Hi! I'm a security researcher, and here's your invoice

Summary: Michal Zalewski: Security researchers don't have to give any information away for free; but if you need to resort to arm-twisting tactics to sell a service, you have some serious soul searching to do.

Guest editorial by Michal Zalewski

It always struck me as a simple deal: there are benefits to openly participating in the security research community - peer recognition and job opportunities. There is also a cost of doing it as a hobby - loss of potential income in other pursuits. After having made a name for themselves, some people decide that the benefits no longer offset the costs - and stop spending their time on non-commercial projects. Easy, right?

Well, this is not what's on the minds of several of my respected peers. Somewhere in 2009, Alex Sotirov, Charlie Miller, and Dino Dai Zovi announced that there would be no more free bugs; in Charlie's own words:

"As long as folks continue to give bugs to companies for free, the companies will never appreciate (or reward) the effort. So I encourage you all to stop the insanity and stop giving away your hard work."

The three researchers did not feel adequately compensated for their (unsolicited) research, and opted not to disclose this information to vendors or the public - but continued the work in private, and sometimes boasted about the inherently unverifiable, secret finds.

[ SEE: No more free bugs ]

Is this a good strategy? I think it is important to realize that most vendors, being driven by commercial incentives, spend exactly as much on security engineering as they think is appropriate - and this is influenced chiefly by external factors: PR issues, contractual obligations, regulatory risks. Full disclosure puts many of the poor performers under intense public scrutiny, and may force them to try harder and hire security talent (that's you!).

Precisely because of this unwanted pressure, vendors do not inherently benefit from such unsolicited services, and will not work with you to nourish them: if you "threaten" them by promising to essentially stop being a PR problem (unless compensated) - well, don't be surprised if they do not call back soon with a job offer.

Having said that, there is an interesting way one could make this work: the "pay us or else..." approach - where the "else" part may be implied to mean:

  • Selling the information to unnamed third parties, to use it as they see fit (with potential consequences to the vendor's customers),
  • Shaming the vendor in public to suggest negligence ("company X obviously values customer safety well below our $10,000 asking price"),
  • Simply telling the world without giving the vendor a chance to respond.

[ See: Security engineering: broken promises ]

There's only one problem: I think these tricks are extremely sleazy. There are good and rather uncontroversial reasons why disclosing true information about an individual is often legal, but engaging in blackmail never is; the parallels here are really easy to draw.

This is why I am disappointed by the news of VUPEN apparently adopting this very strategy; and equally disappointed by how few people called it out:

"French security services provider VUPEN claims to have discovered two critical security vulnerabilities in the recently released Office 2010 – but has passed information on the vulnerabilities and advice on mitigation to its own customers only. For now, the company does not intend to fill Microsoft in on the details, as they consider the quid pro quo – a mention in the credits in the security bulletin – inadequate.

'Why should security services providers give away for free information aimed at making paid-for software more secure?' asked [VUPEN CEO] Bekrar."

Here's the thing: security researchers don't have to give any information away for free; but if you need to resort to arm-twisting tactics to sell a service, you have some serious soul searching to do.

* Michal Zalewski is a security researcher at Google. He has written and released many security tools, including ratproxy, skipfish and the browser security handbook. He can be found at lcamtuf's blog and on Twitter.

Talkback

25 comments
  • RE: Hi! I'm a security researcher, and here's your invoice

    Michal,
    We had this conversation before so I won't go into a lengthy tirade here why your points are moot. Potential for economical incentives leads to creation of markets, this is a force of nature. Your lack of basic economical understanding leads to discounting such an obvious fact. A vulnerability market is unavoidable, there is demand so will be supply and according price action. It is rather amusing that this nonsensical commentary comes from somebody who grew up in the market-suppressed Eastern EU during the USSR era.
    Regards,
    Sinan Eren
    6752
    • RE: Hi! I'm a security researcher, and here's your invoice

      @Sinan: You do realize that the exact same arguments you presented could be used to justify the activities of people such as Al Capone and John Gotti, right?
      Random_Walk
      • Well....

        @Random_Walk

        Let's hear those arguments in detail and give us a chance to tear them to shreds.

        Personally I think you are way off base without even having heard them.
        Economister
      • RE: Hi! I'm a security researcher, and here's your invoice

        @Economister: You can see those arguments in detail - right above my previous post. Apply them to prohibition, or the drug trade.
        Random_Walk
    • RE: Hi! I'm a security researcher, and here's your invoice

      @6752

      And you miss the point that not all markets are legal or ethical, and that some regulation of business is necessary (unless you enjoy ground glass in baby food and little games like what Wall St just pulled).
      SzechwanVanilla
      • In Ludwig von Mises we trust, all else we sell short

        @SzechwanVanilla

        After reading your tirade, which does not dare attempt to counter any of the points I raise, just a dry critique of my style, that is all there is to it and thus very much pointless. Honestly I could care less what you think about my mannerisms. Now that I hear another corporate tool's rhetoric, I am perfectly justified calling you out as also lacking any intellectual basis and sophistication. Go code and write some specs that should pay the mortgage ...
        6752
  • Economic value also includes marketing value

    Michal's points aren't moot, and do approach the problem from an economic standpoint. Someone should obviously sell their work to the highest bidder, but then we also have to factor in several external factors.

    First, crime does pay, but it has drawbacks. Becoming known as a criminal could limit your ability to get work later, and likely isn't in your best interests. You could also end up with various penalties. If someone did free research on a business's physical security, and then told the owner they'd sell the results to them or to the gang around the corner, they'd likely end up dealing with prosecution. I feel like doing the same thing with respect to software security is really equivalent.

    Second, being perceived as either a criminal or someone with low ethics will also reduce people's willingness to hire you. I know some very sharp security people who I won't hire because I don't trust them. There are other sharp people I can trust that can do the job, too.

    Third, being viewed as someone who works in a responsible, ethical manner can have huge payoffs in terms of future work and marketing value. The value of a vendor saying "thank you" can be quite high - I have personal experience with this.

    Another aspect that's hard to factor depending on the vendor is what the value of a bug is to the vendor. Someone working internally may find dozens (sometimes hundreds) of bugs/year, which establishes what a vendor thinks of as a reasonable value for a bug. An external researcher is likely less efficient at finding bugs, and places a higher value on their work than the vendor would. This leads to an inevitable conflict.
    anonymous
    • RE: Hi! I'm a security researcher, and here's your invoice

      @dcleblanc : It actually gets worse than that - if these idiots start pulling what are basically extortionist tactics (and yes, it is extortion, and is a crime), the whole security research community gets a big, fat ugly reputation.

      I have zero problems with full disclosure - especially if the researcher tried to negotiate a reasonable deadline for the bug but the vendor decided to become all recalcitrant.

      I do however have problems with extortion, and I'm very sure that the vendors (esp. large vendors) would as well. While Joe Sixpack's little software house wouldn't get much attention over such matters, I'm very sure that the likes of Microsoft could get the FBI/Interpol/whoever to snap-to in very short order. And before the s'kiddies on their first TOR jag start bragging about anonymity, that money has to get to you somehow - and a sting op is very easy to set up by a big vendor, esp. when reasonably large numbers are thrown around.
      Random_Walk
    • go talk to Cushman

      @dcleblanc

      Mr. Leblanc,

      I know of you and now I can be certain that you are what they define as "a brilliant but a very one-sided technocrat". You lack the intellectual basis to make any claims as to what defines economical and/or individual interest. Corporate desk-jockeying does require little to no intellectual sophistication it seems... What makes you think "we" require a good reputation to find work ? You just present silly anecdotal arguments, how about something empirical for a change ? There are many very successful short-sellers, whistle-blowers and prosecutors out there and none of them require a healthy/good reputation over at Microsoft or any other corporate HQ. There are many security researchers that might have a bad wrap at Microsoft, Apple et al however the empirical evidence I speak of is hidden in their bank accounts with the source of income being several of the Fortune 500 US companies and the US Government. Life is not as limited in legitimate gainful employment options as you might think so and it certainly does NOT require 30-40 years of being a corporate tool. The world is constantly changing and the economical reality with it. The ones who adopt deserve to survive all others will fail... I think Cushman, Moussouris are aware of that very fact, maybe you should listen to them for a change.

      Regards,
      /SE
      6752
      • RE: Hi! I'm a security researcher, and here's your invoice

        @6752

        My goodness, what an awful, bad-mannered little troll you are!

        You tell everybody else how ignorant they are and then you go out of your way to show us your ill-tempered ignorance. Sad, really. "You lack the intellectual basis to make any claims as to what defines economical and/or individual interest." Well, it takes one to know one, I guess.

        Allow me to assure you, from my 30+ years experience inside and outside of "Corporate desk-jockeying", that if you have a rap (rap, not wrap, BTW) for being unethical, you are going to have a hard time getting work: people won't trust weasels, especially weasels with proven track records as weasels. It makes sense, really: "If I know that person has screwed other people, why would I believe they won't screw me?" It's basic gamesmanship, strategy, call it what you will. If you're going to be a weasel, you'd better be the only game in town, be independently wealthy, or have a lot of some other "leverage". I have "I was there" accounts I can relate to prove this; I'm sure many others do, too. Even business schools use case studies as teaching tools, so don't be so quick to dismiss "anecdotes" (and they teach classes in a thing called "Business Ethics", too, which sort of boil down to "don't be a weasel").

        Maybe you can't cut it in the corporate world which is why you are so contemptuous of it ("Corporate desk-jockeying does require little to no intellectual sophistication it seems"). If you actually believe that is true, you are deluded beyond belief.

        You'll get a lot farther using facts and politeness than with the kind of snide, juvenile assault you hand out so blithely here. People might actually pay attention to your points (if you bother to make any between personal attacks, or actually buttress your points with facts instead of abuse and opinion). Also, you won't get ganged up on like this (and I bet you don't like this at all).
        SzechwanVanilla
  • Another shades of gray issue

    How often do we find that there's more than one way to play a hand in shades of gray deal-making? Hard to say which way pent up inertia will go. Good synopsis by the guest author; interesting talkback takes too.
    klumper
  • From a legal perspective ...

    "Having said that, there is an interesting way one could make this work: the pay us or else approach - where the else part may be implied to mean:

      * Selling the information to unnamed third parties, to use it as they see fit (with potential consequences to the vendor's customers),
      * Shaming the vendor in public to suggest negligence (company X obviously values customer safety well below our $10,000 asking price),
      * Simply telling the world without giving the vendor a chance to respond."

    Speaking as an attorney, "pay us or we might or will do (the above)" could be viewed as extortion--either criminal extortion or at least what civil law calls "duress", which is the non-criminal equivalent (like "conversion" is the non-criminal equivalent of "theft").

    Anyone making such threats could expect at least to receive a strongly-worded letter from a law firm threatening to press criminal charges or sue. At some point, some of the companies would follow through. Even if the "security researcher" won, he would have to spend tens of thousands of dollars in legal fees. Plus, everyone in IT management would know his name and he could forget getting any kind of work.

    Plus, if the person making the threat used either the mails or wire communications (fax, telephone, email, anything involving the Internet) or did anything involving interstate commerce or sending anything across state lines, he could be subject to federal criminal prosecution for mail and/or wire fraud.

    Also, if more than one person was involved on the "researcher" end, the group could be subject to prosecution or civil suit for conspiracy.
    Rick_R
    • I will not argue with your legal reasoning since I am not a lawyer, but...

      @Rick_R

      only a fool would threaten. Maybe we need to set up a vulnerabilities exchange and allow the vulnerability to be sold to the highest bidder. I realize that there may be practical difficulties in making this work, but I believe it is doable.

      The owner of the SW containing the vulnerability would presumably not dare not to be the highest bidder for a vulnerability of any consequence. If no bid is made the vulnerability is made public. Descriptions during the bidding process would have to be sufficiently detailed for a bidder to estimate the value of both the vulnerability itself if exploited (however he chooses, some of which would carry risks by their virtue of being illegal) as well as the cost of trying to uncover it independently, without assisting in that discovery in any meaningful way.

      Individual researchers would quickly develop a reputation in this exchange regarding the quality, and hence the value, of their research. Once in a while a dud might be sold for an inflated price, but that is no different than in any other market. If researchers had a way to sell their work, the quality and quantity of that work would also improve, leading to better SW and a more safe and secure internet.
      Economister
      • RE: Hi! I'm a security researcher, and here's your invoice

        @Economister in regards to: "Maybe we need to set up a vulnerabilities exchange and allow the vulnerability to be sold to the highest bidder."

        Bad idea.

        "If no bid is made the vulnerability is made public"

        Better idea, but why not just do full disclosure and be done with it?
        Random_Walk
      • So far...

        @Random_Walk

        you have made posts without really taking an articulated position on anything, just disagreeing with other posters. If you cannot do better, your posts deserve to be ignored.
        Economister
      • RE: Hi! I'm a security researcher, and here's your invoice

        @Economister: So in other words, you have no answer to the one simple question (in which I actually agreed to an extent with an idea you had).

        Besides, I only asked a question that would be very obviously asked by the first serious site-owner/VC/whoever you proposed it to. If you can't answer it here, then perhaps you hadn't really thought it through?
        Random_Walk
  • RE: Hi! I'm a security researcher, and here's your invoice

    Wow, that is messed up. Obviously there is an anti-socialist mentality present here. If they intend to get paid for finding a security problem then maybe they should get on the ticket for vendors to perform the work under contract.

    Sounds to me like this tactic will backfire and, hopefully, run them "out of town". Surely if these tactics are practiced, other security firms who are playing fair, and nice, will begin looking to shut them down, as this could damage existing relationships within the security community. Accepting any such actions only fuels more to do the same, which is the same reason the US and various law enforcement will not give in to the demands of hostage takers. When you remove the incentive of criminal activity then the activity itself is no longer worth pursuit.

    In my ethical and moral world, if I find a bug I report it, plain and simple. I believe in supporting the vendors who support me. They do not ask me to report or research such issues and thus I am not obligated to provide that research; however, I understand it will improve the products I use in the future, thus it IS in my interest to report any issues, and I ask nothing in return except knowing that it will be fixed in the future.
    ryanstrassburg
    • Ethical, moral or naive?

      @ryanstrassburg

      Why are whistle blowers in many circumstances given rewards? Don't they have knowledge of "bad" things that society somehow would be better off knowing about?

      How does that fit into your ethical and moral world?
      Economister
    • RE: Hi! I'm a security researcher, and here's your invoice

      @ryanstrassburg

      >I ask nothing in return except knowing that it will be fixed in the future.

      Did you hold your breath waiting for MS to fix all the holes in XP? How about NT? Probably not, because you'd be dead. That's a lovely philosophy you've got there, but that isn't how the real world works.

      If not a lot of people are affected, it won't get fixed (even if it's major). If a lot of people are affected but the effect is minor, it won't get fixed. Even if the effect is major, companies often don't fix, or take forever to fix, the bug: they'll tell you to save more often, that it's user error, whatever. If they can NOT spend the money on fixes, they won't: they'd rather have it as profit, to invest in other products, or for other parts of the company (PR, R&D, facility management, office supplies, etc., etc.).

      Especially if the SW product is an old version, an old product, huge, spaghetti code, undocumented, full of code rot, or all of the above, waiting around expecting companies to do the right thing is sort of like believing in Santa Claus: cute but ultimately, inevitably disappointing.

      I've been in this business (coding, writing documentation, leading projects) for over 30 years, and this is how it works, folks. It isn't bad, it isn't good, it's just how it is.
      SzechwanVanilla
      • RE: Hi! I'm a security researcher, and here's your invoice

        @SzechwanVanilla: Agreed, perfectly. If they don't want to fix it, then it would likely be better just leaving it be - eventually they get bitten hard enough to force the issue. Microsoft itself has had this problem before - lax security in a medium they barely understood... all the way up until their products became synonymous with "swiss cheese", and became a non-negligible factor when the enterprise began ditching their server products for Linux.

        If a foolish captain refuses to hear your warnings of an impending iceberg, then screw it - you're better off camping by the nearest lifeboat than standing there screaming until you're blue in the face. Personally, I'd prefer concentrating instead on other vendors more likely to give a damn.
        Random_Walk