Is Paying Hackers Good for Business?
Jenny writes "In the light of the recent QuickTime vulnerability, revealed for $10,000 spot cash, the UK IT Security Journalist of the Year asks why business treats security research like a big money TV game show. 'There can be no doubt that any kind of public vulnerability research effort will have the opportunity to turn sour, both for the company promoting it and the users of whatever software or service finds itself exposed to attack without any chance to defend itself. Throw a financial reward into the mix and the lure of the hunt, the scent of blood, is going to be too much for all but the most responsible of hackers. There really is no incentive to report their findings to the vulnerable company, and plenty not to. Which is why, especially in the IT security business, there needs to be a code of conduct with regard to responsible disclosure.' Do you think there's any truth to this? Or is it a better idea to find the vulnerabilities as fast as possible, damn the consequences?"
0-Day exploits are already big business on the black market, better for the companies to pay for disclosure and have a more secure product, than for the exploits to be sold off on the black market and only discovered after a significant portion of the user base has been compromised.
Curiosity was framed, Ignorance killed the cat.
Is why would such contests HAVE to report what vulnerability successfully got through. Shouldn't the company holding the contest, the successful hacker, and the companies whose software was involved in the vulnerabilities be the only ones who know?
Why couldn't one just announce "Joe Bob McHobo was the winner!" without publicizing the vulnerability itself before the software's author gets a crack at it?
Humanity is weird.
Ice Cream has no bones.
The value of finding security holes is in disclosing them to everyone, particularly the affected vendor.
The most damaging holes are the ones that only the bad guys know about. This doesn't tend to advance security in software, it just allows people to take over your machine without your permission.
Security research or incentivization schemes that don't include a built-in mechanism to promote disclosure of the discovered problems won't help much.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
'Responsible disclosure' is a euphemism for 'we can't fix bugs fast enough, so if you keep the vulnerabilities a secret, it'll help us to save face.' And more time often means months, not days. Responsible disclosure is nothing more than security through obscurity. And security through obscurity is as good as no security at all. In the intervening months, you have a live, exploitable hole sitting there ripe for attack! And not just on that one system -- every like-configured system is vulnerable. I say, damn the consequences. Report as soon as possible no matter who it embarrasses. It'll either put more pressure on them to fix the bugs faster, or push users to more secure platforms, where security fixes don't take months and are usually found before they're ever exploited in the wild.
why business treats security research like a big money TV game show
Maybe because the bugs they find are "showstoppers"?
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
What's the difference between you charging me for information , & me charging you for information ?
You quit charging me for your information, I'll quit charging you for mine.
Make no mistake, there's plenty of people out there perfectly willing to pay me for my information.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
The problem with your analogy is that "bounty hunters" in the infosec debate would actually be searching for the exploiters, not the exploits.
Remember the semi-cynical description of job descriptions? From a random job seeker's point of view all job descriptions are things that they're seeking to fit themselves to so that they can qualify for a job. In reality, though, job descriptions are the result of careful, diligent, and deliberate definition by HR departments who already have a candidate in mind. It is their goal, then, to write a job description which is sufficiently vague to put on a good show of interviewing candidates (and neutralizing any claims of discrimination, nepotism, or favoritism) while still being able to give the position to the (secretly) preordained favorite.
This is exactly what is happening with pay-for-vulnerability gigs. They already know who knows the vulns (usually someone in the pool of people who wrote the software or someone who, in years past, designed the hardware on which it runs) and they already have their preferred winner selected. The task is then on to construct the game show such that more money can be made off of parading the contestants around.
It's the same way insider trading is covered up. It's the same way that political elections are run.
My school would do this for me so I would stop getting suspended.
No. What you said is not an analogy. Normal bounty hunters would look for exploiters on the lamb.
Here's my view: the one and only point of trying to find a vulnerability is to find the vulnerability. You don't care how it's done, you want that vulnerability found while you still have SOME control over it instead of after it's been out in the wild, and you have to patch around it. What's the best way to find your vulnerabilities? Have outsiders working towards a prize. Not only is it good publicity, looks great on the winner's resume, you find just about everything wrong with your product. It's truly win-win.
Anything that is the most thorough way of eventually getting the programme secure is the best way to go about it. Period.
Let's stop dilly-dallying and just change "-1: Overrated" to "-1: Disagree" or "-1: Doesn't Subscribe to Groupthink".
Wow. How is it that an "ex-hacker" who now "specialises in security from the white hat side of the fence" (from the author's bio) can have so little clue about the responsible disclosure debate and the economics of modern vulnerability research? Maybe getting lambasted on Slashdot will be a wake-up call for him to actually do his homework before he spouts off.
Better to light a candle than to curse the darkness.
In the US, bounty hunters have legal protection to do what they do. If a company puts up a juicy reward for finding a security hole, the person coming forward could easily get the shaft and then be prosecuted under DMCA.
At least on the black market, you know, honor among thieves.
More Twoson than Cupertino
Nice way to take the situation out of context with the snippet here on /. I think the important question isn't whether public, for-pay security hunting is a good idea, but rather if it's ethical for an outside firm to pay for it. Would anyone have batted an eye if Apple had been the one advertising for a hack for the Mac? I don't think so, they'd probably have been lauded for having the wherewithal to offer good money to people to help them find exploits of their software.
Which is why, especially in the IT security business, there needs to be a code of conduct with regard to responsible disclosure.' Do you think there's any truth to this? Or is it a better idea to find the vulnerabilities as fast as possible, damn the consequences?"
Considering how quickly companies tend to SUE you for disclosing a vulnerability, I don't think there can be any true code of conduct between hackers and companies.. Not unless the companies start making it (public) policy that they WILL NOT sue you as long as you disclose a vulnerability to them first, and give them a reasonable time to fix it before going public.
I think that'll never happen though, and the only way to safeguard a hacker is to make legislation against those type of lawsuits.
I also think that'll never happen either, considering how firmly planted the lips of those companies are to the politician's ass... So *#@& 'em, we just need a good way to disclose anonymously.
-- If we don't stand up for our rights, now, there will be no right to stand up for them later.
No, that would be illegal. If a cop does it to you, it's entrapment, but in this case it would be... hell, I don't know what it would be. But by throwing the contest they're inviting people to attack their software, and unless your lawyer is utterly incompetent, the DMCA would not apply because you had express permission.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Not even that. Normal bounty hunters would look for accused exploiters on the lam. Or did we decide that if you are on bail then you are guilty. If so, why are we letting guilty go free for a short time?
Stop Global Warming!
Just say no to irreversible processes!
They released a product with security holes in it, they should pay to have them found.
If a construction company builds a bridge with defects that causes it to fall on someone, that someone can sue them.
If a software company makes an insecure product, and someone gets pwned because of it, that should be allowed to sue for damages.
Yes security holes aren't easy to find in big products, but it should never be an excuse for a company (especially those that make billions, wink wink) for them to release unsafe products.
Well, that really depends on how exactly the contest is stated. If you discover an exploit and then make an announcement about it at the same time you try to claim the prize, the company might turn around and sue you saying that you didn't have the right to announce the exploit to the general public without their express permission. If on the other hand you discover it and only tell them and they try to sue you, yes, then you could pretty much laugh them out of court.
Of course paying hackers is a good idea, if you want to generate any interesting code... Oh, wait a minute. Slashdot has bought into the lowest common denominator usage of "hacker" to mean a cracker. And here I thought my opinion of the Slashdot moderators couldn't get any lower, after I had moderation privs revoked for daring to criticize them on other matters...
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
What's wrong with both?
Nothing. Both Cops and Dog the bounty hunter get cool TV shows. Clearly that is the solution.
So many of us are alluding to this, but so few are actually calling it out
“No incentive” !? Is $10,000 so lacking as to be deemed a non-incentive ? Why is this statement disagreeing with the premise of the article?
I believe the gist is this: When a developer opens the door to the community, and puts up a cash reward for finding vulnerabilities, what's to keep the “black hats” from keeping the exploits to themselves? (potentially selling them underground and making more in illicit revenues than the amount posted as a bona-fide reward) They attempt to introduce pseudo-psychological factors (which only help to confuse the matter) but essentially address the core morality of the coder community.
TFA seems just as confused as OP about the exact point they are both trying to make. I think the headline should read, How much is the color of your hat worth?
In the case of Apple, what if the hacker found a way to make $100,000 from the exploit, rather than just settle for the one-time $10,000 payoff? Would it have been enough to keep someone honest?
I think this brings us to a most compelling question. What's a “white hat” worth? What amount could be called a “standard bounty” for finding vulnerability in code? Also, support a stance on whether such rewards are a “bounty” or a “sellout price”.
(I can hear the knuckles cracking already...)
This post © Copyrite Duggeek, all rights reversed.
Buying vulnerability info from a third party is just outsourcing your QA. It's just buying testing + bug reporting.
If a third party demands money to keep QUIET about a vulnerability, that's extortion.
Much of the animosity here is that many security researchers specialize in breaking things--they haven't ever worked on engineering a large, complex system. They just don't understand how much time is required to test code before it is released. Also, the legal teams for many companies just don't understand that alienating security researchers by filing law suits is only going to make their situation worse.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
OK, let's suppose you were to have a standard "date" and didn't pay. You might think this is just dandy, perfectly fine business but in fact the hooker probably has some associates who would be willing to break your kneecaps for that money. So from that perspective, paying hookers is definitely good for business.
---GEC
I'm but the humble pupil, seeking to snatch the scratchbuilt pebble from the master's fully articulated hand
Well, that really depends on how exactly the contest is stated. If you discover an exploit and then make an announcement about it at the same time you try to claim the prize, the company might turn around and sue you saying that you didn't have the right to announce the exploit to the general public without their express permission. If on the other hand you discover it and only tell them and they try to sue you, yes, then you could pretty much laugh them out of court.
At least, we'd like to believe so. Remember, justice != logic.
Thank God for evolution.
I am a security analyst by profession and education [not that it matters, but as a distinction of the previous poster's non-security background].
... there are vast categories of vulnerabilities that end up compiled in code unnecessarily. And a great place to start for anyone looking to weed these unforgivable buffer overrun types of issues out of their code is to use a static analyzer on their code. Essentially, static analysis tools attempt to catch these obvious (or sometimes not so obvious) bugs before the code is shipped to customers. Fortify Software is a great place to look for such a tool.
You are somewhat correct. Sloppy coding techniques do lead to security vulnerabilities which lead to exploit code which eventually lead to websites burning, etc. However, that is only one category of security flaws. If you look at, say the GDI flaws Microsoft had last year (for example), you'll notice that vulnerability is actually a design flaw-- allowing executable code to live embedded in file objects was the problem [the embedded code's trustworthiness had no mechanism to be measured and therefore any user double-clicking on a malicious code-within-an-image file would have their system compromised]. Design flaws are much more tricky to prevent and most experts attempting to solve this problem suggest that development houses should leave the design aspects of their code to people with a background in security principles, or at least have some sort of design-time security review. This is mostly what formalized threat modeling attempts to do.
But you are right
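The "unforgivable buffer overrun" the quoted poster has in mind, shown beside a bounded replacement. This is an added illustration, not code from either commenter or from any analysis product; the buffer size, the function names and the greeting format are assumptions made for the example. The first function is the pattern a static analyzer flags (unbounded strcpy into a fixed stack buffer); the second rejects over-long input with an error code instead of smashing the stack.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed-size buffer for the example */

/* Vulnerable version: unbounded strcpy into a fixed-size stack buffer.
 * Nothing checks strlen(src) against NAME_MAX, so any input of NAME_MAX
 * bytes or more overruns `name` (undefined behaviour, classic stack smash).
 * This is exactly the pattern a static analyzer reports. Only call it with
 * short input. */
int greet_unsafe(const char *src, char *out, size_t out_len) {
    char name[NAME_MAX];
    strcpy(name, src);                      /* no bound on src */
    return snprintf(out, out_len, "hello %s", name);
}

/* Hardened version: measure at most NAME_MAX bytes, refuse anything that
 * would not fit together with its terminating NUL, then do a bounded copy.
 * Returns the snprintf result on success, -1 if the input was too long. */
int greet_safe(const char *src, char *out, size_t out_len) {
    char name[NAME_MAX];
    size_t n = 0;
    while (n < NAME_MAX && src[n] != '\0')  /* bounded length scan */
        n++;
    if (n == NAME_MAX)                      /* no room for the NUL */
        return -1;
    memcpy(name, src, n);
    name[n] = '\0';
    return snprintf(out, out_len, "hello %s", name);
}

int main(void) {
    char out[64];
    /* constructed inputs: one that fits, one that is too long */
    printf("%d %s\n", greet_safe("bob", out, sizeof out), out);
    printf("%d\n", greet_safe("0123456789abcdef", out, sizeof out));
    return 0;
}
```

The point of the pair is that the safe variant turns the failure mode from memory corruption into a checkable return value, which is what a static tool is trying to push a code base toward; the design flaws discussed in the reply above (trusting embedded executable content) are a different class and are not caught by this kind of local check.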
The problem with your argument is it's much harder to create a secure software product than it is to create a secure bridge. This is especially true because delaying construction of a bridge for a month can be done without competitors swooping in and taking the market.
I'm a UK cit, I work in infosec, and I've a friend who's an IT hack (er, that is, journalist :) ) I have no idea who the UKITSJotY might be. My non-UK SIJOTY is Bruce Schneier, same as last year and the year before that, with Peter Neumann a close second.
Everything I needed to know about life, I learnt from Blake's Seven
I'd *far* rather make $10,000 legally than $100,000 illegally. This is true of most people. The former is just a better long-term plan.
But this debate is a bit silly since there are any number of legal firms that pay bounties for exploits in popular software, then extort huge "security consulting" fees out of the vendors to reveal these exploits. When the company offers the bounty directly it just cuts out the middle-man.
Socialism: a lie told by totalitarians and believed by fools.
Hey, n.p., I was with you all the way until you got into the stuff about girly-men ;p
Please mod up the "hacker-truth, moderator-bashing" post!
Come on, damnit, no whammies!
---GEC
I have a better idea.
Why not hire a professional team of assessment professionals to look at your stuff?
I'm not talking a lame corporate-compliance team, but a highly experienced team of world-class hackers, who are employed by an extremely reputable company and managed by an experienced staff capable of communicating problems quickly and completely.
Try this one: www.accuvant.com
Then you don't have any of these issues.
Of course, that wouldn't necessarily be as cheap. I think $10,000 would definitely be on the extreme low end of a simple job.
Stew
There are 10 kinds of people in the world. Those who understand binary and those who don't.
"Responsible disclosure" would have been great, except that history has shown us that it usually doesn't work. When "responsible disclosure" has been tried the vulnerability has lingered (especially with the larger corporations). When the vulnerability has been openly disclosed, then suddenly the software gets a patch. If history had been different then perhaps we would give the idea consideration. But it wasn't, and it was a problem created by the software companies themselves, so here we are today reaping the seeds that were sown.
If we can create a situation where bug disclosures are maximized, the products with the most serious security problems will die, and likely take their companies with them. So if you're a company that reasonably believes your products have few if any such bugs, your smartest bet is to encourage all companies to offer rewards to hackers - if you're right about the quality of your products, it will take your competition down and leave you standing.
As a customer, then, who should you buy from? The companies with the confidence in their products to offer hacker rewards, or the ones with so little confidence that they don't? Yes, some of the first will be wrong about their products; but virtually all of the latter will be correct.
"with their freedom lost all virtue lose" - Milton
More terminological abuse from Slashdot editors:
"Linux" instead of "GNU/Linux" (when not referring specifically to the Linux kernel)
"piracy" instead of "copyright infringement"
I am sure we could dig up more.
In humans in general, you get behaviors that are rewarded or reinforced. You reward hacking, cracking and exploits and you will get more of it. Mostly focused in directions you didn't even dream of originally.
And the new crop of victims will never know who to thank.
Basically, most EULAs will leave you hanging out to dry in this regard. They'll make sure you acknowledge that the company isn't responsible for security breaches, or at the very least you waive your right to sue for damages in such an instance.
Funtime Candy Wow! - my plan for eventually conquering Japan.
Generally, the accused but innocent don't take off. They stay in the state like they're supposed to, they show up to their trial, and then they most often get acquitted. Violating bail is, in fact, a crime, so a bail jumper is a criminal, regardless of whether or not he's guilty of the crime he put up bail for.
I see your informative link, and raise you a pithy comment.
I'm sick of international people who use the word "American" to typify a country and culture without considering that in fact they just characterized an entire geographic area with flame.
I'm sure anti Americans regret any collateral damage they cause.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
"Normal bounty hunters would look for exploiters on the lamb"
;-)
You're going to feel sheepish when you realize that should be "on the lam".
A cheerful little bird is sitting here singing.
This is slashdot, so where's the car analogy?