CNET News.com – August 3, 2007
Vulnerability Discovery and Analysis (VDA) Labs, founded in April by Jared DeMott, notifies software vendors of security bugs found in their software, as do many other security researchers. But as part of VDA’s business model, vendors are asked to pay for the bugs it discovers, or its consulting services, otherwise VDA threatens to sell the bug to a third party or make the details of the security flaw public.
DeMott, who has done work for the National Security Agency among other places, describes his business model as “edgy,” while other security researchers see it as more akin to “extortion.” The practice, in either case, veers from the more traditional ways bug hunters have worked with software vendors and security firms.
“Edgy?” This really does sound like extortion to me. Force them to pay or else. Just like having nude pictures of the CEO’s wife. Do you think this is illegal or just unethical?
What’s the problem?
Companies making flawed software SHOULD be made to pay.
Sure, this might not seem ethical, but how the hell is foisting buggy software on their paying consumers (basically paying-bug-testers) ethical either?
It’s not extortion really. He’s not forcing them to pay. They are simply offering them the chance to address it privately and quietly. These guys are working for free to identify these bugs, so the software company should effectively ‘tip’ them for the time invested. Furthermore, the software company can put them out of business by simply not releasing software with security bugs.
As long as the details of the bug are released publicly and not just emailed directly to malicious developers I don’t see any problems.
I really don’t think it’s a moral way to do business. At worst go in the media about the flaw, but sell it to someone else? It’s really extortion, more like a protection racket than a “Consulting service”.
You don’t know me and you never agreed to hire me, but while you were at work yesterday I went to your house and looked for ways that burglars could sneak in.
I found 3 ways that thieves can sneak into your house. If you pay me I will tell you what they are, but if you don’t pay me I will give this information to some burglars.
I see this as a completely valid business practice.
If this tactic becomes endemic, it will force companies to write software with very few bugs, which are generally a result of poor coding (or cutting corners to meet a supposed deadline).
This will benefit the consumer because they will not need to be worried about excessively gaping security holes. A relieved consumer will purchase more of the now “safer” product.
This will in turn drive up revenue for the company and will offset any budget issues raised by the need to hire programmers who don’t completely suck ass at coding.
Now let the flame wars begin
So if they sell a security flaw to a third party and that third party uses it in an illegal manner, would they be an accessory?
ok whatever pedro
“We found a security bug, pay or we will let you in the dark!” … that is unethical.
“We found a security bug, pay or we’ll give it to hackers!” … sounds like extortion to me.
This sounds like a “victimless crime”, at first. Or at least, only victimizing the faceless corp. that created the software. But then you have to realize that all the consumers of that software are being screwed, when the bug hunter compromises that product’s security. It isn’t “XYZ Corp” that gets screwed, right off. It’s all the thousands of users of the flawed software, who are unaware of its vulnerability. Secure thru Obscurity is still a valid approach. Though only for a short time. What the bug hunter should say is that they’ll publicly announce the flaw (without giving all the details) so as to affect future sales of the software. Then it can be seen as being a public service. But not this “under the counter” approach at extorting funds, by burning the public’s trust in the product, when they get hacked!
#9 – that being said, would you say that it’s unethical to hire hackers to fill key positions to check your software for security issues?
Microsoft is screwed
#10 yes, that’s what I was getting at in post #5
#9 is correct, this is extortion.
#11 – It is completely ethical to hire hackers to hack your OWN software. It’s called “quality assurance,” and it’s been in practice for years.
#15 – and then if those so called hackers were to tattle after they left the job is all somehow wrong – this world is fuct
Both extortion and unethical.
it would be perfectly fine if they didn’t “threaten” to sell it to a 3rd party. that seems childish, as the most likely 3rd party that would want to buy it would perhaps be a botmaster or virus writer. -or their competition for a slander campaign, yada yada..
on the surface, releasing to the public seems counterproductive to their business model.
otherwise, charging for it, esp if it’s a complicated bug to find with serious ramifications, sounds like a smart business model to me.. bug hunting is a tedious, time consuming task.
a 3rd, unrelated (companywise) bug hunter tends to catch bugs that the original programmers are blind to *because* of the fact that it’s their code..the 3rd party sees the code with a completely different eyes/mindset etc… -also they tend not to be burned out due to “crunch time” deadlines and the impending doom associated with it..
not really a big deal in the long run. i’d like to see a follow up on this in say 6 months to see if they’ve actually made some decent money for their efforts nonetheless
-s
It is unethical, but it is also unethical to sell software, “as is”, and not be responsible for faulty software.
The analogy to “checking the vulnerabilities of a private home” and selling them to burglars is a false one. I assume the software we are talking about is for sale, to the public, which is the complete opposite of private property.
I guess I’m in the minority, I don’t see any legal or moral issues here. The issue I guess boils down to who owns knowledge of an error. I don’t even see how you could patent knowledge of an error. You might be able to patent the fix, however, but that’s not at issue here.
Accordingly, since no one owns it, I see no reason one could not sell it as long as someone was informed at what they were buying and were willing to pay.
Winston Smith analogized with a break-in of a house: “I went to your house and looked for ways that burglars could sneak in.”
But there is no trespass in here. Unless these guys are getting access to proprietary source code illegally, which doesn’t seem to be the issue.
Soundwash had a problem with these guys selling knowledge of the problem: “it would perfectly fine if they didn’t “threaten” to sell it to a 3rd party. that’s seems childish”
But as I already said, where is the immorality in selling what no one owns?
Many others have talked about how this is extortion. Where is the extortion? Am I extorted when I have to pay for gas? Nope. Am I extorted when I have to pay for milk? Nope. No one is forcing Microsoft (or anyone else) to pay or to buy. They are perfectly free to not buy and do nothing, or find knowledge of the error themselves. If this is extortion, well, I guess extortion is much more common than I ever imagined.
#20 Jerk-Face: Fuckin A
#20 “Winston Smith analogized with a break-in of a house: . . .But there is no trespass in here. Unless these guys are getting access to proprietary source code illegally, which doesn’t seem to be the issue.”
How is it different? We do not have a business relationship, yet you are demanding unilaterally that I pay you whatever money you demand, or else harm may come to me or my customers. That is called extortion.
It is nothing more than the old protection racket.
22. “How is it different?”
Well, in your analogy there is a break-in/trespass while Jared DeMott does neither. That’s different. That’s completely different.
“We do not have a business relationship, yet you are demanding unilaterally that I pay you whatever money you demand, or else harm may come to me or my customers.”
I’m confused. What does the fact that there is no business relationship have to do with anything? Let’s assume I want to buy an iPod. I have no business relationship with Apple, does that mean the company is extorting money from me? I don’t get that at all.
And yes, knowledge can keep people from harm. So every time someone sells knowledge there is extortion?
If Microsoft (or whoever) pays this company, they must have done so because someone found the knowledge valuable. No one would ever pay if they did not believe what they were buying had value.
But they are not forced to pay. Microsoft (or whoever) has the means to find the knowledge themselves. Or they can hire any number of third parties to find the knowledge.
If I need medical care, and the doctor demands payment for the knowledge he has to treat me, is it extortion for him to be paid? No. It’s his right to be paid. And if I want the service, I will pay.
But of course software is different from medicine. With software no one really has a life on the line. So your talk of “harm” is really nothing more than hyperbole.
22. “It is nothing more than the old protection racket.”
Oops, I missed this. The old protection racket of which you speak was an illusion. Men would come to a store and offer to sell “protection.” But what they were really selling is protection from themselves. If the shop owner did not pay, they would harm him and his property.
That is not happening here. Here knowledge is being offered and they are offering it those who would need it the most first. If no acceptance is made, they will then offer it to anyone else willing to pay. That’s capitalism. And as far as I know, that’s not against the law yet.
Maybe a better analogy would be I take some photographs of a famous person doing something they might be ashamed of. Say, Ann Coulter taping his dick down. I either use a telephoto lens pointed at Bill O’Reilly’s office window or take the picture in a public place. I offer to sell Ann Coulter the photos on the understanding that if he doesn’t wish to buy them I will be selling them to someone else who might be more interested.
That is classic extortion.
So if I look for and come across some information and I offer that information to a company on the understanding that if they don’t want to buy it I will sell it to someone else, that is extortion. A felony in all states.
Illegal? No. Unethical? Since when has business ever worried about ethics? This is small stuff compared to the rape of the middle class by big business. Let’s get some perspective here.
To modify Winston Smith’s house argument and work around the “private property” argument: You case a bank, find 3 security vulnerabilities and threaten that if the bank doesn’t pay you, you’ll sell the information to “3rd parties”.
The bank doesn’t pay. So, you sell that info to a bank robber, and the bank gets robbed. Do you think the police will not accuse you of aiding and abetting a crime, because you conducted an arm’s length transaction with the bank robber?
So, while no one may have written a law to address this type of criminal behavior, this “edgy” criminal-in-waiting is clearly poised to aid and abet criminal behavior, even holding aside the issue of extortion.
25. “Maybe a better analogy would be I take some photographs of a famous person doing something they might be ashamed of. Say, Ann Coulter taping his dick down. I either use a telephoto lens pointed at Bill O’Reilly’s office window or take the picture in a public place.”
Regarding the office example, that could be an invasion of privacy, or an exposure of a private fact which would be both illegal and immoral. I don’t see any such invasion in this current example.
But if someone does something famous in public, and someone takes a picture of it, it could be illegal as an exposure of private facts.
Let’s assume that a hypothetical actor likes to live in the closet, let’s call him Tom Crooz. Someone discovers he’s really gay and exposes that private fact. That exposure of knowledge could bring about a civil cause of action against the person because such harmful private facts are private. My hypothetical actor could sue the person who made the exposure.
Now software does not have a right to privacy, nor do corporations. So any embarrassing flaw discovered in software would not have the same protections. Maybe that’s a law Microsoft should be working on. (If they’re not working on it already.)
‘Pay me money or I’ll take action that’ll hurt you.’
And you don’t think that’s a protection racket? Pffffft.
#19 – Lou
“…it is also unethical to sell software, “as is”, and not be responsible for faulty software.”
No it isn’t. The laws regarding ‘as is’ as a condition of sale are clear and well-known. You may not LIKE those terms, but that doesn’t make it unethical. When you are told by the seller that what you’re considering buying won’t necessarily work or do what you want, you are free to not buy it.
WTF is “unethical” about that? Ethics doesn’t require they sell you something that works – unless THEY SAY IT DOES AND IT ACTUALLY DOESN’T.
You need to work on those ‘reasoning’ skillz…
29. “You case a bank, find 3 security vulnerabilities and threaten that if the bank doesn’t pay you, you’ll sell the information to “3rd parties”.”
That still involves trespass, because if the bank knew why you were there, they would kick you out. There is no trespass here. And if there is trespass, i.e., they have illegal access to the source code, that is illegal and immoral, not the business they’re doing.
“So, you sell that info to a bank robbe, and the bank gets robbed. Do you think the police will not accuse you of aiding and abetting a crime, because you conducted an arm’s length transaction with the bank robber?”
Think about this. Let’s assume I go to locksmith college and learn all about locks. I then use that knowledge to commit burglaries. Are the school and teachers guilty of aiding and abetting my burglaries?! They gave me the knowledge to complete my felonies, right? No, because they didn’t have knowledge or an intent to aid and abet me.
Sure, if you make up the fact that Jared DeMott will knowingly and intentionally sell the information to criminals for a criminal purpose, by circular argument you’ve proved your point. But the article only says that Jared DeMott will sell the information to third parties or make the information available to the public.
Heck, why not assume they’re also guilty of murder because they’ll certainly double cross anyone who pays, kill them, and then keep the money. And of course they’ll steal cars to get to the sales meeting, so let’s hypothetically assume they’re guilty of grand theft auto. And of course while taking breaks from discovering flaws in software, let’s assume they torture puppies and old ladies too.
#26, You need a lesson in justice. “This is small stuff compared to the rape of the middle class by big business.” You remind me of Mugabe in Zimbabwe. You justify unethical treatment of others because you see them as a group who deserves punishment for crimes you believe that group has committed.
This is simply the same foolishness that has justified persecution of classes and groups throughout history.
These guys are in the same ethical boat as spammers and malware distributors and their click to install defense. I say throw them into the same woodchipper then vaporize the remains with a nuclear blast.