Right. And I fail to see how any of this is dangerous. Clearly people are free to sell information they create to anyone they choose under any terms they choose. (For example the iDEFENSE promise of the author to not otherwise reveal for 2 weeks to give iDEFENSE some value.) This commercialisation seems like a _good thing_ as it may lead to more breaks being discovered, and hence more secure software. (It won't remain secret for very long -- given the existence of anonymous remailers etc., but the time-delay in release allows the information intermediary -- such as iDEFENSE -- to sell the information to parties who would like it early, businesses for example people with affected systems.)

Criminal crackers who can exploit the information just assist in setting a fair price and forcing vendors and businesses to recognise the true value of the information. Bear in mind the seller cannot know or distinguish between a subscriber who wants the information for their own defense (eg a bank or e-commerce site, managed security service provider), and a cracker who intends to exploit the information (criminal organisation, crackers for amusement or discovery of further information, private investigators, government agencies doing offensive information warfare domestically or internationally).

I don't see any particular moral obligation for people who put their own effort into finding a flaw to release it to everyone at the same time. Surely they can release it earlier to people who pay them to conduct their research, and by extension to people who act as intermediaries for the purpose of negotiating better terms or being able to package the stream of ongoing breaks into a more comprehensive subscription service.

I think HP were wrong, and find their actions in trying to use legal scare tactics reprehensible: they should either negotiate a price, or wait for the information to become generally available.

Adam

On Thu, Aug 22, 2002 at 08:02:16AM -0700, Steve Schear wrote:
On August 7th, an entity known as "iDEFENSE" sent out an announcement, which is appended to this email. Briefly, "iDEFENSE", which bills itself as "a global security intelligence company", is offering cash for information about security vulnerabilities in computer software that are not publicly known, especially if you promise not to tell anyone else.
If this kind of secret traffic is allowed to continue, it will pose a very serious threat to our computer communications infrastructure.
A more serious and credible threat would be an escrow/verification service which could support blacknet-style auctions. It could also make the hacker's time valuable enough to support a decent lifestyle, fostering a cottage industry.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com