the underground software vulnerability marketplace and its hazards (fwd)

Adam Back adam at cypherspace.org
Thu Aug 22 08:54:51 PDT 2002


Right.  And I fail to see how any of this is dangerous.

Clearly people are free to sell information they create to anyone they
choose under any terms they choose.  (For example the iDEFENSE promise
of the author to not otherwise reveal for 2 weeks to give iDEFENSE
some value.)

This commercialisation seems like a _good thing_ as it may lead to
more breaks being discovered, and hence more secure software.

(It won't remain secret for very long -- given the existence of
anonymous remailers etc., but the time-delay in release allows the
information intermediary -- such as iDEFENSE -- to sell the
information to parties who would like it early, businesses for example
people with affected systems.)

Criminal crackers who can exploit the information just assist in
setting a fair price and forcing vendors and businesses to recognise
the true value of the information.  Bear in mind the seller can not
know or distinguish between a subscriber who wants the information for
their own defense (eg a bank or e-commerce site, managed security
service provider), and a cracker who intends to exploit the
information (criminal organisation, crackers for amusement or
discovery of further information, private investigators, government
agencies doing offensive information warfare domestically or
internationally).

I don't see any particular moral obligation for people who put their
own effort into finding a flaw to release it to everyone at the same
time.  Surely they can release it earlier to people who pay them to
conduct their research, and by extension to people who act as
intermediaries for the purpose of negotiating better terms or being
able to package the stream of ongoing breaks into a more comprehensive
subscription service.

I think HP were wrong, and find their actions in trying to use legal
scare tactics reprehensible: they should either negotiate a price, or
wait for the information to become generally available.

Adam

On Thu, Aug 22, 2002 at 08:02:16AM -0700, Steve Schear wrote:
> >On August 7th, an entity known as "iDEFENSE" sent out an announcement,
> >which is appended to this email.  Briefly, "iDEFENSE", which bills
> >itself as "a global security intelligence company", is offering cash
> >for information about security vulnerabilities in computer software
> >that are not publicly known, especially if you promise not to tell
> >anyone else.
> >
> >If this kind of secret traffic is allowed to continue, it will pose a
> >very serious threat to our computer communications infrastructure.
> 
> A more serious and credible threat would be an escrow/verification service 
> which could support blacknet style auctions.  It could also make the 
> hacker's time valuable enough to support a decent lifestyle fostering a 
> cottage industry.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
