Is Paying Hackers Good for Business?
Jenny writes "In the light of the recent QuickTime vulnerability, revealed for $10,000 spot cash, the UK IT Security Journalist of the Year asks why business treats security research like a big money TV game show. 'There can be no doubt that any kind of public vulnerability research effort will have the opportunity to turn sour, both for the company promoting it and the users of whatever software or service finds itself exposed to attack without any chance to defend itself. Throw a financial reward into the mix and the lure of the hunt, the scent of blood, is going to be too much for all but the most responsible of hackers. There really is no incentive to report their findings to the vulnerable company, and plenty not to. Which is why, especially in the IT security business, there needs to be a code of conduct with regard to responsible disclosure.' Do you think there's any truth to this? Or is it a better idea to find the vulnerabilities as fast as possible, damn the consequences?"
0-day exploits are already big business on the black market. It's better for the companies to pay for disclosure and have a more secure product than for the exploits to be sold off on the black market and only discovered after a significant portion of the user base has been compromised.
Curiosity was framed, Ignorance killed the cat.
Is why would such contests HAVE to report what vulnerability successfully got through. Shouldn't the results be known only to the company holding the contest, the successful hacker, and the companies whose software was involved in the vulnerabilities?
Why couldn't one just announce "Joe Bob McHobo was the winner!" without publicizing the vulnerability itself before the software's author gets a crack at it?
Humanity is weird.
Ice Cream has no bones.
The value of finding security holes is in disclosing them to everyone, particularly the affected vendor.
The most damaging holes are the ones that only the bad guys know about. This doesn't tend to advance security in software, it just allows people to take over your machine without your permission.
Security research or incentivization schemes that don't include a built-in mechanism to promote disclosure of the discovered problems won't help much.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
'Responsible disclosure' is a euphemism for 'we can't fix bugs fast enough, so if you keep the vulnerabilities a secret, it'll help us to save face.' And more time often means months, not days. Responsible disclosure is nothing more than security through obscurity. And security through obscurity is as good as no security at all. In the intervening months, you have a live, exploitable hole sitting there ripe for attack! And not just on that one system -- every like-configured system is vulnerable. I say, damn the consequences. Report as soon as possible no matter who it embarrasses. It'll either put more pressure on them to fix the bugs faster, or push users to more secure platforms, where security fixes don't take months and are usually found before they're ever exploited in the wild.
My blog
why business treats security research like a big money TV game show
Maybe because the bugs they find are "showstoppers"?
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
What's the difference between you charging me for information, & me charging you for information?
You quit charging me for your information, I'll quit charging you for mine.
Make no mistake, there's plenty of people out there perfectly willing to pay me for my information.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
The problem with your analogy is that "bounty hunters" in the infosec debate would actually be searching for the exploiters, not the exploits.
exactly...that's why the likes of Microsoft and Apple need to rely on 3l33t peeps with sk1llz like b0b4 f3++.
Remember the semi-cynical description of job descriptions? From a random job seeker's point of view all job descriptions are things that they're seeking to fit themselves to so that they can qualify for a job. In reality, though, job descriptions are the result of careful, diligent, and deliberate definition by HR departments who already have a candidate in mind. It is their goal, then, to write a job description which is sufficiently vague to put on a good show of interviewing candidates (and neutralizing any claims of discrimination, nepotism, or favoritism) while still being able to give the position to the (secretly) preordained favorite.
This is exactly what is happening with pay-for-vulnerability gigs. They already know who knows the vulns (usually someone in the pool of people who wrote the software or someone who, in years past, designed the hardware on which it runs) and they already have their preferred winner selected. The task is then on to construct the game show such that more money can be made off of parading the contestants around.
It's the same way insider trading is covered up. It's the same way that political elections are run.
My school would do this for me so I would stop getting suspended.
No. What you said is not an analogy. Normal bounty hunters would look for exploiters on the lamb.
Here's my view: the one and only point of trying to find a vulnerability is to find the vulnerability. You don't care how it's done, you want that vulnerability found while you still have SOME control over it instead of after it's been out in the wild, and you have to patch around it. What's the best way to find your vulnerabilities? Have outsiders working towards a prize. Not only is it good publicity, looks great on the winner's resume, you find just about everything wrong with your product. It's truly win-win.
Anything that is the most thorough way of eventually getting the programme secure is the best way to go about it. Period.
Let's stop dilly-dallying and just change "-1: Overrated" to "-1: Disagree" or "-1: Doesn't Subscribe to Groupthink".
Wow. How is it that an "ex-hacker" who now "specialises in security from the white hat side of the fence" (from the author's bio) can have so little clue about the responsible disclosure debate and the economics of modern vulnerability research? Maybe getting lambasted on Slashdot will be a wake-up call for him to actually do his homework before he spouts off.
Better to light a candle than to curse the darkness.
In the US, bounty hunters have legal protection to do what they do. If a company puts up a juicy reward for finding a security hole, the person coming forward could easily get the shaft and then be prosecuted under DMCA.
At least on the black market, you know, honor among thieves.
More Twoson than Cupertino
Nice way to take the situation out of context with the snippet here on /. I think the important question isn't whether public, for-pay security hunting is a good idea, but rather if it's ethical for an outside firm to pay for it. Would anyone have batted an eye if Apple had been the one advertising for a hack for the Mac? I don't think so, they'd probably have been lauded for having the wherewithal to offer good money to people to help them find exploits of their software.
Which is why, especially in the IT security business, there needs to be a code of conduct with regard to responsible disclosure.' Do you think there's any truth to this? Or is it a better idea to find the vulnerabilities as fast as possible, damn the consequences?"
Considering how quickly companies tend to SUE you for disclosing a vulnerability, I don't think there can be any true code of conduct between hackers and companies. Not unless the companies start making it (public) policy that they WILL NOT sue you as long as you disclose a vulnerability to them first, and give them a reasonable time to fix it before going public.
I think that'll never happen though, and the only way to safeguard a hacker is to make legislation against those type of lawsuits.
I also think that'll never happen either, considering how firmly planted the lips of those companies are to the politician's ass... So *#@& 'em, we just need a good way to disclose anonymously.
-- If we don't stand up for our rights, now, there will be no right to stand up for them later.
No, that would be illegal. If a cop does it to you, it's entrapment, but in this case it would be... hell, I don't know what it would be. But by throwing the contest they're inviting people to attack their software, and unless your lawyer is utterly incompetent, the DMCA would not apply because you had express permission.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Not even that. Normal bounty hunters would look for accused exploiters on the lam. Or did we decide that if you are on bail then you are guilty? If so, why are we letting the guilty go free for a short time?
Stop Global Warming!
Just say no to irreversible processes!
They released a product with security holes in it, they should pay to have them found.
If a construction company builds a bridge with defects that causes it to fall on someone, that someone can sue them.
If a software company makes an insecure product, and someone gets pwned because of it, they should be allowed to sue for damages.
Yes, security holes aren't easy to find in big products, but it should never be an excuse for a company (especially those that make billions, wink wink) to release unsafe products.
I'm not an expert in the field and I expect to be criticized as such.
But I have always held to the simple and logical principle that if the problem can be fixed or patched, then the problem could have been avoided in the first place with good coding practice and code review.
I have heard from countless sources (like BugTraq and other security lists as well as professionals in the field) that 99.9% of these bugs come from lazy programmers writing code in ways that they should know better than to do. It happens when "quick and dirty" prototype code somehow makes it into production. It happens when the programmer is simply unaware of the problem. It happens for some reasons that are fairly understandable, but let's pause for a moment and consider why people still buy software over open source. Among the reasons, one common reason is that commercial code is "professional code" and as such is expected to have been created by trained professionals, using professional standards, methods and techniques. (It's public expectation, not the truth.) But in my mind, if your product is to be considered worthy of public consumption and you would like to be considered nothing less than professional, then perhaps you should write code to professional standards and use professional methods and practices.
Yes, there are buggy libraries beyond the control of many programmers. But by definition, it's not the programmer's fault or responsibility unless, of course, the programmer KNEW about the problem and failed to work around it. But all these stack overflows, underflows, sideways-flows (I just made that up) and stuff like that are simply unforgivable when they come from "professionals" selling their commercial wares. If they don't have the knowledge, then they should quit what they are doing until they have it. In architecture, medicine and many other professional fields, there are serious things that can happen to their licenses should they fail to behave and perform professionally. Somehow the profession of writing code has escaped that level of professional regulation... and well? Look at the consequences.
Well, that really depends on how exactly the contest is stated. If you discover an exploit and then make an announcement about it at the same time you try to claim the prize, the company might turn around and sue you, saying that you didn't have the right to announce the exploit to the general public without their express permission. If on the other hand you discover it and only tell them and they try to sue you, yes, then you could pretty much laugh them out of court.
Curiosity was framed, Ignorance killed the cat.
Sorry, America. I posted in the wrong topic thread. I meant to post it here. ;)
Of course paying hackers is a good idea, if you want to generate any interesting code... Oh, wait a minute. Slashdot has bought into the lowest common denominator usage of "hacker" to mean a cracker. And here I thought my opinion of the Slashdot moderators couldn't get any lower, after I had moderation privs revoked for daring to criticize them on other matters...
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
What's wrong with both?
Nothing. Both Cops and Dog the bounty hunter get cool TV shows. Clearly that is the solution.
So many of us are alluding to this, but so few are actually calling it out
“No incentive” !? Is $10,000 so lacking as to be deemed a non-incentive ? Why is this statement disagreeing with the premise of the article?
I believe the gist is this: When a developer opens the door to the community, and puts up a cash reward for finding vulnerabilities, what's to keep the “black hats” from keeping the exploits to themselves? (potentially selling them underground and making more in illicit revenues than the amount posted as a bona-fide reward) They attempt to introduce pseudo-psychological factors (which only help to confuse the matter) but essentially address the core morality of the coder community.
TFA seems just as confused as OP about the exact point they are both trying to make. I think the headline should read, How much is the color of your hat worth?
In the case of Apple, what if the hacker found a way to make $100,000 from the exploit, rather than just settle for the one-time $10,000 payoff? Would it have been enough to keep someone honest?
I think this brings us to a most compelling question. What's a “white hat” worth? What amount could be called a “standard bounty” for finding a vulnerability in code? Also, support a stance on whether such rewards are a “bounty” or a “sellout price”.
(I can hear the knuckles cracking already...)
This post © Copyrite Duggeek, all rights reversed.
Buying vulnerability info from a third party is just outsourcing your QA. It's just buying testing + bug reporting.
If a third party demands money to keep QUIET about a vulnerability, that's extortion.
Much of the animosity here is that many security researchers specialize in breaking things--they haven't ever worked on engineering a large, complex system. They just don't understand how much time is required to test code before it is released. Also, the legal teams for many companies just don't understand that alienating security researchers by filing lawsuits is only going to make their situation worse.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
OK, let's suppose you were to have a standard "date" and didn't pay. You might think this is just dandy, perfectly fine business but in fact the hooker probably has some associates who would be willing to break your kneecaps for that money. So from that perspective, paying hookers is definitely good for business.
---GEC
I'm but the humble pupil, seeking to snatch the scratchbuilt pebble from the master's fully articulated hand
Well, that really depends on how exactly the contest is stated. If you discover an exploit and then make an announcement about it at the same time you try to claim the prize, the company might turn around and sue you, saying that you didn't have the right to announce the exploit to the general public without their express permission. If on the other hand you discover it and only tell them and they try to sue you, yes, then you could pretty much laugh them out of court.
At least, we'd like to believe so. Remember, justice != logic.
Thank God for evolution.
The problem with your argument is it's much harder to create a secure software product than it is to create a secure bridge. This is especially true because delaying construction of a bridge for a month can be done without competitors swooping in and taking the market.
I'm a UK cit, I work in infosec, and I've a friend who's an IT hack (er, that is, journalist :) ). I have no idea who the UKITSJotY might be. My non-UK SIJOTY is Bruce Schneier, same as last year and the year before that, with Peter Neumann a close second.
Everything I needed to know about life, I learnt from Blake's Seven
I'd *far* rather make $10,000 legally than $100,000 illegally. This is true of most people. The former is just a better long-term plan.
But this debate is a bit silly since there are any number of legal firms that pay bounties for exploits in popular software, then extort huge "security consulting" fees out of the vendors to reveal these exploits. When the company offers the bounty directly it just cuts out the middle-man.
Socialism: a lie told by totalitarians and believed by fools.
Hey, n.p., I was with you all the way until you got into the stuff about girly-men ;p
Everything I needed to know about life, I learnt from Blake's Seven
Please mod up the "hacker-truth, moderator-bashing" post!
Come on, damnit, no whammies!
---GEC
I'm but the humble pupil, seeking to snatch the scratchbuilt pebble from the master's fully articulated hand
I have a better idea.
Why not hire a professional team of assessment professionals to look at your stuff?
I'm not talking a lame corporate-compliance team, but a highly experienced team of world-class hackers, who are employed by an extremely reputable company and managed by an experienced staff capable of communicating problems quickly and completely.
Try this one: www.accuvant.com
Then you don't have any of these issues.
Of course, that wouldn't necessarily be as cheap. I think $10,000 would definitely be on the extreme low end of a simple job.
Stew
There are 10 kinds of people in the world. Those who understand binary and those who don't.
"Responsible disclosure" would have been great, except that history has shown us that it usually doesn't work. When "responsible disclosure" has been tried the vulnerability has lingered (especially with the larger corporations). When the vulnerability has been openly disclosed, then suddenly the software gets a patch. If history had been different then perhaps we would give the idea consideration. But it wasn't, and it was a problem created by the software companies themselves, so here we are today reaping the seeds that were sown.
I'm sick of international people who use the word "American" to typify a country and culture without considering that in fact they just characterized an entire geographic area with flame.
If I am incorrect to assume that you are from outside a place, which I can only guess is the United States of America due to your vague off-topic tirade, then:
FIRST: I owe you an apology for assuming that you aren't from here. Threats like these either come from foreign governments or aspiring socialists.
SECOND: If you are a citizen, there are many places you can move to after you renounce your citizenship, which I encourage you to do ASAP. There is Canada and Venezuela if you don't want to travel too far; please note that these are both good choices for socialists and liberals alike.
In closing I would like to remind you that despite your cry for improvements, you have neglected your self imposed responsibility by not educating yourself on the finer points of education. First and foremost, you are not only speaking out of turn but severely off topic and in a secular forum. But secondly, you seem to have a contextual impression that everything is related to everything else, and there are no singular independences at work in the world that we live in.
Blame yourself for your own shortcomings because there is not a single government (not even North Korea) that can compensate for a low investment in due diligence that has fed your unusually low self esteem.
In short, you sir go fuck yourself, and I hope to God that there is a bus out there with your name on it waiting for that fateful day when you step off the curb without looking and it runs you over.
God Bless America and all the legal citizens who belong here.
pay me now or pay me later... your call nub....
Security industry commentators fallaciously believe that it is the announcement of the existence of a vulnerability that puts users at risk, not the vulnerability itself. As an illustration, compare this QuickTime vulnerability with the Microsoft Windows Animated Cursor (ANI) vulnerability.
The ANI vulnerability was reported to Microsoft in December 2006 by Determina. Completely independently, this vulnerability was reported as being exploited in the wild on March 29th by Microsoft and on April 3, an official patch from Microsoft was released. It is unknown how long the vulnerability was being exploited in the wild before Microsoft's announcement.
In this case, the live demonstration of the QuickTime exploit at the conference was performed over a controlled network to prevent anyone else from sniffing the network traffic. The only details released over the weekend were, "A vulnerability affecting Safari on MacOS X". The fact that the vulnerability was in QuickTime's Java components was only revealed on the subsequent Monday, after the vulnerability had been reported to Apple. These details were revealed so that users could take appropriate action (disabling Java) to protect themselves in the meantime. Apple subsequently released a patch one week later.
With the ANI vulnerability, Microsoft took 4 months to fix a very serious vulnerability. During that time, countless Internet users were compromised with attacks based on that vulnerability. With the QuickTime vulnerability, Apple took 1 week to fix the vulnerability, and there have been *no* reports of Macs or PCs being compromised using that vulnerability, beyond the MacBook Pro at the contest.
The publicity of the contest actually sped up the process of addressing the vulnerability, thus putting fewer users at risk. Had Microsoft taken 1 week to address the ANI vulnerability, we would have avoided the rash of infections that came in mid to late March. Blame the vulnerability, not the messenger.
If we can create a situation where bug disclosures are maximized, the products with the most serious security problems will die, and likely take their companies with them. So if you're a company that reasonably believes your products have few if any such bugs, your smartest bet is to encourage all companies to offer rewards to hackers - if you're right about the quality of your products, it will take your competition down and leave you standing.
As a customer, then, who should you buy from? The companies with the confidence in their products to offer hacker rewards, or the ones with so little confidence that they don't? Yes, some of the first will be wrong about their products; but virtually all of the latter will be correct.
"with their freedom lost all virtue lose" - Milton
More terminological abuse from Slashdot editors:
"Linux" instead of "GNU/Linux" (when not referring specifically to the Linux kernel)
"piracy" instead of "copyright infringement"
I am sure we could dig up more.
I'm not sure if people would agree, but in my opinion, looking back at history, I think the consumers (which is most of us I suppose?) got fed up with vendors not dealing with the vulnerabilities of their software (and some of them going out of their way and sometimes calling it a "feature").
Pretty soon it became a trend to disclose known vulns -- for leverage? -- everybody getting together because they wanted a solution - a fix - so they stop getting screwed (again and again), and here we are today, with added hype, and business models which create just another revenue stream.
Whether code of conduct or not (which the article seems to argue), I'm not wise enough to boldly say which is good or bad, but if at least someone nice enough discloses a problem, it would surely make me feel a little better because I could make choices to think about it and do something about it (and maybe help others?).
That's another reason why I chose to use open source OSes/software as much as possible (not that I'm siding with any side), because if something needed doing, I could open the hood up and see, think, and most likely fix something about it, instead of "working around" some problem and knowing that it's not fixed.
just my opinion
(sorry if this was a little off topic)
GUI == Graphical User Interference
In humans in general, you get behaviors that are rewarded or reinforced. You reward hacking, cracking and exploits and you will get more of it. Mostly focused in directions you didn't even dream of originally.
And the new crop of victims will never know who to thank.
Basically, most EULAs will leave you hanging out to dry in this regard. They'll make sure you acknowledge that the company isn't responsible for security breaches, or at the very least you waive your right to sue for damages in such an instance.
Funtime Candy Wow! - my plan for eventually conquering Japan.
Generally, the accused but innocent don't take off. They stay in the state like they're supposed to, they show up to their trial, and then they most often get acquitted. Violating bail is, in fact, a crime, so a bail jumper is a criminal, regardless of whether or not he's guilty of the crime he put up bail for.
I see your informative link, and raise you a pithy comment.
I'm sick of international people who use the word "American" to typify a country and culture without considering that in fact they just characterized an entire geographic area with flame.
I'm sure anti Americans regret any collateral damage they cause.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
"Normal bounty hunters would look for exploiters on the lamb"
;-)
You're going to feel sheepish when you realize that should be "on the lam".
A cheerful little bird is sitting here singing.
This is slashdot, so where's the car analogy?