the underground software vulnerability marketplace and its hazards (fwd)
Mike Rosing
eresrch at eskimo.com
Thu Aug 22 11:13:31 PDT 2002
On Thu, 22 Aug 2002, Adam Back wrote:
> Right. And I fail to see how any of this is dangerous.
Depends on how it's used. Hammers can be dangerous.
> Clearly people are free to sell information they create to anyone they
> choose under any terms they choose. (For example the iDEFENSE promise
> of the author to not otherwise reveal for 2 weeks to give iDEFENSE
> some value.)
Yup. I suspect they won't get paid until after the 2 weeks is up
to ensure that too.
> This commercialisation seems like a _good thing_ as it may lead to
> more breaks being discovered, and hence more secure software.
Maybe.
> (It won't remain secret for very long -- given the existence of
> anonymous remailers etc., but the time-delay in release allows the
> information intermediary -- such as iDEFENSE -- to sell the
> information to parties who would like it early, businesses for example
> people with affected systems.)
Or al-Qaeda like operations. By accident of course!
> Criminal crackers who can exploit the information just assist in
> setting a fair price and forcing vendors and businesses to recognise
> the true value of the information. Bear in mind the seller can not
> know or distinguish between a subscriber who wants the information for
> their own defense (eg a bank or e-commerce site, managed security
> service provider), and a cracker who intends to exploit the
> information (criminal organisation, crackers for amusement or
> discovery of further information, private investigators, government
> agencies doing offensive information warfare domestically or
> internationally).
Seems like you're assuming the cracker is pointed at a specific
target to begin with. I think it's more of a crap shoot, and iDEFENSE
is hoping a few will be really worthwhile for the hundreds that aren't.
iDEFENSE has to find the subscriber after the fact, not before (I think).
> I don't see any particular moral obligation for people who put their
> own effort into finding a flaw to release it to everyone at the same
> time. Surely they can release it earlier to people who pay them to
> conduct their research, and by extension to people who act as
> intermediaries for the purpose of negotiating better terms or being
> able to package the stream of ongoing breaks into more comprehensive
> subscription service.
>
> I think HP were wrong, and find their actions in trying to use legal
> scare tactics reprehensible: they should either negotiate a price, or
> wait for the information to become generally available.
If I were HP I'd have done the same thing they did - why be pushed
around when you can fight back? I think the crackers screwed up,
they should have given a presentation to HP with a proof that there's
a crack, and then request (politely) some compensation for where
it was. By making it a reasonable request, HP saves engineering time
and their software, and the crackers get into business. If they'd
gone in with a "win-win" attitude, the crackers would have made money,
HP would have saved a lot of money, and everyone would be a lot happier.
"moral obligation" and "mental attitude" are not the same thing, but
I think the right attitude would make the morals a lot simpler.
So rather than paying paltry sums to crackers, iDEFENSE might do better
as an agency for crackers. If they do the business to business end
for the crackers, and negotiate contracts, then they get a cut, and
the crackers get a lot more motivation to go find problems. I think
everybody can win then, so long as the exploits are in fact published.
Patience, persistence, truth,
Dr. mike