Zero Day

Ryan Naraine and Dancho Danchev

Hi! I'm a security researcher, and here's your invoice

By | July 9, 2010, 11:00am PDT

Summary: Michal Zalewski: Security researchers don’t have to give any information away for free; but if you need to resort to arm-twisting tactics to sell a service, you have some serious soul searching to do.

Guest editorial by Michal Zalewski

It always struck me as a simple deal: there are benefits to openly participating in the security research community - peer recognition and job opportunities. There is also a cost of doing it as a hobby - loss of potential income in other pursuits. After having made a name for themselves, some people decide that the benefits no longer offset the costs - and stop spending their time on non-commercial projects. Easy, right?

Well, this is not what’s on the minds of several of my respected peers. Somewhere in 2009, Alex Sotirov, Charlie Miller, and Dino Dai Zovi announced that there will be no more free bugs; in Charlie’s own words:

“As long as folks continue to give bugs to companies for free, the companies will never appreciate (or reward) the effort. So I encourage you all to stop the insanity and stop giving away your hard work.”

The three researchers did not feel adequately compensated for their (unsolicited) research, and opted not to disclose this information to vendors or the public - but continued the work in private, and sometimes boasted about the inherently unverifiable, secret finds.

[ SEE: No more free bugs ]

Is this a good strategy? I think it is important to realize that most vendors, being driven by commercial incentives, spend exactly as much on security engineering as they think is appropriate - and this is influenced chiefly by external factors: PR issues, contractual obligations, regulatory risks. Full disclosure puts many of the poor performers under intense public scrutiny, and may force them to try harder and hire security talent (that’s you!).

Exactly because of this unwanted pressure, they probably do not inherently benefit from the unsolicited services, and will not work with you to nourish them: if you “threaten” them by promising to essentially stop being a PR problem (unless compensated) - well, don’t be surprised if they do not call back soon with a job offer.

Having said that, there is an interesting way one could make this work: the “pay us or else…” approach - where the “else” part may be implied to mean:

  • Selling the information to unnamed third parties, to use it as they see fit (with potential consequences to the vendor’s customers),
  • Shaming the vendor in public to suggest negligence (“company X obviously values customer safety well below our $10,000 asking price”),
  • Simply telling the world without giving the vendor a chance to respond.

[ See: Security engineering: broken promises ]

There’s only one problem: I think these tricks are extremely sleazy. There are good and rather uncontroversial reasons why disclosing true information about an individual is often legal, but engaging in blackmail never is; the parallels here are really easy to draw.

This is why I am disappointed by the news of VUPEN apparently adopting this very strategy (full article); and equally disappointed by how few people called it out:

“French security services provider VUPEN claims to have discovered two critical security vulnerabilities in the recently released Office 2010 – but has passed information on the vulnerabilities and advice on mitigation to its own customers only. For now, the company does not intend to fill Microsoft in on the details, as they consider the quid pro quo – a mention in the credits in the security bulletin – inadequate.

‘Why should security services providers give away for free information aimed at making paid-for software more secure?’ asked [VUPEN CEO] Bekrar.”

Here’s the thing: security researchers don’t have to give any information away for free; but if you need to resort to arm-twisting tactics to sell a service, you have some serious soul searching to do.

* Michal Zalewski is a security researcher at Google. He has written and released many security tools, including ratproxy, skipfish and the Browser Security Handbook. He can be found at lcamtuf’s blog and on Twitter.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (most recent of 25 talkbacks)

  • RE: Hi! I'm a security researcher, and here's your invoice
    Michal,
    We had this conversation before so I won't go into a lengthy tirade here why your points are moot. Potential for economical incentives leads to creation of markets, this is a force of nature. Your lack of basic economical understanding leads to discounting such an obvious fact. A vulnerability market is unavoidable, there is demand so will be supply and according price action. It is rather amusing that this nonsensical commentary comes from somebody who grew up in the market-suppressed Eastern EU during the USSR era.
    Regards,
    Sinan Eren
    6752
    9th Jul 2010
  • RE: Hi! I'm a security researcher, and here's your invoice
    @Sinan: You do realize that the exact same arguments you presented could be used to justify the activities of people such as Al Capone and John Gotti, right?
    Random_Walk
    9th Jul 2010
  • Well....
    @Random_Walk

    Let's hear those arguments in detail and give us a chance to tear them to shreds.

    Personally I think you are way off base without even having heard them.
    Economister
    10th Jul 2010
  • RE: Hi! I'm a security researcher, and here's your invoice
    @Economister: You can see those arguments in detail - right above my previous post. Apply them to prohibition, or the drug trade.
    Random_Walk
    10th Jul 2010
  • RE: Hi! I'm a security researcher, and here's your invoice
    @6752

    And you miss the point that not all markets are legal or ethical, and that some regulation of business is necessary (unless you enjoy ground glass in baby food and little games like what Wall St just pulled).
    SzechwanVanilla
    12th Jul 2010
  • In Ludwig von Mises we trust, all else we sell short
    @SzechwanVanilla

    After reading your tirade which does not dare attempt to counter any of the points I raise, just a dry critique of my style, that is all there is to it and thus very much pointless. Honestly I can care less what you think about my mannerisms. Now that I hear another corporate tool's rhetoric, I am perfectly justified calling you out as also lacking any intellectual basis and sophistication. Go code and write some specs that should pay the mortgage ...
    6752
    13th Jul 2010
  • Economic value also includes marketing value
    Michal's points aren't moot, and do approach the problem from an economic standpoint. Someone should obviously sell their work to the highest bidder, but then we also have to factor in several external factors.

    First, crime does pay, but it has drawbacks. Becoming known as a criminal could limit your ability to get work later, and likely isn't in your best interests. You could also end up with various penalties. If someone did free research on a business's physical security, and then told the owner they'd sell the results to them or to the gang around the corner, they'd likely end up dealing with prosecution. I feel like doing the same thing with respect to software security is really equivalent.

    Second, being perceived as either a criminal or someone with low ethics will also reduce people's willingness to hire you. I know some very sharp security people who I won't hire because I don't trust them. There are other sharp people I can trust that can do the job, too.

    Third, being viewed as someone who works in a responsible, ethical manner can have huge payoffs in terms of future work and marketing value. The value of a vendor saying "thank you" can be quite high - I have personal experience with this.

    Another aspect that's hard to factor depending on the vendor is what the value of a bug is to the vendor. Someone working internally may find dozens (sometimes hundreds) of bugs/year, which establishes what a vendor thinks of as a reasonable value for a bug. An external researcher is likely less efficient at finding bugs, and places a higher value on their work than the vendor would. This leads to an inevitable conflict.
    dcleblanc
    9th Jul 2010
  • RE: Hi! I'm a security researcher, and here's your invoice
    @dcleblanc : It actually gets worse than that - if these idiots start pulling what are basically extortionist tactics (and yes, it is extortion, and is a crime), the whole security research community gets a big, fat ugly reputation.

    I have zero problems with full disclosure - especially if the researcher tried to negotiate a reasonable deadline for the bug but the vendor decided to become all recalcitrant.

    I do however have problems with extortion, and I'm very sure that the vendors (esp. large vendors) would as well. While Joe Sixpack's little software house wouldn't get much attention over such matters, I'm very sure that the likes of Microsoft could get the FBI/Interpol/whoever to snap-to in very short order. And before the s'kiddies on their first TOR jag start bragging about anonymity, that money has to get to you somehow - and a sting op is very easy to set up by a big vendor, esp. when reasonably large numbers are thrown around.
    Random_Walk
    9th Jul 2010
  • go talk to Cushman
    @dcleblanc

    Mr. Leblanc,

    I know of you and now I can be certain that you are what they define as "a brilliant but a very one-sided technocrat". You lack the intellectual basis to make any claims as to what defines economical and/or individual interest. Corporate desk-jockeying does require little to no intellectual sophistication it seems... What makes you think "we" require a good reputation to find work ? You just present silly anecdotal arguments, how about something empirical for a change ? There are many very successful short-sellers, whistle-blowers and prosecutors out there and none of them require a healthy/good reputation over at Microsoft or any other corporate HQ. There are many security researchers that might have a bad wrap at Microsoft, Apple et al however the empirical evidence I speak of is hidden in their bank accounts with the source of income being several of the Fortune 500 US companies and the US Government. Life is not as limited in legitimate gainful employment options as you might think so and it certainly does NOT require 30-40 years of being a corporate tool. The world is constantly changing and the economical reality with it. The ones who adopt deserve to survive all others will fail... I think Cushman, Moussouris are aware of that very fact, maybe you should listen to them for a change.

    Regards,
    /SE
    6752
    10th Jul 2010
  • RE: Hi! I'm a security researcher, and here's your invoice
    @6752

    My goodness, what an awful, bad-mannered little troll you are!

    You tell everybody else how ignorant they are and then you go out of your way to show us your ill-tempered ignorance. Sad, really. "You lack the intellectual basis to make any claims as to what defines economical and/or individual interest." Well, it takes one to know one, I guess.

    Allow me to assure you, from my 30+ years experience inside and outside of "Corporate desk-jockeying", that if you have a rap (rap, not wrap, BTW) for being unethical, you are going to have a hard time getting work: people won't trust weasels, especially weasels with proven track records as weasels. It makes sense, really: "If I know that person has screwed other people, why would I believe they won't screw me?" It's basic gamesmanship, strategy, call it what you will. If you're going to be a weasel, you'd better be the only game in town, be independently wealthy, or have a lot of some other "leverage". I have "I was there" accounts I can relate to prove this; I'm sure many others do, too. Even business schools use case studies as teaching tools, so don't be so quick to dismiss "anecdotes" (and they teach classes in a thing called "Business Ethics", too, which sort of boil down to "don't be a weasel").

    Maybe you can't cut it in the corporate world which is why you are so contemptuous of it ("Corporate desk-jockeying does require little to no intellectual sophistication it seems"). If you actually believe that is true, you are deluded beyond belief.

    You'll get a lot farther using facts and politeness than with the kind of snide, juvenile assault you hand out so blithely here. People might actually pay attention to your points (if you bother to make any between personal attacks, or actually buttress your points with facts instead of abuse and opinion). Also, you won't get ganged up on like this (and I bet you don't like this at all).
    SzechwanVanilla
    12th Jul 2010
  • Another shades of gray issue
    How often do we find that there's more than one way to play a hand in shades of gray deal-making? Hard to say which way pent up inertia will go. Good synopsis by the guest author; interesting talkback takes too.
    klumper
    9th Jul 2010
  • From a legal perspective ...
    "Having said that, there is an interesting way one could make this work: the pay us or else approach - where the else part may be implied to mean:

    * Selling the information to unnamed third parties, to use it as they see fit (with potential consequences to the vendors customers),
    * Shaming the vendor in public to suggest negligence (company X obviously values customer safety well below our $10,000 asking price),
    * Simply telling the world without giving the vendor a chance to respond.
    "

    Speaking as an attorney, "pay us or we might or will do (the above)" could be viewed as extortion--either criminal extortion or at least what civil law calls "duress", which is the non-criminal equivalent (like "conversion" is the non-criminal equivalent of "theft").

    Anyone making such threats could expect at least to receive a strongly-worded letter from a law firm threatening to press criminal charges or sue. At some point, some of the companies would follow through. Even if the "security researcher" won, he would have to spend tens of thousands of dollars in legal fees. Plus, everyone in IT management would know his name and he could forget getting any kind of work.

    Plus, if the person making the threat used either the mails or wire communications (fax, telephone, email, anything involving the Internet) or did anything involving interstate commerce or sending anything across state lines, he could be subject to federal criminal prosecution for mail and/or wire fraud.

    Also, if more than one person was involved on the "researcher" end, the group could be subject to prosecution or civil suit for conspiracy.
    Rick_R
    9th Jul 2010
  • I will not argue with your legal reasoning since I am not a lawyer, but...
    @Rick_R

    only a fool would threaten. Maybe we need to set up a vulnerabilities exchange and allow the vulnerability to be sold to the highest bidder. I realize that there may be practical difficulties in making this work, but I believe it is doable.

    The owner of the SW containing the vulnerability would presumably not dare not to be the highest bidder for a vulnerability of any consequence. If no bid is made the vulnerability is made public. Descriptions during the bidding process would have to be sufficiently detailed for a bidder to estimate the value of both the vulnerability itself if exploited (however he chooses, some of which would carry risks by their virtue of being illegal) as well as the cost of trying to uncover it independently, without assisting in that discovery in any meaningful way.

    Individual researchers would quickly develop a reputation in this exchange regarding the quality, and hence the value of their research. Once in a while a dud might be sold for an inflated price, but that is no different than in any other market. If researchers had a way to sell their work, the quality and quantity of that work would also improve, leading to better SW and a more safe and secure internet.
    Economister
    10th Jul 2010
  • RE: Hi! I'm a security researcher, and here's your invoice
    @Economister in regards to: "Maybe we need to set up a vulnerabilities exchange and allow the vulnerability to be sold to the highest bidder."

    Bad idea.

    "If no bid is made the vulnerability is made public"

    Better idea, but why not just do full disclosure and be done with it?
    Random_Walk
    10th Jul 2010
  • So far...
    @Random_Walk

    you have made posts without really taking an articulated position on anything, just disagreeing with other posters. If you cannot do better, your posts deserve to be ignored.
    Economister
    10th Jul 2010
