Zero-day sales not 'fair' - to researchers

I'm torn

Really, I'm a bit torn on this issue. On the one hand, I do see a real need for security researchers, as software developers obviously do not harden their code as they should. But on the other hand, I just can't feel bad for this guy. He's crying "poor me" because Microsoft actually fixed a bug in their code which left people vulnerable. In my eyes, this guy is no better than the black hats who exploit a flaw and knowingly sell it (or use it) for illicit purposes. Both of them are actively trying to exploit a flaw, and neither of them want the flaw to be fixed. Real security researchers WANT flaws fixed; that's why they do the job. This guy is just in it for the money. Wanting to get paid a fair price for your work is fine. Trying to blackmail/exploit companies is not.

And would someone please tell this idiot that there is no specific "value" for a flaw/exploit? He saw that himself when one agency offered him $10,000 and another agreed to $80,000. "Value" is specific to each individual. When you're dealing with something as rare as software vulnerabilities, there is no such thing as "fair market value".

Parasites

No matter what the field of human endeavour, there'll always be parasites trying to screw over their fellow Man. The best thing to do is break their legs when you catch them.

Facilitating crime a crime in itself?

To me, this guy sounds like a security researcher in the same way as a guy who figures out how to break into a bank vault, defeat burglar alarms systems, or enter the Whitehouse grounds illegally is a "security researcher".

The aim is to make money by selling information that will facilitate the commission of a crime -- industrial espionage, corporate extortion, or internal and external espionage by government spy agencies (which would be a crime in the country being spied on).

I would like to see an article by a lawyer on this issue. I think that in most countries, knowingly committing an act that facilitates a crime is a crime.

Sounds like a lazy researcher to me...

Basically, in a market wherein the value of an exploit is based on the time-critical nature of obscure information, the author is complaining that it's hard to find accurate pricing information in a timely manner. Well duh...

In other markets where the price negotiations are beyond the capability of the "talent", the typical solution is to hire an agent. Why does the author expect that the problem of pricing ought to be easier for him?

Isn't there a moral problem here?

There's something fishy about this way of making money. Could one actually sell a method to perpetuate a crime? Worse, if something was to happen, and it was found out that this researcher hadn't devulged what he knew, could he not be held, at least partially, liable? IANAL, but I think that in some situations it would be a crime to not devulge information about a "vulnerability". If for example, you knew someone could get hurt and you didn't warn them when you had the chance, you could probably be held legally negligent. Perhaps this particular case could even be called extortion. If this business practice isn't actually illegal, then isn't there at least a moral problem here?

I can think of other situations where a similar business plan would most likely be illegal. A doctor, for example, telling a patient that he knows of something very bad which is likely to happen to you, and then demanding a large sum of money to tell you what it is. If the doctor actualy has this information, could he not be in trouble if he didn't tell you?

What does the US government do with this?

Some unspecified US government dept. is paying people for finding exploitable vulnerabilties. Why?

I suppose they could be using this to help secure thier own systems, but, why the reluctance to disclose the vulnrability to the suppliers. Besides

other recent stories colclude that US gov. departments pu a very low priority on securing thier data.

On can only conclude that the US is activly spying on its citizens.

Another example.

If an engineer were to find a problem with a product in there field of expertise that was potently dangerous they would be morally and ethically bound to report it, no money, no glory, just doing the right thing. Why do programmers think that it is ok to blackmail people over this? "Recompense for time spent"? Please... How can you live with yourself? And any programmer that b****s about M$ having so many vulnerabilities is a hypocrite. Given the complexity of modern programs I dont believe that there is any programmer that can honestly turn around and say, "All my work is 100% correct, stable and secure".

Re: Markets and Makers

Greg Nelson, your "principle courses on asset evaluation" sound like a laugh a minute. Could you supply a bibliography for me to avoid?

Blackmailers should not prosper

This is blackmail, pure and simple. One should not ask what the value of the information is, but what the researcher will do if the vendor does not pay the price.

They should be out being more productive, or asking for a job from the firms, rather than being so destructive.

I'd be surprised if such blackmail isn't illegal. If it is, the boys in blue should get involved. If, for some reason it isn't, whilst I couldn't condone it, I do wonder how many exploits they can investigate when their fingers are broken?

The Internet is the biggest reason, my arse

It simply made the problem worse, rather than being the root cause of the problem.

The real cause is very simple : people do not want to pay for solid software development, and they definitely do not want to wait long enough to properly test the code, so inferior products are released.

In particular, people do not want to pay for security, or any other insurance/protection package (such as backup, anti virus, firewalls etc) that provides no immediate benefit, but protects from some nasty consequences.

Given that customers will not pay for secure software, and will happily buy insecure or buggy software that is released before a properly architected solution the only sensible business decision is to release a product that is a good enough tradeoff between functionality, security and stability. To do otherwise is commercial suicide, unless a product has significant advantages or is written under a sensibly priced contract specifically requesting watertight security and stability.

Morally ambigious my arse

This is the real world. What these guys are doing is effectively free-lance bug testing where they only get paid if they discover a vulnerability.

The morally ambigious part (if there is one) is that M$ (or equivalent) don't already have a program whereby researchers can sell their info direct to the manufacturer of the product (rather than relying on 3rd parties).

If this is to become a legitimate business, by it's very nature it needs to be regulated.

Which government?

I find it strange how this article refers to "the government" as if there were only one. Did this security researcher try contacting the Chinese government, for example? I'd definitely try talking to them if I had a good vulnerability to sell.

Some other government?

And what if China made him an even better offer? Or someone broke into his office and stole it? Or, while he's attempting to sell it, someone offs him?

Selling vulns might be like selling drugs. He's dealing with some shady characters.

I don't believe there is a blackmail or moral issue

As long as certain conditions are met.

For me the most important issue is shown by the second person in this article - making sure whomever he sells the vulnerability to informs the vendor/developer, handing them the details of the vulnerability.

Obviously there should be no dealing with those that would use these vulnerabilities for malicious purposes, and obviously there is no "that's not fair" if the vulnerability is fixed before they can sell it to those that want to protect themselves.

It seems to me they have a right to make a living - many of the exploits fixed by major developers have been routed out by security researchers so their work is of benefit to everyday users. It also seems to me as long as they meet the conditions of informing the developer of the software and not selling to malicious buyers then they are perfectly entitled to charge whatever they please.

It's up to the buyer to determine whether they can make use of the information and if so, how much it's worth in terms of protecting themselves vs waiting for a patch.

Is this criminal? I believe these people are covered by fair use rights under the guise of research. It's a bit dodgy, but there's so much precedence in their favour, and most major vendors accept their existence provided they are informed of the vulnerability for a reasonable amount of time prior to making it public - therefore I don't think they have much to worry about on that score.

Oh, boo hoo!

People are fixing software faster than you can make a quick buck.

Are you for real?

Get a real job!

Playing the Game and keeping yourself Right

"Selling vulns might be like selling drugs." ....... Whoa, hold your horses, Mr Dillon.

Vulns are knowledge and they are ideas you buy, for of course, you never know what they are worth until they are exploited...... so it is always best to sell them on to whoever wants them, whether to put in a fix or to use them as an exploit. Of course that then takes you into XSS territory too.... Cross Site Scripting for IT is a hand in glove thing, with the two bugs, ZerodDay Words and XSS invariably being joined at the hip.

Seems like the best plan is to have the best experts on your side, and in a capitalist system that would be as simple as paying them shed loads of money, which they are only going to put back into the system anyway but then they are working for the System probing vulnerabilities by tempting Systems to find out just how SMART they want to become. Ye olde poacher turned gamekeeper ploy

It allows for a "peek" inside other Systems, should they be aware of what is being probed.

If the System does not buy what the System has created, you cannot blame anyone other than the System, if IT travels elsewhere. And it is a pretty dumb System in need of repair, if it fails to pay handsomely, for its own Protection, for in Reality, IT is costing them nothing.

Ok Rant over...I just thought that needed to be shared .