Slashdot Mirror


Is Paying Hackers Good for Business?

Jenny writes "In the light of the recent QuickTime vulnerability, revealed for $10,000 spot cash, the UK IT Security Journalist of the Year asks why business treats security research like a big money TV game show. 'There can be no doubt that any kind of public vulnerability research effort will have the opportunity to turn sour, both for the company promoting it and the users of whatever software or service finds itself exposed to attack without any chance to defend itself. Throw a financial reward into the mix and the lure of the hunt, the scent of blood, is going to be too much for all but the most responsible of hackers. There really is no incentive to report their findings to the vulnerable company, and plenty not to. Which is why, especially in the IT security business, there needs to be a code of conduct with regard to responsible disclosure.' Do you think there's any truth to this? Or is it a better idea to find the vulnerabilities as fast as possible, damn the consequences?"

16 of 94 comments

  1. Too late by orclevegam · · Score: 5, Insightful

    0-Day exploits are already big business on the black market. It is better for the companies to pay for disclosure and have a more secure product than for the exploits to be sold off on the black market and only discovered after a significant portion of the user base has been compromised.

    --
    Curiosity was framed, Ignorance killed the cat.
    1. Re:Too late by lgw · · Score: 3, Insightful

      There's a simple solution to this. Stop writing sloppy, insecure, poorly-managed code, and actually MAKE a product that works as advertised and is fairly secure. Hackers go after the low-hanging fruit. This is nothing more than a product of the 'get it out the door as quick as possible, damn the consequences' software industry mentality. While this comment is more flaming than is perhaps strictly necessary, this is certainly the heart of the problem. Security best practices are no longer a dark art. In my experience, people often do extra work to create security holes in their products.

      If it were just the case that companies were ignoring the security issues in development because it was cheaper, well, that's business for you, but the reverse is commonly true. I'm simply amazed by the frequency with which people write their own products from scratch in areas where products that have already had all the "low hanging fruit" patched are freely available for commercial use!

      Here's a hint: you're not going to save any money by writing your own user authentication mechanism, or your own RPC infrastructure, or your own file encryption software, or your own network traffic encryption software. You're spending money to re-invent the wheel, and you're getting a trapezoid with an off-center axle!
      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  3. What I fail to understand by Adambomb · · Score: 3, Insightful

    Is why such contests would HAVE to report what vulnerability successfully got through. Shouldn't the company holding the contest, the successful hacker, and the companies whose software was involved in the vulnerabilities be the only ones who know?

    Why couldn't one just announce "Joe Bob McHobo was the winner!" without publicizing the vulnerability itself before the software's author gets a crack at it?

    Humanity is weird.

    --
    Ice Cream has no bones.
  4. Responsible disclosure by morgan_greywolf · · Score: 3, Insightful

    'Responsible disclosure' is a euphemism for 'we can't fix bugs fast enough, so if you keep the vulnerabilities a secret, it'll help us to save face.' And more time often means months, not days. Responsible disclosure is nothing more than security through obscurity. And security through obscurity is as good as no security at all. In the intervening months, you have a live, exploitable hole sitting there ripe for attack! And not just on that one system -- every like-configured system is vulnerable. I say, damn the consequences. Report as soon as possible no matter who it embarrasses. It'll either put more pressure on them to fix the bugs faster, or push users to more secure platforms, where security fixes don't take months and are usually found before they're ever exploited in the wild.

    1. Re:Responsible disclosure by malcomvetter · · Score: 4, Insightful

      'Responsible disclosure' is a euphemism for 'we can't fix bugs fast enough, so if you keep the vulnerabilities a secret, it'll help us to save face.'

      Wrong. Responsible Disclosure is an attempt to curb the greater than linear complexity associated with testing patches.

      If a bug is found in product X, then all applications that reside upon product X need to be validated as functional. In an enterprise, that could include applications plus interfaces that are unique to that organization. Most studies on code complexity find that complexity increases at a greater than linear clip. Responsible Disclosure is the opportunity to level the playing field between the "good guys" and the "bad guys" (deliberately avoiding hat color references).

      Anyone who claims Full Disclosure is the best for his company is:
      A) Not a sysadmin at all
      B) A lazy sysadmin who refuses to fully test patches
      -OR-
      C) A vulnerability pimp (e.g. IDS, AV, Vuln Assessment, etc.)

    2. Re:Responsible disclosure by 99BottlesOfBeerInMyF · · Score: 3, Interesting

      Responsible disclosure is nothing more than security through obscurity. And security through obscurity is as good as no security at all.

      Actually, security through obscurity is very functional and useful as part of a security scheme. Your password is security through obscurity. Why don't you just give it to everyone if it makes no difference?

      In the intervening months, you have a live, exploitable hole sitting there ripe for attack!

      And if you disclose the wrong vulnerability to the general public you have a live, exploitable hole that everyone knows about sitting there ripe for attack. Which is better?

      Responsible disclosure is simply evaluating what is best for the security of users and disclosing in that manner. In some cases, the best thing for overall security is immediate, public disclosure to pressure the vendor into fixing the hole more quickly and to give users a chance to work around the vulnerability. In other cases, where the vendor is responsive and there is no easy way to mitigate the vulnerability for the end user, immediate disclosure increases the risk to users with no real benefit.

      I say, damn the consequences. Report as soon as possible no matter who it embarrasses.

      Who is embarrassed is immaterial. Ignoring the likely consequences of your disclosure method, however, is irresponsible, which is why the alternative is called "responsible disclosure."

      It'll either put more pressure on them to fix the bugs faster...

      In many cases the vendor is very motivated and goes to work with all their resources immediately. Take a look at the OmniWeb vulnerability published by the MOAB project. Omnigroup implemented a fix within a day and had it available for download, but they do the same thing for bugs disclosed to them privately. All the immediate disclosure did was give hackers more time to exploit the problem before the fix reached users. Disclosing a vulnerability to the public before sending it to a responsible and security-minded development team is good for no one but blackhats. Also, rushing vendors to write code faster can result in more bugs in said code, including other vulnerabilities or bugs.

      ...or push users to more secure platforms where security fixes don't take months and are usually found before they're ever exploited in the wild.

      Please. Most users will not switch platforms because of security issues and many are locked into MS's desktop monopoly by some software they absolutely need and price constraints. The vast majority of users never even hear about security vulnerability disclosure in the first place.

      Here's a tip for you from someone who does work in the security industry. If you're looking for a job in the field, don't expose your irresponsible ideas about disclosure if you want a chance at being hired somewhere respectable.

  5. hmm by eclectro · · Score: 3, Insightful

    why business treats security research like a big money TV game show

    Maybe because the bugs they find are "showstoppers"?

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  6. I wish... by firpecmox · · Score: 4, Funny

    My school would do this for me so I would stop getting suspended.

  7. Stunning by Pheersome · · Score: 3, Insightful

    Wow. How is it that an "ex-hacker" who now "specialises in security from the white hat side of the fence" (from the author's bio) can have so little clue about the responsible disclosure debate and the economics of modern vulnerability research? Maybe getting lambasted on Slashdot will be a wake-up call for him to actually do his homework before he spouts off.

    --
    Better to light a candle than to curse the darkness.
    1. Re:Stunning by merreborn · · Score: 3, Funny

      Maybe getting lambasted on Slashdot will be a wake-up call for him to actually do his homework before he spouts off.
      Wait, you mean there are stories/authors who don't get lambasted on slashdot?
      I thought we pretty much did our best to rip every story to shreds?

  8. Re:Bounty Hunters by Applekid · · Score: 4, Interesting

    In the US, bounty hunters have legal protection to do what they do. If a company puts up a juicy reward for finding a security hole, the person coming forward could easily get the shaft and then be prosecuted under DMCA.

    At least on the black market, you know, honor among thieves.

    --
    More Twoson than Cupertino
  9. Out of context. by Kintar1900 · · Score: 3, Insightful

    Nice way to take the situation out of context with the snippet here on /. I think the important question isn't whether public, for-pay security hunting is a good idea, but rather if it's ethical for an outside firm to pay for it. Would anyone have batted an eye if Apple had been the one advertising for a hack for the Mac? I don't think so, they'd probably have been lauded for having the wherewithal to offer good money to people to help them find exploits of their software.

  10. Damn the consequences by minion · · Score: 5, Insightful

    Which is why, especially in the IT security business, there needs to be a code of conduct with regard to responsible disclosure.' Do you think there's any truth to this? Or is it a better idea to find the vulnerabilities as fast as possible, damn the consequences?"
     
    Considering how quickly companies tend to SUE you for disclosing a vulnerability, I don't think there can be any true code of conduct between hackers and companies. Not unless the companies start making it (public) policy that they WILL NOT sue you as long as you disclose a vulnerability to them first, and give them a reasonable time to fix it before going public.
     
    I think that'll never happen though, and the only way to safeguard a hacker is to make legislation against those type of lawsuits.
     
    I also think that'll never happen either, considering how firmly planted the lips of those companies are to the politician's ass... So *#@& 'em, we just need a good way to disclose anonymously.

    --
    -- If we don't stand up for our rights, now, there will be no right to stand up for them later.
    1. Re:Damn the consequences by 99BottlesOfBeerInMyF · · Score: 3, Interesting

      Considering how quickly companies tend to SUE you for disclosing a vulnerability, I don't think there can be any true code of conduct between hackers and companies.

      So Apple sued the guy who disclosed this Quicktime vulnerability? If that happened, I never heard about it. In fact, I work in the security industry and very, very rarely hear about any lawsuits, which is why they are news when they do happen.

      Not unless the companies start making it (public) policy that they WILL NOT sue you as long as you disclose a vulnerability to them first, and give them a reasonable time to fix it before going public.

      Why? Would such a statement stop them from later doing it? In general companies don't sue over vulnerability disclosures, no matter whether they are immediate, or if the vendor is given time. The reason security researchers tend to give companies time to fix things is because that is what they think is best for security, overall.

      I think that'll never happen though, and the only way to safeguard a hacker is to make legislation against those type of lawsuits.

      That doesn't really work. Basically you can sue anyone for anything in the US (with very few exceptions). I don't see the need for one here since I very rarely, if ever, hear about anyone being sued for disclosing bugs.

  11. bug testing? by Lord+Ender · · Score: 3, Interesting

    Buying vulnerability info from a third party is just outsourcing your QA. It's just buying testing + bug reporting.

    If a third party demands money to keep QUIET about a vulnerability, that's extortion.

    Much of the animosity here is that many security researchers specialize in breaking things--they haven't ever worked on engineering a large, complex system. They just don't understand how much time is required to test code before it is released. Also, the legal teams for many companies just don't understand that alienating security researchers by filing lawsuits is only going to make their situation worse.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.