users should not be treated as beta testers: Our data is important to us, and should never be placed in jeopardy. Software should be treated as any other product, and be liable for compensation if it found faulty.
The likes of Microsoft should be made to pay big money each and every time a security vulnerability is found. If facilitating a crime is indeed a crime, then Microsoft would be liable. If a hole in IE or a service of Windows allows a hacker to intercept my Amazon.com order and take the keystrokes for my credit card number, I would hold Microsoft responsible for the holes - since their insecure software facilitated the attack.
The Internet is the biggest reason, my arse
It simply made the problem worse, rather than being the root cause of the problem.
The real cause is very simple : people do not want to pay for solid software development, and they definitely do not want to wait long enough to properly test the code, so inferior products are released.
In particular, people do not want to pay for security, or any other insurance/protection package (such as backup, anti virus, firewalls etc) that provides no immediate benefit, but protects from some nasty consequences.
Given that customers will not pay for secure software, and will happily buy insecure or buggy software that is released before a properly architected solution the only sensible business decision is to release a product that is a good enough tradeoff between functionality, security and stability. To do otherwise is commercial suicide, unless a product has significant advantages or is written under a sensibly priced contract specifically requesting watertight security and stability.
Morally ambigious my arse
This is the real world. What these guys are doing is effectively free-lance bug testing where they only get paid if they discover a vulnerability.
The morally ambigious part (if there is one) is that M$ (or equivalent) don't already have a program whereby researchers can sell their info direct to the manufacturer of the product (rather than relying on 3rd parties).
If this is to become a legitimate business, by it's very nature it needs to be regulated.
I find it strange how this article refers to "the government" as if there were only one. Did this security researcher try contacting the Chinese government, for example? I'd definitely try talking to them if I had a good vulnerability to sell.
Some other government?
And what if China made him an even better offer? Or someone broke into his office and stole it? Or, while he's attempting to sell it, someone offs him?
Selling vulns might be like selling drugs. He's dealing with some shady characters.
I don't believe there is a blackmail or moral issue
As long as certain conditions are met.
For me the most important issue is shown by the second person in this article - making sure whomever he sells the vulnerability to informs the vendor/developer, handing them the details of the vulnerability.
Obviously there should be no dealing with those that would use these vulnerabilities for malicious purposes, and obviously there is no "that's not fair" if the vulnerability is fixed before they can sell it to those that want to protect themselves.
It seems to me they have a right to make a living - many of the exploits fixed by major developers have been routed out by security researchers so their work is of benefit to everyday users. It also seems to me as long as they meet the conditions of informing the developer of the software and not selling to malicious buyers then they are perfectly entitled to charge whatever they please.
It's up to the buyer to determine whether they can make use of the information and if so, how much it's worth in terms of protecting themselves vs waiting for a patch.
Is this criminal? I believe these people are covered by fair use rights under the guise of research. It's a bit dodgy, but there's so much precedence in their favour, and most major vendors accept their existence provided they are informed of the vulnerability for a reasonable amount of time prior to making it public - therefore I don't think they have much to worry about on that score.
Oh, boo hoo!
People are fixing software faster than you can make a quick buck.
Are you for real?
Get a real job!
Playing the Game and keeping yourself Right
"Selling vulns might be like selling drugs." ....... Whoa, hold your horses, Mr Dillon.
Vulns are knowledge and they are ideas you buy, for of course, you never know what they are worth until they are exploited...... so it is always best to sell them on to whoever wants them, whether to put in a fix or to use them as an exploit. Of course that then takes you into XSS territory too.... Cross Site Scripting for IT is a hand in glove thing, with the two bugs, ZerodDay Words and XSS invariably being joined at the hip.
Seems like the best plan is to have the best experts on your side, and in a capitalist system that would be as simple as paying them shed loads of money, which they are only going to put back into the system anyway but then they are working for the System probing vulnerabilities by tempting Systems to find out just how SMART they want to become. Ye olde poacher turned gamekeeper ploy
It allows for a "peek" inside other Systems, should they be aware of what is being probed.
If the System does not buy what the System has created, you cannot blame anyone other than the System, if IT travels elsewhere. And it is a pretty dumb System in need of repair, if it fails to pay handsomely, for its own Protection, for in Reality, IT is costing them nothing.
Ok Rant over...I just thought that needed to be shared .