the underground software vulnerability marketplace and its hazards (fwd)

Adam Shostack adam at homeport.org
Thu Aug 22 11:13:58 PDT 2002


Research into defining and addressing classes of vulnerabilities can't
happen without libraries of available vulnerability code.  I can think
of three researchers into automated methods for addressing
vulnerabilities who griped, uninvited, about the quality of the
existing vulnerability sites.  Doing research into a set requires that
you have enough examples, in the open, that you can define a set, and
that the set is added to from time to time so you can make and test
predictions.

I feel fairly confident in saying that without full disclosure, we
wouldn't have Stackguard, ITS4, Nessus, or snort.  And the security
admin's job would be a lot harder.

Clearly, people should not be restricted from doing what they want
with information.  However, if you are concerned about the state of
computer security, then I think encouraging more and better
communication amongst "white hats" is a good idea.

(An interesting question is 'Is there a difference between selling
information you know you have and information you expect to have?'
which is what many security companies have been doing for a while:
Hiring the people who find exploits to find them for their commercial
profit.  The difference is that those security companies paid salary,
not contracting rates.)

Adam

On Thu, Aug 22, 2002 at 04:54:51PM +0100, Adam Back wrote:
| Right.  And I fail to see how any of this is dangerous.
| 
| Clearly people are free to sell information they create to anyone they
| choose under any terms they choose.  (For example the iDEFENSE promise
| of the author to not otherwise reveal for 2 weeks to give iDEFENSE
| some value.)
| 
| This commercialisation seems like a _good thing_ as it may lead to
| more breaks being discovered, and hence more secure software.
| 
| (It won't remain secret for very long -- given the existence of
| anonymous remailers etc., but the time-delay in release allows the
| information intermediary -- such as iDEFENSE -- to sell the
| information to parties who would like it early, businesses for example
| people with affected systems.)
| 
| Criminal crackers who can exploit the information just assist in
| setting a fair price and forcing vendors and businesses to recognise
| the true value of the information.  Bear in mind the seller can not
| know or distinguish between a subscriber who wants the information for
| their own defense (eg a bank or e-commerce site, managed security
| service provider), and a cracker who intends to exploit the
| information (criminal organisation, crackers for amusement or
| discovery of further information, private investigators, government
| agencies doing offensive information warfare domestically or
| internationally).
| 
| I don't see any particular moral obligation for people who put their
| own effort into finding a flaw to release it to everyone at the same
| time.  Surely they can release it earlier to people who pay them to
| conduct their research, and by extension to people who act as
| intermediaries for the purpose of negotiating better terms or being
| able to package the stream of ongoing breaks into more comprehensive
| subscription service.  
| 
| I think HP were wrong, and find their actions in trying to use legal
| scare tactics reprehensible: they should either negotiate a price, or
| wait for the information to become generally available.
| 
| Adam
| 
| On Thu, Aug 22, 2002 at 08:02:16AM -0700, Steve Schear wrote:
| > >On August 7th, an entity known as "iDEFENSE" sent out an announcement,
| > >which is appended to this email.  Briefly, "iDEFENSE", which bills
| > >itself as "a global security intelligence company", is offering cash
| > >for information about security vulnerabilities in computer software
| > >that are not publicly known, especially if you promise not to tell
| > >anyone else.
| > >
| > >If this kind of secret traffic is allowed to continue, it will pose a
| > >very serious threat to our computer communications infrastructure.
| > 
| > A more serious and credible threat would be an escrow/verification service 
| > which could support blacknet style auctions.  It could also make the 
| > hacker's time valuable enough to support a decent lifestyle fostering a 
| > cottage industry.
| 

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
