the underground software vulnerability marketplace and its hazards (fwd)

Mike Rosing eresrch at eskimo.com
Thu Aug 22 11:13:31 PDT 2002


On Thu, 22 Aug 2002, Adam Back wrote:

> Right.  And I fail to see how any of this is dangerous.

Depends on how it's used.  Hammers can be dangerous.

> Clearly people are free to sell information they create to anyone they
> choose under any terms they choose.  (For example the iDEFENSE promise
> of the author to not otherwise reveal for 2 weeks to give iDEFENSE
> some value.)

Yup.  I suspect they won't get paid until after the 2 weeks is up
to ensure that too.

> This commercialisation seems like a _good thing_ as it may lead to
> more breaks being discovered, and hence more secure software.

Maybe.

> (It won't remain secret for very long -- given the existence of
> anonymous remailers etc., but the time-delay in release allows the
> information intermediary -- such as iDEFENSE -- to sell the
> information to parties who would like it early, businesses for example
> people with affected systems.

Or al-Qaeda-like operations.  By accident of course!

> Criminal crackers who can exploit the information just assist in
> setting a fair price and forcing vendors and businesses to recognise
> the true value of the information.  Bear in mind the seller can not
> know or distinguish between a subscriber who wants the information for
> their own defense (eg a bank or e-commerce site, managed security
> service provider), and a cracker who intends to exploit the
> information (criminal organisation, crackers for amusement or
> discovery of further information, private investigators, government
> agencies doing offensive information warfare domestically or
> internationally).

Seems like you're assuming the cracker is pointed at a specific
target to begin with.  I think it's more of a crap shoot, and iDEFENSE
is hoping a few will be really worthwhile for the hundreds that aren't.
iDEFENSE has to find the subscriber after the fact, not before (I think).

> I don't see any particular moral obligation for people who put their
> own effort into finding a flaw to release it to everyone at the same
> time.  Surely they can release it earlier to people who pay them to
> conduct their research, and by extension to people who act as
> intermediaries for the purpose of negotiating better terms or being
> able to package the stream of ongoing breaks into more comprehensive
> subscription service.
>
> I think HP were wrong, and find their actions in trying to use legal
> scare tactics reprehensible: they should either negotiate a price, or
> wait for the information to become generally available.

If I were HP I'd have done the same thing they did - why be pushed
around when you can fight back?  I think the crackers screwed up,
they should have given a presentation to HP with a proof that there's
a crack, and then request (politely) some compensation for where
it was.  By making it a reasonable request, HP saves engineering time
and their software, and the crackers get into business.  If they'd
gone in with a "win-win" attitude, the crackers would have made money,
HP would have saved a lot of money, and everyone would be a lot happier.

"moral obligation" and "mental attitude" are not the same thing, but
I think the right attitude would make the morals a lot simpler.

So rather than paying paltry sums to crackers, iDEFENSE might do better
as an agency for crackers.  If they do the business-to-business end
for the crackers, and negotiate contracts, then they get a cut, and
the crackers get a lot more motivation to go find problems.  I think
everybody can win then, so long as the exploits are in fact published.

Patience, persistence, truth,
Dr. mike





More information about the cypherpunks-legacy mailing list