Is Paying Hackers Good for Business?
Jenny writes "In the light of the recent QuickTime vulnerability, revealed for $10,000 spot cash, the UK IT Security Journalist of the Year asks why business treats security research like a big money TV game show. 'There can be no doubt that any kind of public vulnerability research effort will have the opportunity to turn sour, both for the company promoting it and the users of whatever software or service finds itself exposed to attack without any chance to defend itself. Throw a financial reward into the mix and the lure of the hunt, the scent of blood, is going to be too much for all but the most responsible of hackers. There really is no incentive to report their findings to the vulnerable company, and plenty not to. Which is why, especially in the IT security business, there needs to be a code of conduct with regard to responsible disclosure.' Do you think there's any truth to this? Or is it a better idea to find the vulnerabilities as fast as possible, damn the consequences?"
0-Day exploits are already big business on the black market, better for the companies to pay for disclosure and have a more secure product, than for the exploits to be sold off on the black market and only discovered after a significant portion of the user base has been compromised.
Curiosity was framed, Ignorance killed the cat.
LOL, teh funnay was made complete with the 's' replaced with '$'.
Is roasting Juden good for acid rain?
What is it, Obvious Question Day on Slashdot?
Is why would such contests HAVE to report what vulnerability successfully got through. Shouldn't the company holding the contest, the successful hacker, and the companies whose software was involved in the vulnerabilities be the only ones who know the results?
Why couldn't one just announce "Joe Bob McHobo was the winner!" without publicizing the vulnerability itself before the software's author gets a crack at it?
Humanity is weird.
Ice Cream has no bones.
The value of finding security holes is in disclosing them to everyone, particularly the affected vendor.
The most damaging holes are the ones that only the bad guys know about. This doesn't tend to advance security in software, it just allows people to take over your machine without your permission.
Security research or incentivization schemes that don't include a built-in mechanism to promote disclosure of the discovered problems won't help much.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
'Responsible disclosure' is a euphemism for 'we can't fix bugs fast enough, so if you keep the vulnerabilities a secret, it'll help us to save face.' And more time often means months, not days. Responsible disclosure is nothing more than security through obscurity. And security through obscurity is as good as no security at all. In the intervening months, you have a live, exploitable hole sitting there ripe for attack! And not just on that one system -- every like-configured system is vulnerable. I say, damn the consequences. Report as soon as possible no matter who it embarrasses. It'll either put more pressure on them to fix the bugs faster, or push users to more secure platforms, where security fixes don't take months and are usually found before they're ever exploited in the wild.
My blog
why business treats security research like a big money TV game show
Maybe because the bugs they find are "showstoppers"?
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
What's the difference between you charging me for information, & me charging you for information?
You quit charging me for your information, I'll quit charging you for mine.
Make no mistake, there's plenty of people out there perfectly willing to pay me for my information.
Wanna fight? Bend over, stick your head up your ass, and fight for air.
The problem with your analogy is that "bounty hunters" in the infosec debate would actually be searching for the exploiters, not the exploits.
exactly...that's why the likes of Microsoft and Apple need to rely on 3l33t peeps with sk1llz like b0b4 f3++.
Remember the semi-cynical description of job descriptions? From a random job seeker's point of view all job descriptions are things that they're seeking to fit themselves to so that they can qualify for a job. In reality, though, job descriptions are the result of careful, diligent, and deliberate definition by HR departments who already have a candidate in mind. It is their goal, then, to write a job description which is sufficiently vague to put on a good show of interviewing candidates (and neutralizing any claims of discrimination, nepotism, or favoritism) while still being able to give the position to the (secretly) preordained favorite.
This is exactly what is happening with pay-for-vulnerability gigs. They already know who knows the vulns (usually someone in the pool of people who wrote the software or someone who, in years past, designed the hardware on which it runs) and they already have their preferred winner selected. The task is then on to construct the game show such that more money can be made off of parading the contestants around.
It's the same way insider trading is covered up. It's the same way that political elections are run.
My school would do this for me so I would stop getting suspended.
No. What you said is not an analogy. Normal bounty hunters would look for exploiters on the lamb.
Here's my view: the one and only point of trying to find a vulnerability is to find the vulnerability. You don't care how it's done, you want that vulnerability found while you still have SOME control over it instead of after it's been out in the wild, and you have to patch around it. What's the best way to find your vulnerabilities? Have outsiders working towards a prize. Not only is it good publicity, looks great on the winner's resume, you find just about everything wrong with your product. It's truly win-win.
Anything that is the most thorough way of eventually getting the programme secure is the best way to go about it. Period.
Let's stop dilly-dallying and just change "-1: Overrated" to "-1: Disagree" or "-1: Doesn't Subscribe to Groupthink".
Wow. How is it that an "ex-hacker" who now "specialises in security from the white hat side of the fence" (from the author's bio) can have so little clue about the responsible disclosure debate and the economics of modern vulnerability research? Maybe getting lambasted on Slashdot will be a wake-up call for him to actually do his homework before he spouts off.
Better to light a candle than to curse the darkness.
In the US, bounty hunters have legal protection to do what they do. If a company puts up a juicy reward for finding a security hole, the person coming forward could easily get the shaft and then be prosecuted under DMCA.
At least on the black market, you know, honor among thieves.
More Twoson than Cupertino
Nice way to take the situation out of context with the snippet here on /. I think the important question isn't whether public, for-pay security hunting is a good idea, but rather if it's ethical for an outside firm to pay for it. Would anyone have batted an eye if Apple had been the one advertising for a hack for the Mac? I don't think so, they'd probably have been lauded for having the wherewithal to offer good money to people to help them find exploits of their software.
Which is why, especially in the IT security business, there needs to be a code of conduct with regard to responsible disclosure.' Do you think there's any truth to this? Or is it a better idea to find the vulnerabilities as fast as possible, damn the consequences?"
Considering how quickly companies tend to SUE you for disclosing a vulnerability, I don't think there can be any true code of conduct between hackers and companies. Not unless the companies start making it (public) policy that they WILL NOT sue you as long as you disclose a vulnerability to them first, and give them a reasonable time to fix it before going public.
I think that'll never happen though, and the only way to safeguard a hacker is to make legislation against those type of lawsuits.
I also think that'll never happen either, considering how firmly planted the lips of those companies are to the politician's ass... So *#@& 'em, we just need a good way to disclose anonymously.
-- If we don't stand up for our rights, now, there will be no right to stand up for them later.
Yes, I think there is some truth to this. Wait...Huh? What did he say? This summary is incomprehensible.
"They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
No, that would be illegal. If a cop does it to you, it's entrapment, but in this case it would be... hell, I don't know what it would be. But by throwing the contest they're inviting people to attack their software, and unless your lawyer is utterly incompetent, the DMCA would not apply because you had express permission.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I'm 24 years old. I don't want to go through the next 50 years of my life living in an international air of worry and uncertainty. I don't want to live in a permanent state of fear, generated by a megalomaniacal American government taking advantage of the majority low IQ populous' capacity for being brainwashed.
I don't want to live like Israel, fighting militant Muslims round every corner. The problem of Muslim extremists exists and needs to be dealt with, not encouraged by invading innocent countries and waging war on people who have done nothing to deserve it. I want my children to grow up in a world free from military oppression and I want a government that understands that the wars of the future are guerrilla ones which can never be won, even if they are waged for noble purposes (which theirs never are).
The world is fu*cked up enough as it is. The food chain has been poisoned so badly the average human is full of chemicals normally found in plastics and toxic waste. I'm sick of global warming and environmental damage to the planet and the fact that all this time the greenies were right. I'm sick of America being the biggest wilful contributor to the pollution of the planet.
I'm sick of an American school system that produces children who are brought up to believe that America IS the world and anything that goes on outside is irrelevant. Children so stupid they think America invented the Internet, computer, motor car, light bulb, telephone etc ad infinitum....
The Internet or its successor is the future of entertainment and I'm sick of stupid low IQ, ignorant Americans infecting every corner of it with their insular, jingoistic mindsets, their whiny voices and manifestations of their low self esteem driven by the fact that despite it being their turn as the world's super power, no one actually takes them seriously or gives them the respect that the British or the Ancient Greeks got because a superpower best known for producing mass produced crap is never going to get the respect that one who gave the world Shakespeare, culture, philosophy or mathematics will get.
I'm sick of hypocrisy and two facedness. I'm sick of Gangsta Rap and hamburgers, Political Correctness and TV programmes that begin with 'When' and end in 'go bad and attack people'. I'm sick of reality TV and I'm sick of news programmes that are more censored than accurate. I'm sick of tokens, token minorities, token universities, token degrees, token attempts at the truth, tokens. I'm sick of fat people, ugly people, stupid people, gay people, coloured people, female people, whiny people all complaining they don't have the opportunities in life they would like and it must be someone else's fault. I'm sick of women that act like men and femininity being a crime, unless you're a man in which case you're a new man which nobody ever wanted because there was nothing wrong with the old one. I'm sick of people falling over and suing the ground and people watching nipples and suing the TV and I'm sick of coffee cups with 'don't pour over yourself, you may get burnt' on the side to try and counter this.
I'm sick of stupid Americans who don't know the difference between patriotism and jingoism and who think flag waving should be an Olympic event. I'm sick of Americans who cry that people hate them or are jealous of them or who are anti them because someone dares to point out that the America they've been programmed to believe in from birth bears no relation to the one that exists in real life.
Not even that. Normal bounty hunters would look for accused exploiters on the lam. Or did we decide that if you are on bail then you are guilty. If so, why are we letting guilty go free for a short time?
Stop Global Warming!
Just say no to irreversible processes!
They released a product with security holes in it, they should pay to have them found.
If a construction company builds a bridge with defects that causes it to fall on someone, that someone can sue them.
If a software company makes an insecure product, and someone gets pwned because of it, they should be allowed to sue for damages.
Yes security holes aren't easy to find in big products, but it should never be an excuse for a company (especially those that make billions, wink wink) for them to release unsafe products.
I'm not an expert in the field and I expect to be criticized as such.
But I have always held to the simple and logical principle that if it can be fixed or patched, then the problem could have been avoided in the first place with good coding practice and code review.
I have heard from countless sources (like BugTraq and other security lists as well as professionals in the field) that 99.9% of these bugs come from lazy programmers writing code in ways that they [should] know better than to do. It happens when "quick and dirty" prototype code somehow makes it into production. It happens when the programmer is simply unaware of the problem. It happens for some reasons that are fairly understandable, but let's pause for a moment and consider why people still buy software over open source. Among the reasons, one common reason is that commercial code is "professional code" and as such is expected to have been created by trained professionals, using professional standards, methods and techniques. (It's public expectation, not the truth.) But in my mind, if your product is to be considered worthy of public consumption and you would like to be considered nothing less than professional, then perhaps you should write code to professional standards and use professional methods and practices.
Yes, there are buggy libraries beyond the control of many programmers. But by definition, it's not the programmer's fault or responsibility unless, of course, the programmer KNEW about the problem and failed to work around it. But all these stack overflows, underflows, sideways-flows (I just made that up) and stuff like that is simply unforgivable when it comes from "professionals" selling their commercial wares. If they don't have the knowledge, then they should quit what they are doing until they have it. In architecture, medicine and many other professional fields, there are serious things that can happen to their licenses should they fail to behave and perform professionally. Somehow the profession of writing code has escaped that level of professional regulation... and well? Look at the consequences.
Well, that really depends on how exactly the contest is stated. If you discover an exploit and then make an announcement about it at the same time you try to claim the prize, the company might turn around and sue you, saying that you didn't have the right to announce the exploit to the general public without their express permission. If on the other hand you discover it and only tell them and they try to sue you, yes, then you could pretty much laugh them out of court.
Curiosity was framed, Ignorance killed the cat.
Of course paying hackers is a good idea, if you want to generate any interesting code... Oh, wait a minute. Slashdot has bought into the lowest common denominator usage of "hacker" to mean a cracker. And here I thought my opinion of the Slashdot moderators couldn't get any lower, after I had moderation privs revoked for daring to criticize them on other matters...
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
What's wrong with both?
Nothing. Both Cops and Dog the bounty hunter get cool TV shows. Clearly that is the solution.
Buying vulnerability info from a third party is just outsourcing your QA. It's just buying testing + bug reporting.
If a third party demands money to keep QUIET about a vulnerability, that's extortion.
Much of the animosity here is that many security researchers specialize in breaking things--they haven't ever worked on engineering a large, complex system. They just don't understand how much time is required to test code before it is released. Also, the legal teams for many companies just don't understand that alienating security researchers by filing lawsuits is only going to make their situation worse.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
OK, let's suppose you were to have a standard "date" and didn't pay. You might think this is just dandy, perfectly fine business but in fact the hooker probably has some associates who would be willing to break your kneecaps for that money. So from that perspective, paying hookers is definitely good for business.
---GEC
I'm but the humble pupil, seeking to snatch the scratchbuilt pebble from the master's fully articulated hand
Well, that really depends on how exactly the contest is stated. If you discover an exploit and then make an announcement about it at the same time you try to claim the prize, the company might turn around and sue you, saying that you didn't have the right to announce the exploit to the general public without their express permission. If on the other hand you discover it and only tell them and they try to sue you, yes, then you could pretty much laugh them out of court.
At least, we'd like to believe so. Remember, justice != logic.
Thank God for evolution.
The problem with your argument is it's much harder to create a secure software product than it is to create a secure bridge. This is especially true because delaying construction of a bridge for a month can be done without competitors swooping in and taking the market.
I'm a UK cit, I work in infosec, and I've a friend who's an IT hack (er, that is, journalist :) ). I have no idea who the UKITSJotY might be. My non-UK SIJOTY is Bruce Schneier, same as last year and the year before that, with Peter Neumann a close second.
Everything I needed to know about life, I learnt from Blake's Seven
Please mod up the "hacker-truth, moderator-bashing" post!
Come on, damnit, no whammies!
---GEC
I'm but the humble pupil, seeking to snatch the scratchbuilt pebble from the master's fully articulated hand
I have a better idea.
Why not hire a professional team of assessment professionals to look at your stuff?
I'm not talking a lame corporate-compliance team, but a highly experienced team of world-class hackers, who are employed by an extremely reputable company and managed by an experienced staff capable of communicating problems quickly and completely.
Try this one: www.accuvant.com
Then you don't have any of these issues.
Of course, that wouldn't necessarily be as cheap. I think $10,000 would definitely be on the extreme low end of a simple job.
Stew
There are 10 kinds of people in the world. Those who understand binary and those who don't.
"Responsible disclosure" would have been great, except that history has shown us that it usually doesn't work. When "responsible disclosure" has been tried the vulnerability has lingered (especially with the larger corporations). When the vulnerability has been openly disclosed, then suddenly the software gets a patch. If history had been different then perhaps we would give the idea consideration. But it wasn't, and it was a problem created by the software companies themselves, so here we are today reaping the seeds that were sown.
pay me now or pay me later... your call nub....
Security industry commentators fallaciously believe that it is the announcement of the existence of a vulnerability that puts users at risk, not the vulnerability itself. As an illustration, compare this QuickTime vulnerability with the Microsoft Windows Animated Cursor (ANI) vulnerability.
The ANI vulnerability was reported to Microsoft in December 2006 by Determina. Completely independently, this vulnerability was reported as being exploited in the wild on March 29th by Microsoft and on April 3, an official patch from Microsoft was released. It is unknown how long the vulnerability was being exploited in the wild before Microsoft's announcement.
In this case, the live demonstration of the QuickTime exploit at the conference was performed over a controlled network to prevent anyone else from sniffing the network traffic. The only details released over the weekend were, "A vulnerability affecting Safari on MacOS X". The fact that the vulnerability was in QuickTime's Java components was only revealed on the subsequent Monday, after the vulnerability had been reported to Apple. These details were revealed so that users could take appropriate action (disabling Java) to protect themselves in the meantime. Apple subsequently released a patch one week later.
With the ANI vulnerability, Microsoft took 4 months to fix a very serious vulnerability. During that time, countless Internet users were compromised with attacks based on that vulnerability. With the QuickTime vulnerability, Apple took 1 week to fix the vulnerability, and there have been *no* reports of Macs or PCs being compromised using that vulnerability, beyond the MacBook Pro at the contest.
The publicity of the contest actually sped up the process of addressing the vulnerability, thus putting fewer users at risk. Had Microsoft taken 1 week to address the ANI vulnerability, we would have avoided the rash of infections that came in mid to late March. Blame the vulnerability, not the messenger.
If we can create a situation where bug disclosures are maximized, the products with the most serious security problems will die, and likely take their companies with them. So if you're a company that reasonably believes your products have few if any such bugs, your smartest bet is to encourage all companies to offer rewards to hackers - if you're right about the quality of your products, it will take your competition down and leave you standing.
As a customer, then, who should you buy from? The companies with the confidence in their products to offer hacker rewards, or the ones with so little confidence that they don't? Yes, some of the first will be wrong about their products; but virtually all of the latter will be correct.
"with their freedom lost all virtue lose" - Milton
More terminological abuse from Slashdot editors:
"Linux" instead of "GNU/Linux" (when not referring specifically to the Linux kernel)
"piracy" instead of "copyright infringement"
I am sure we could dig up more.
I'm not sure if people would agree, but in my opinion, looking back at history, I think the consumers (which is most of us I suppose?) got fed up with vendors not dealing with the vulnerabilities of their software (and some of them going out of their way and sometimes calling it a "feature").
Pretty soon it became a trend to disclose known vulns -- for leverage? -- everybody getting together because they wanted a solution - a fix - so they stop getting screwed (again and again), and here we are today, with added hype, and business models which create just another revenue stream.
Whether code of conduct or not (which the article seems to argue), I'm not wise enough to boldly say which is good or bad, but if at least someone nice enough discloses a problem, it would surely make me feel a little better because I could make choices to think about it and do something about it (and maybe help others?).
That's another reason why I chose to use open source OSs/software as much as possible (not that I'm siding with any side), because if something needed doing, I could open the hood up and see, think, and most likely fix something about it, instead of "working around" some problem and knowing that it's not fixed.
just my opinion
(sorry if this was a little off topic)
GUI == Graphical User Interference
In humans in general, you get behaviors that are rewarded or reinforced. You reward hacking, cracking and exploits and you will get more of it. Mostly focused in directions you didn't even dream of originally.
And the new crop of victims will never know who to thank.
Basically, most EULAs will leave you hanging out to dry in this regard. They'll make sure you acknowledge that the company isn't responsible for security breaches, or at the very least you waive your right to sue for damages in such an instance.
Funtime Candy Wow! - my plan for eventually conquering Japan.
Generally, the accused but innocent don't take off. They stay in the state like they're supposed to, they show up to their trial, and then they most often get acquitted. Violating bail is, in fact, a crime, so a bail jumper is a criminal, regardless of whether or not he's guilty of the crime he put up bail for.
I see your informative link, and raise you a pithy comment.
"Normal bounty hunters would look for exploiters on the lamb"
;-)
You're going to feel sheepish when you realize that should be "on the lam".
A cheerful little bird is sitting here singing.
This is slashdot, so where's the car analogy?