Earlier this month, employees for LinkedIn, a social network site that caters to business people, received an unusual proposition from a security researcher who had just uncovered a vulnerability that put many of its users at serious risk. "If you are interested in the bug, we would like to give you first right of refusal to …
Code of practice
It seems that there is room here for an industry-agreed code of practice on both sides here. Clearly the vendor of any product that has a potentially disastrous bug in it has a duty to their customers to fix it. On the other hand, anyone who discovers the bug should not just blackmail the vendor, although in this case he did act ethically in as much as he offered the fix to the vendor first and not to the highest bidder, whoever they were.
Without some kind of protocol to cover incidents like this, eventually there will be chaos.
Blackmail is how business is done
Almost all of medical care is extortion
nearly every bit of insurance especially
vehicle insurance is blackmail actually
so what makes this any worse taxes
are extortion on and on almost anything
that people are forced to do to safeguard
others has to be sold to them in a strongarm
way given a choice the average businessman
will choose to not safeguard his customers
so you don't give him any choice this doesn't
make you a bad person it's just reality live with
"its users, many of whom are high-net worth individuals, were put at a higher risk"
Hmm, that phrase makes the whole thing stink of the "these are rich, important people, so the problem is more important" mentality.
As a member of the LinkedIn community invited by three different people, I am thus a potential victim of the bug, whatever it is. As an aside, I rather hate these social network sites that rely on the personal relations of their users to increase their importance. I would never have joined LinkedIn on my own, but because three different people I know and am sympathetic with invited me, I had to respond and sign in (otherwise, you know, they might take it the wrong way - business relations and all that).
Now there is a bug. Well that hardly surprises me, which is why I filled out the bare minimum in my profile. There is nothing there that I mind if it gets out because it is already public information.
I do not trust any site with personal information, not even my email. I think it is inevitable that sites be cracked at one point or another (and success increases the likelihood of being a target), so why feed the monster?
Re: Blackmail is how business is done
"nearly every bit of insurance especially vehicle insurance is blackmail actually"
No, blackmail would be an insurer calling you and telling you if you don't insure with them they'll come round and smash in your car. Which, they don't. So, no it's not blackmail. Should we allow people to drive their cars without insurance? As a driver, cyclist, and pedestrian I would prefer not.
Oh and what's with the double spaced lines?
Can there ever be a moral justification for posting Proof of Concept Code?
There's an argument for making the bug public, sure, but publicly posting proof of concept code is surely morally reprehensible.
I was recently invited to join LinkedIn
but, I declined and flagged the sender as SPAM, being unsolicited commercial email.
Perhaps it was a wise move.
Code of Practice?
Is a code of practice really necessary?
Surely this is similar to someone contacting a high street store and saying they know a way of disabling their shutters. They will not disable their shutters but will tell everyone how to do it if the store doesn't pay up.
Or even; I know a bunch of people who'd like to smash up your office if you don't pay me not to tell them. That's called protection.
If Jared had been contracted by LinkedIn to find bugs that's one thing but he didn't do that.
Bang on. It's a shake down. "Pay up or your good name is trashed". Then again, isn't this exactly the kind of corporate business that is going on in the courts vis-à-vis Intellectual Property... "I hold IP regarding x, y, z, cough up or I drag you through the courts". With the latter example you essentially play poker - do you have an idea as to whether any such IP is contained in your product, do you have sufficient resources to withstand a sustained attack in the courts?
It's no longer business, it's gangsterism. War by other means....
"Surely this is similar to someone contacting a high street store and saying they know a way of disabling their shutters. They will not disable their shutters but will tell everyone how to do it if the store doesn't pay up."
Yes but (to continue the analogy) he stood outside the shop shouting to everyone how to disable the shutters, even the security guards (LinkedIn) heard how to do it and fixed the shutters accordingly.
What he didn't do was whisper to the baker on how to do it.
So LinkedIn didn't test their code? They released a product into the public arena that contained a flaw. Who would *directly* suffer if this flaw was exploited? Not LinkedIn; the users.
So someone comes along and finds the flaw. They spend time making sure it is a flaw. It is. They notify LinkedIn and ask for compensation for their work. LinkedIn refuse (why should they pay, *they* aren't at risk and they get it for free in a few days anyhow).
If LinkedIn (or any business) had confidence in their site then they'd have a policy of paying for such exploits - after all there aren't any are there? They do continually penetration test the site don't they? Oh wait, no. The risk is external (as Schneier would say).
Jared was being responsible - there is no 'bobby on the beat' who knocks at your door and says "did you know your windows are unlocked around the back". So Jared has become an entrepreneur - he walks the beat and finds problems. The community doesn't pay him for this service so he asks for (not demands) support from those he helps.
What other motivation do LinkedIn have to fix their problem? None. They were told that there was a problem and obviously did not have the expertise to fix it *even knowing it was there*.
Eventually, when they realise that designing and testing the site properly would be cheaper than paying Jared, his job is done.
The approach Jared used seems to be beyond reproach.
Ask yourself - what would LinkedIn say if they discovered Jared had approached NatWest with a way to undetectably remove funds from the LinkedIn business account; and NatWest had told him to take a hike?
"Unprofessional. Practically criminal! That's *our* money!!"
Attention Jared DeMott:
"I have found a way to break into your home, and would like to give you the right of first refusal. If you wouldn't like to buy it then we are happy to re-sell or release as a full disclosure ... perhaps to the Russian mob for 100k or someone who would like to kill you in your sleep? I would more than gladly provide a proof of concept, perhaps by p1ssing on your bed while you are out at the mall sometime."
Sounds scary now, doesn't it, but it is essentially tantamount to the same thing. Just because you can point your browser to a website doesn't mean you have the right to muck about on it, or try to exhort money from the webmaster.
And RE the query on the double spaced post, it's quite obviously a haiku-esque ode and conforms to iambic pentameter! ;)
Seriously- Bounty Hunter
"That's too bad", says Forslof with Tipping Point's Zero Day Initiative... the incident was a missed opportunity.
Are you telling me you would be willing to represent someone who exploited a privately owned website on the open internet? I read this story in utter disbelief. Yes, it was a missed opportunity - to prosecute an illegal hacker.
There's something fundamentally wrong when there are not only people providing unsolicited research, "hacking", but there are third party companies who set themselves up to exploit both the hacker and the company being hacked for a profit. There is a name for this and it is called extortion, commonly practiced by organized crime.