On Thu, 22 Aug 2002, Adam Back wrote:
> Right. And I fail to see how any of this is dangerous.
Depends on how it's used. Hammers can be dangerous.
> Clearly people are free to sell information they create to anyone they choose under any terms they choose. (For example the iDEFENSE promise of the author to not otherwise reveal for 2 weeks to give iDEFENSE some value.)
Yup. I suspect they won't get paid until after the 2 weeks is up to ensure that too.
> This commercialisation seems like a _good thing_ as it may lead to more breaks being discovered, and hence more secure software.
Maybe.
> (It won't remain secret for very long -- given the existence of anonymous remailers etc., but the time-delay in release allows the information intermediary -- such as iDEFENSE -- to sell the information to parties who would like it early, businesses for example, people with affected systems.)
Or al-Qaida-like operations. By accident of course!
> Criminal crackers who can exploit the information just assist in setting a fair price and forcing vendors and businesses to recognise the true value of the information. Bear in mind the seller cannot know or distinguish between a subscriber who wants the information for their own defense (eg a bank or e-commerce site, managed security service provider), and a cracker who intends to exploit the information (criminal organisation, crackers for amusement or discovery of further information, private investigators, government agencies doing offensive information warfare domestically or internationally).
Seems like you're assuming the cracker is pointed at a specific target to begin with. I think it's more of a crap shoot, and iDEFENSE is hoping a few will be really worthwhile for the hundreds that aren't. iDEFENSE has to find the subscriber after the fact, not before (I think).
> I don't see any particular moral obligation for people who put their own effort into finding a flaw to release it to everyone at the same time. Surely they can release it earlier to people who pay them to conduct their research, and by extension to people who act as intermediaries for the purpose of negotiating better terms or being able to package the stream of ongoing breaks into more comprehensive subscription service.
> I think HP were wrong, and find their actions in trying to use legal scare tactics reprehensible: they should either negotiate a price, or wait for the information to become generally available.
If I were HP I'd have done the same thing they did - why be pushed around when you can fight back? I think the crackers screwed up; they should have given a presentation to HP with a proof that there's a crack, and then requested (politely) some compensation for where it was. By making it a reasonable request, HP saves engineering time and their software, and the crackers get into business. If they'd gone in with a "win-win" attitude, the crackers would have made money, HP would have saved a lot of money, and everyone would be a lot happier. "Moral obligation" and "mental attitude" are not the same thing, but I think the right attitude would make the morals a lot simpler. So rather than paying paltry sums to crackers, iDEFENSE might do better as an agency for crackers. If they do the business-to-business end for the crackers, and negotiate contracts, then they get a cut, and the crackers get a lot more motivation to go find problems. I think everybody can win then, so long as the exploits are in fact published.

Patience, persistence, truth,
Dr. mike