Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Vulnerability pimp tries extortion, settles for “fame.”

What’s wrong with this picture?

DeMott, who runs Rockford, Mich.-based VDA Labs with his partner Justin Seitz, said he called LinkedIn to either sell the bug or offer his company’s consulting services, like he does for any vendor impacted by a vulnerability discovered by DeMott or Seitz.

VDA Labs charges about $175 to $200 an hour for consulting and usually about $5,000 to purchase a significant zero-day flaw, DeMott said.

There’s just no pretense at all about looking out for the interests of users or vendors here.  Just himself and his wallet.

DeMott said he never sells vulnerabilities to non-U.S. or criminal buyers, nor does he do business with such bounty programs as VeriSign iDefense Labs and TippingPoint Zero Day Initiative over worries they might keep the vulnerability details, even if they reject the discoverer’s findings.

In other words, he’s afraid they’ll use his “intellectual property” and ruin his own chances of making money off it.

“I see both sides of it,” he admitted. “But I also see that as a researcher, I work hard days and nights to find these bugs. I think we deserve some compensation.”

Without getting too Lindstromian (Lindstromesque?), who asked you to look for them??

Posted by shrdlu on Wednesday, July 25, 2007

Comments

LonerVamp United States on 07/25  at  04:42 PM:

Yeah, I saw this and commented on Morrill’s blog too. This guy comes off as a pretty big asshole. You’d think he’d know better for having a PhD.

This guy is doing this service on his own time, as his own hobby, and that is the extent of it unless a company is willing to pay him. He doesn’t *deserve* any compensation or even any credit. I really hate that he used that word, “deserve.”

Maybe he should not work “hard days and nights” finding these bugs and instead do something else with his free time?

Or maybe he can start rattling household doors, break in, and then ring the owner saying he’ll disclose and secure for a fee, especially since he has already broken in to prove it can be done. Right…

Rob Newby Spain on 07/28  at  03:31 PM:

Lindstromate.

Thomas H. Ptacek United States on 08/08  at  10:52 PM:

Our take on this is well known (http://www.matasano.com/log/mtso/ethics), but with that out of the way:

Why is it wrong to find a vulnerability in someone else’s application and then refuse to tell them about it?

DeMott’s discovery doesn’t stifle anyone else’s discovery of the same vulnerability. If the vendor doesn’t take him up on the offer, DeMott has done no harm to anyone. If it costs the vendor nothing to have people like DeMott do security audit work for them, then application security becomes an externality to the vendor.

Make a case for what DeMott is doing wrong.

Rob Newby Spain on 08/09  at  01:16 AM:

Ptacek-mate? smile

shrdlu United States on 08/09  at  06:08 AM:

Thomas, I appreciate Matasano’s position on this.  I believe that what made DeMott wrong was the combination of “I’ll only tell you if you pay me” and then going out and releasing it anyway.  It makes it look an awful lot like the Mafia tactic:  “You’d better pay me some money so that nothing happens to your store,” and then if they refuse to pay, smashing it up themselves.

In fact, try that scenario on for size in any other security realm and see how it tastes in your mouth.  “I’ve found a way to poison your city’s water supply—now pay me.”  “I’ve figured out how your children can be kidnapped—pay me.”  “I’ve worked for years figuring out a way to break in to the Louvre—pay me for my time spent on developing this undetectable rootkit.”  (Er, maybe not the last one.)

Again, it’s the combination that I find distasteful.  It wasn’t that DeMott approached them and they refused to fix the flaw, so he “had” to release it in order to save your Dad’s credit card number from theft.  In fact, who says that LinkedIn doesn’t have their own security testing staff who are working hard on doing the right thing?  Just because DeMott decided to test their site, they have to start paying him too?  Where is THAT going to lead?

And why do you suppose vulnerability pimps like DeMott don’t do testing on small Mom-and-Pop sites?  They probably need the “free” QA even more, right?

Because that’s not where the money is.

Let’s not pretend this is about saving your Dad’s credit card number, because his behavior shows that it clearly isn’t.  I have a lot of respect for researchers who either do it because they’re honestly trying to help vendors do the right thing, or because they’re asked to do it by clients.  DeMott pushes me over into Lindstrom’s corner, where I don’t like to be.

Thomas H. Ptacek United States on 08/09  at  07:46 AM:

That argument would make more sense to me if DeMott’s “pitch” had both a carrot and a stick. But it doesn’t seem to. If LinkedIn doesn’t buy, DeMott does nothing. LinkedIn is no more or less likely to get hit before or after DeMott’s failed pitch. What DeMott doesn’t seem to be saying, that many other unscrupulous researchers do say, is “pay me for this finding or I will post this to Bugtraq”.

I get that the money DeMott is asking for is distasteful… but why should it be? He performed a service for LinkedIn, and the market has attached a value to it that looks to be very close to what his asking price is. LinkedIn doesn’t have to buy, but DeMott shouldn’t have to make a donation.

I’m glad Lindstrom’s position is uncomfortable, because it is also dumb.

wink

Rob Newby Spain on 08/09  at  08:17 AM:

“If LinkedIn doesn’t buy, DeMott does nothing”. How did you come to that conclusion???

“a pair of security researchers today posted public exploit code for a severe vulnerability affecting users of the Internet Explorer toolbar for business networking site LinkedIn”

And: “DeMott said he decided to go public with the exploit after an official with Mountain View, Calif.-based LinkedIn, which has more than 12 million members, hung up on him. That is when he knew the vulnerability would end ‘0-day style,’ he said.”

That’s not very grown up is it?

That’s far more serious than posting it to Bugtraq. In fact, I’d go as far as to say it’s criminal, at the very least it’s juvenile. No, there’s nothing wrong with looking for it, but when the client says “no thanks”, that should be the end, as you suggest is a legitimate response.

Unless I have very much mistaken what this article says, this is brutal, and as Mafia-esque as shrdlu said in the first place.

Thomas H. Ptacek United States on 08/09  at  12:04 PM:

I’ve apparently misread the article. I agree, extortion is bad.

Thomas H. Ptacek United States on 08/09  at  12:07 PM:

... though, for what it’s worth:

- if you report a vulnerability to LinkedIn, and they fix it, it’s fair game to publish the details of the vulnerability at some point; when that point occurs is a grey area.

- if you report a vulnerability to LinkedIn, and they steadfastly refuse to fix it, LinkedIn is exhibiting negligence, and the consensus opinion is that there is some additional point that occurs at which it makes sense to publish to force action.

It’s hard to argue that what DeMott did was criminal, but dropping z-day abruptly because LinkedIn refused to pay is certainly unprofessional.

Rob Newby Spain on 08/09  at  12:38 PM:

If you found the vulnerability and they fixed it, I think you should be able to publish what you like, although the gentlemanly thing would be to get their agreement, I don’t see an issue in going public once it’s fixed. It’s your time you’ve put in, so go ahead and bleat about your work, it’s not really going to affect anyone, and if it’s fixed, LinkedIn (or whoever) gets some free publicity.

If they don’t fix it, which seems to be the case, then they are indeed negligent, but if (as they seem to have assumed) you’re going to publish, who’s going to punish them? Only the hacker can make that call, and it shouldn’t really be his to make, as in a case like this, where it draws comparisons to the Mafia on websites.

Rather than having a breaking point where the hacker/extorter feels duty bound and therefore looks hypocritical, it might make sense to have some sort of authority these vulns could be sent to. The website owners would have to comply with their regulations on fixing it as soon as it was released to them. The bug finder would get his dues, a set rate I would imagine. The vulnerabilities could be collected and registered, web app fw and scanning vendors could download the database daily, developers could cross reference their code, etc. so there’s your funding.

Isn’t this happening now anyway on a private basis? It would seem to make more sense to have it controlled by the government and turn DeMott’s dodgy behavior into a recognized crime.

That being said, the way it stands I still reckon I could get a lawyer to convince a judge that this was already extortion, as you said, and that as such is illegal now.

shrdlu United States on 08/09  at  12:42 PM:

Thomas, I’m really enjoying this discussion with you; thank you for dropping in over here.

I agree with your two bullet points above.  However, let’s try one more Gedankenexperiment and you tell me how you feel about it:

You get a call from someone claiming to know about a security weakness at one of your country’s embassies around the world.  He says he will tell you what it is IF you pay him.  If you don’t pay him, he says he won’t reveal it ... but of course you know that if what he claims is true, he himself could take advantage of the hole at any time.

So you need to put more resources into finding a hole that may or may not exist (you’ve already got security, but don’t know whether they already know about this hole or could find it on their own), OR you need to pony up the money to someone who appears to be making a living out of trying to find holes in your security.

How would you rate this scenario on the Vulnerability Pimp Scale?

See, I don’t particularly like the motives of anyone who is trying to make money off of unsolicited vulnerability research.  I don’t think they’re trying to protect consumers.  If their purpose was to pressure companies into fixing their products, they would make that their priority, not things that would benefit them personally ($$ or the thrill of releasing a 0-day). 

I don’t think that someone who is testing my company’s security for money, when I didn’t ask him to, has any honorable motives whatsoever.  He’s not trying to help me or my customers.

(Partial disclosure:  I did once receive a pseudonymous tip that there was a bug in a script on one of my organization’s websites.  We fixed it, I wrote a nice thank-you email, that was the end of it.  I would have bought him a beer, too, if he’d stayed in touch after that.)

Thomas H. Ptacek United States on 08/10  at  02:29 PM:

Depends. Is she lying about the vulnerability?

I’m going to assume she’s actually finding stuff. My take? Not a pimp. From an economic perspective, I simply don’t see the difference between these two lines of reasoning:

(1) “I spent 2 otherwise billable days tracking down this vulnerability; unless you pay me 2 billable days’ worth of my time, plus a premium accounting for the fact that those hours have no execution risk to you, I’m not giving up details.”

(2) “It will take me 2 billable days to track down a vulnerability in this application; unless I can get them to pay me for my time, I’m not going to bother.“

To the receiver, the outcome of both lines is the same. The only person impacted by the choice of (1) and (2) is the researcher, who may be out 2 days of (speculative) work. Everyone makes choice (2) on an almost daily basis. Are we all pimps?

I really don’t understand the argument that money “taints” this process. Security consulting is worth money. Lots of money. If you are an ASP, the ROI on a private finding versus a public incident is not hard to figure out. As long as “mercenary” researchers aren’t aiding and abetting criminals, all they’re doing is offering a higher-quality consulting service (“consulting with a 100% guarantee of a valid finding”).

I’m presupposing:

- That the researcher doesn’t accidentally leak findings.

- That the researcher’s finding is valid.

- That the process of finding the vuln didn’t itself damage the service.

I know that the realization that security research isn’t a pure public service is traumatic, but try working (pro bono) with software vendors for a couple of years; you’ll see, fair is fair.

Thomas H. Ptacek United States on 08/10  at  02:30 PM:

... by the way, if we were only in it to help consumers, nobody would work on any project other than Firefox. And we’d all do it for free.
