Last week 180solutions was in the news again due to another nonconsensual installation discovered and blogged by Ben Edelman. I wrote about it here and here but didn't get a chance (due to traveling again) to blog the rest of the story. 180 blogged their "mea culpa" admitting the first affiliate they shut down, as announced in last Monday's press release, was not the responsible affiliate, but they did locate and shut down the guilty party later. SunbeltBLOG posted about their follow-up research. 180 also posted this about Ben Edelman:
We remain troubled by the irresponsible way that Mr. Edelman "disclosed" this unfortunate situation. Mr. Edelman’s self-described "lack of patience" with 180solutions resulted in thousands of unsuspecting consumers receiving our software without the opportunity to properly consent to its installation, simply because Mr. Edelman (who, ironically, portrays himself as a consumer advocate) wanted to prove some point or another by specifically withholding from us key information that we would have used to immediately shut down these unauthorized installs. The consequences of withholding that information are obvious.
"Ben took irresponsible reporting to a new level," charged 180's Sundwall in referring to the redactions. "I don't know if he was doing it out of spite or trying to prove a point."
My favorite response to that nonsense is from Affiliate Tip:
According to reliable sources, Edelman has also committed irresponsible acts such as neglecting to put out the trash on the appropriate day and going to the express line at the grocery store with more than ten items. Clean up your act, Mr. Edelman!
But what I uncovered, above, is not a security vulnerability. I didn't find a new security hole, or a new way to take advantage of some existing hole. All I found was some bad guy who's already using these methods -- and who 180 has been prepared to pay for his efforts. There's no heightened risk of harm to users from my reporting what's already happening. Perhaps this particular bad actor got to continue his scheme for a few more days while 180 struggled to figure out who was responsible. But that's the entire harm that resulted from my refusal to tell 180 what happened -- that's the usual, background, ongoing risk of harm; it's not a heightened risk created by my disclosure itself. When I posted information about these nonconsensual 180 installs, I didn't put users at special risk of any worm or exploit, in the way that responsible disclosure principles intend to prevent.