e$: Skins vs. Shirts
--- begin forwarded text

Sender: e$@thumper.vmeng.com
Reply-To: Robert Hettinga <rah@shipwright.com>
Mime-Version: 1.0
Precedence: Bulk
Date: Sat, 14 Jun 1997 14:02:41 -0400
From: Robert Hettinga <rah@shipwright.com>
To: Multiple recipients of <e$@thumper.vmeng.com>
Subject: e$: Skins vs. Shirts

At 10:28 am -0400 on 6/14/97, Adam Shostack wrote:
Are FAT file lists stored as files?
On a Unix box, /. refers to the file containing directory entries, the list of files in the directory. If there is an analogous file on a DOS box, you can explore. (Does the bug work on Unix? I've heard it only works if Java or LiveScript are turned on, so it hasn't worried me enough to investigate.)
All this reminds me of something Tim May, Eric Hughes, and others have said before. Once you've gotten to the point where loss of security equals, in a very literal sense, loss of money, the incentive to publicize any given security hole starts to go away.

Adam, above, is speculating about the mechanics of a Netscape security hole, which, two years ago, would have gotten someone like Ian Goldberg a grand and a t-shirt, but probably only after they had published it on the net, just like Mssrs Goldberg and Wagner had to do, in order to get Netscape's attention. That included directions for how to replicate the problem. Back then, we wouldn't have been speculating about the mechanics of the hole, because people would be playing with it to see how it worked. As it is, the latest hole was published in terms of its results only, and not its mechanics. Instead, those precious details were released only to Netscape, and only for, NPR says, "an undisclosed sum".

Lest we think of this as latter-day greenmail, we have to remember that greenmail actually had its putative effect, which was to increase the returns to the shareholders by increasing the stock price. It was never fair to begrudge T. Boone Pickens the pound of flesh he extracted from companies like Phillips Petroleum, mostly because the pound he cut off was usually lard, anyway. Not to compare Netscape to a Pritikin candidate, of course.

Nobody can see all the consequences of tens or hundreds of thousands of lines of code, and the very best way to solve the semantic problem that poses is the internet way, by swarming it to death.

With that in mind, I expect that the next stage in this increasing security "price" escalation will be much more interesting. It won't be long before the first people who say anything about a new security hole will be people who have money stolen from them, and not much will be said by the people who discover those holes in the first place.
And, of course, lots of those people probably won't be so virtuous in their use of what they figure out, either. We're about to enter a new era of parallel evolution, much like the relationship between cheetahs and Thomson's gazelles, where a constant arms race makes predator and prey more efficient, accelerating evolution in both species.

Now, I don't think this forgives people from publishing their source code, far from it. I expect that people selling financial cryptography and allied commercial products will still have to publish their source, or nobody will trust it enough to buy it. I'm just saying that it will tend to be the victims, and probably not the next generation of "moneypunks", who will be announcing the failure of any given commerce application.

So, instead of being one of free shirts, the game will be one of payment in, um, skins. And, before long, there will be many more skins out there belonging to people who are spending money than the people who accidentally built the wallets with holes in them could ever pay in gre$enmail.

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/

----------
The e$ lists are brought to you by:
Intertrader Ltd: "Digital Money Online"
<http://www.intertrader.com/library/DigitalMoneyOnline>
Where people, networks and money come together: Consult Hyperion
http://www.hyperion.co.uk info@hyperion.co.uk
Like e$? Help pay for it!
<http://www.shipwright.com/beg.html>
For e$/e$pam sponsorship, mail Bob: <mailto:rah@shipwright.com>
Thanks to the e$ e$lves:
Of Counsel: Vinnie Moscaritolo <mailto:vinnie@webstuff.apple.com>
(Majordomo)^2: Rachel Willmer <mailto:rachel@intertrader.com>
Commermeister: Anthony Templer <mailto:anthony@atanda.com>
Interturge: Rodney Thayer <mailto:rodney@sabletech.com>

--- end forwarded text
Robert Hettinga wrote:
Adam, above, is speculating about the mechanics of a Netscape security hole, which, two years ago, would have gotten someone like Ian Goldberg a grand and a t-shirt, but probably only after they had published it on the net, just like Mssrs Goldberg and Wagner had to do, in order to get Netscape's attention. That included directions for how to replicate the problem. Back then, we wouldn't have been speculating about the mechanics of the hole, because people would be playing with it to see how it worked. As it is, the latest hole was published in terms of its results only, and not its mechanics. Instead, those precious details were released only to Netscape, and only for, NPR says, "an undisclosed sum".
Just to be clear, we didn't give the blackmailer any money. As Mike Homer put it: "We don't bargain with terrorists."

--
What is appropriate for the master is not appropriate | Tom Weinstein
for the novice. You must understand Tao before        | tomw@netscape.com
transcending structure. -- The Tao of Programming     |
Tom Weinstein writes:

: Just to be clear, we didn't give the blackmailer any money. As Mike
: Homer put it: "We don't bargain with terrorists."

It is really quite nice in Aarhus this time of year. And on the Eve of St. John they stay up all night dancing around the bonfires in which they burn the Witch.

--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
EMAIL: junger@samsara.law.cwru.edu    URL: http://samsara.law.cwru.edu
NOTE: junger@pdj2-ra.f-remote.cwru.edu no longer exists
At 1:26 AM -0700 6/15/97, Tom Weinstein wrote:
Just to be clear, we didn't give the blackmailer any money. As Mike Homer put it: "We don't bargain with terrorists."
Netscape wants money for one of their products. I won't give them money. "I don't bargain with terrorists."

(What the Danes offered was a straight business deal, albeit made weirder and more frantic by the constraints of time, publicity, and worldwide attention. Still a business deal, though. When Collabra wanted X dollars to be acquired by Netscape, was this also "terrorism"? The term "terrorist" hardly applies in business deals.)

--Tim May

There's something wrong when I'm a felon under an increasing number of laws.
Only one response to the key grabbers is warranted: "Death to Tyrants!"
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
Tim May wrote:
At 1:26 AM -0700 6/15/97, Tom Weinstein wrote:
Just to be clear, we didn't give the blackmailer any money. As Mike Homer put it: "We don't bargain with terrorists."
Netscape wants money for one of their products. I won't give them money. "I don't bargain with terrorists."
(What the Danes offered was a straight business deal, albeit made weirder and more frantic by the constraints of time, publicity, and worldwide attention. Still a business deal, though. When Collabra wanted X dollars to be acquired by Netscape, was this also "terrorism"? The term "terrorist" hardly applies in business deals.)
If it was just a business deal, that would be okay. We would have a right to not pay him. It becomes blackmail when he says "If you don't pay me, I will try to damage you." That's what he did. He said that if we didn't pay him, he'd time his press announcement to coincide with DevCon in order to cause us the maximum damage, which he did.

--
Tom Weinstein, tomw@netscape.com
At 5:11 PM -0700 6/15/97, Tom Weinstein wrote:
Tim May wrote:
(What the Danes offered was a straight business deal, albeit made weirder and more frantic by the constraints of time, publicity, and worldwide attention. Still a business deal, though. When Collabra wanted X dollars to be acquired by Netscape, was this also "terrorism"? The term "terrorist" hardly applies in business deals.)
If it was just a business deal, that would be okay. We would have a right to not pay him. It becomes blackmail when he says "If you don't pay me, I will try to damage you." That's what he did. He said that if we didn't pay him, he'd time his press announcement to coincide with DevCon in order to cause us the maximum damage, which he did.
It's still not "terrorism." Just ordinary high-pressure bargaining, as when a film star holds out to the last minute on a deal, knowing her value increases as the deadline approaches. Or scads of similar examples, as when Netscape or Microsoft time their announcements for maximum impact.

One can imagine people approaching a company with reports of a bug--as a certain math professor approached a certain chip company with reports of a strange FDIV problem--and being given the polite runaround. "Thank you for sharing. We'll have one of our QA engineers look into your report and maybe he'll get back to you."

(I have no idea if Netscape reacted in this way, but I can imagine that the flow of bug reports may cause many to linger in the "In" baskets without action.)

By reporting the bug to PC Magazine and CNN-FN, the "value" of the bug information shot up rather dramatically. The Aarhus team may not have gotten any bucks from Netscape--and may not even get a free "Bugs Bounty" sweatshirt--but their consulting rates and business have probably both gone up.

Browsers are big business, and high stakes poker. It's not surprising to me to see this kind of bluffing and "terorrism" (to quote Homer, with his rosy-fingered typing). What's surprising is that it hasn't happened more often, or at least hasn't gotten as much publicity.

--Tim May
Tim May wrote:
At 5:11 PM -0700 6/15/97, Tom Weinstein wrote:
Tim May wrote:
(What the Danes offered was a straight business deal, albeit made weirder and more frantic by the constraints of time, publicity, and worldwide attention. Still a business deal, though. When Collabra wanted X dollars to be acquired by Netscape, was this also "terrorism"? The term "terrorist" hardly applies in business deals.)
If it was just a business deal, that would be okay. We would have a right to not pay him. It becomes blackmail when he says "If you don't pay me, I will try to damage you." That's what he did. He said that if we didn't pay him, he'd time his press announcement to coincide with DevCon in order to cause us the maximum damage, which he did.
It's still not "terrorism." Just ordinary high-pressure bargaining, as when a film star holds out to the last minute on a deal, knowing her value increases as the deadline approaches.
It's blackmail. IANAL, but I believe that blackmail consists of a demand, and a threat to harm if the demand is not met. If he had said: "I'm going to go to the press on this date. You can buy the information from me before that for X amount of money." That would be an ordinary business transaction. Instead, what he said was something like: "Pay me lots of money or I will go to the press in such a way as to damage you the most." That is blackmail. It's clear that the money is to prevent the damage, not just for the information.
Or scads of similar examples, as when Netscape or Microsoft time their announcements for maximum impact.
One can imagine people approaching a company with reports of a bug--as a certain math professor approached a certain chip company with reports of a strange FDIV problem--and being given the polite runaround. "Thank you for sharing. We'll have one of our QA engineers look into your report and maybe he'll get back to you."
(I have no idea if Netscape reacted in this way, but I can imagine that the flow of bug reports may cause many to linger in the "In" baskets without action.)
As a matter of fact, we responded to him very quickly. The day after we heard from him we had a phone call where Jeff Weinstein, Jim Roskind (Java security), and I were present. We gave it serious attention as we do with all security holes.
By reporting the bug to PC Magazine and CNN-FN, the "value" of the bug information shot up rather dramatically. The Aarhus team may not have gotten any bucks from Netscape--and may not even get a free "Bugs Bounty" sweatshirt--but their consulting rates and business have probably both gone up.
He reported it to CNN because he was following through on his threat when we refused to pay him not to.
Browsers are big business, and high stakes poker. It's not surprising to me to see this kind of bluffing and "terorrism" (to quote Homer, with his rosy-fingered typing). What's surprising is that it hasn't happened more often, or at least hasn't gotten as much publicity.
"Terrorism" probably doesn't apply, since his aim was not political. (Or doesn't terrorism have to be political?) I think blackmail is a more appropriate term. -- What is appropriate for the master is not appropriate| Tom Weinstein for the novice. You must understand Tao before | tomw@netscape.com transcending structure. -- The Tao of Programming |
Since this list has bred a lot of security consultants, I'll comment on the business practices here. Sending a company a bill for doing work they didn't agree to in advance is wrong. I've spent substantial amounts of time finding and documenting bugs in various products. Some of it is public, a lot is not. In most every event, the handshake and thank you has led to consulting work for the company. If I show up with a bill in hand, that's not the right way to start a business relationship. So, questions of blackmail aside, it's plain bad practice.

I'll note that the company in Denmark is not a well known one, nor is the name one that I've seen, so there are questions of if the individual is using their true name or not while chasing the money. If they are not, it may be because they feel that this sort of business practice is one they'd like to disassociate themselves from.

Adam

Tom Weinstein wrote:
| > One can imagine people approaching a company with reports of a bug--as
| > a certain math professor approached a certain chip company with
| > reports of a strange FDIV problem--and being given the polite
| > runaround. "Thank you for sharing. We'll have one of our QA engineers
| > look into your report and maybe he'll get back to you."
| >
| > (I have no idea if Netscape reacted in this way, but I can imagine
| > that the flow of bug reports may cause many to linger in the "In"
| > baskets without action.)
|
| As a matter of fact, we responded to him very quickly. The day after
| we heard from him we had a phone call where Jeff Weinstein, Jim Roskind
| (Java security), and I were present. We gave it serious attention as
| we do with all security holes.

--
"It is seldom that liberty of any kind is lost all at once." -Hume
"We don't negotiate with terrorists"
"Terrorism" probably doesn't apply, since his aim was not political. .... I think blackmail is a more appropriate term.
On the other hand, as Agatha Christie occasionally points out, the _only_ safe thing to do with blackmailers is kill them... :-)

#         Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#   (If this is a mailing list or news, please Cc: me on replies.  Thanks.)
Fair enough. I'm prepared, on the basis of Tom's comments, to accept that the Danish bug-finders were "blackmailers," albeit of the weakest, noncriminal sort. (Nobody is suggesting criminal prosecution, extradition, etc., are they?) But I think the "terrorist" appellation is a bit strong.

At 6:56 PM -0700 6/15/97, Tom Weinstein wrote:
It's blackmail. IANAL, but I believe that blackmail consists of a demand, and a threat to harm if the demand is not met.
(However, a "threat to harm" is ambiguous. Many business deals involve mentions of consequences...at what point does this become "blackmail," especially the criminal sense of blackmail?)
If he had said: "I'm going to go to the press on this date. You can buy the information from me before that for X amount of money."
That would be an ordinary business transaction. Instead, what he said was something like: "Pay me lots of money or I will go to the press in such a way as to damage you the most."
That is blackmail. It's clear that the money is to prevent the damage, not just for the information.
Perhaps so, but things remain ambiguous. More skilled negotiators might be more circumspect about the "damage" side, only hinting at it. I don't know if the Danes were clumsy at conveying their intentions. Maybe English was not their forte.
"Terrorism" probably doesn't apply, since his aim was not political. (Or doesn't terrorism have to be political?) I think blackmail is a more appropriate term.
Like I said, but I still think a less inflammatory description than "terrorist," or even "blackmailer" is better. There's probably something between "cheerful Berkeley grad students grateful to get a free t-shirt" and "blackmailer."

--Tim May
If he had said: "I'm going to go to the press on this date. You can buy the information from me before that for X amount of money."
That would be an ordinary business transaction. Instead, what he said was something like: "Pay me lots of money or I will go to the press in such a way as to damage you the most."
That is blackmail. It's clear that the money is to prevent the damage, not just for the information.
I agree. It seems a bit like blackmail to me. These 'consultants' would have been better off having friends buy put options on Netscape stock prior to the phone call. Then if Netscape won't pay their price they get the money from the market when they make the information public, including the source code. Spare me the insider trading rants.

--Ste5e

PGP mail preferred
Fingerprint: FE 90 1A 95 9D EA 8D 61 81 2E CC A9 A4 4A FB A9
---------------------------------------------------------------------
Steve Schear              | tel: (702) 658-2654
CEO                       | fax: (702) 658-2673
First ECache Corporation  |
7075 West Gowan Road      |
Suite 2148                |
Las Vegas, NV 89129       | Internet: azur@netcom.com
---------------------------------------------------------------------
I know not what instruments others may use, but as for me, give me Ecache or give me debt.
SHOW ME THE DIGITS!
Participants (7):
- Adam Shostack
- Bill Stewart
- Peter D. Junger
- Robert Hettinga
- Steve Schear
- Tim May
- Tom Weinstein