Recently eWeek ran an article (http://www.eweek.com/article2/0,1759,1928389,00.asp?kc=EWRSS03129TX1K0000614) about iDefense offering a $10,000 reward to anyone who can find a wormable hole in Microsoft products serious enough to make Microsoft release a critical patch. Ladies and gentlemen, this is a prime example of reckless and irresponsible behaviour. iDefense, a division of VeriSign of all people, has just demonstrated that they are no better than the lowlifes who pay for exploit code on the black market. It's not really new: they've been paying for vulnerability information in order to get exclusive release rights for some time now. But when 3Com Corp.'s TippingPoint division decided to start paying for exclusive disclosure rights as well, iDefense panicked and decided to double the bounty it offered.

What exactly do they think this will accomplish? Apparently Michael Sutton, the Director of iDefense Labs, thinks it will keep vulnerabilities out of malicious hackers' hands and promote responsible disclosure. NOT! Does he think the only people doing this are 'white hat' security researchers who never, ever release anything to the hacker communities? I'm afraid those are few and far between. Does anyone really think that people who illegally and immorally break into other people's computers and sell their exploits on the black market are going to hand a vulnerability to iDefense and then forget about it? How naive can one person get? These people don't care about contracts or laws. They will sell the disclosure rights to iDefense, collect their money, then turn around and sell the vulnerability on the black market anyway, develop exploit code for it, and sell that on the black market too. They don't care about 'exclusive rights'. Once they've been paid, they simply find another buyer. It's like trying to get a habitual liar to promise to tell the truth.

It's more lucrative to keep vulnerabilities quiet anyway. An undisclosed vulnerability that isn't in the patching loop yet can be both sold on the black market and actively used, and people pay a lot more than $10,000 for these kinds of finds. All iDefense has done is create a secondary market for vulnerabilities. Now a bug will be sold on the black market first, exploits developed, and viruses released so they are already in place; THEN it will be sold again to iDefense, after it's too late to do much about it, for extra money on top of what has already been earned.

This is all aside from the fact that they offered this bounty against one particular vendor. An action like this can affect a vendor's stock price, public image, and profit margins. It is offering money to someone to attack a company. In any other book, that's against the law.

So, theoretically speaking, let's say we have a pretend company whose main business is PKI certificate issuance, called TrustySign. Our completely fictitious company TrustySign is an internationally trusted certificate issuer. What would TrustySign think if I offered a $15,000 reward to anyone who could give me exploit code to corrupt the TrustySign certificate-issuing CA chain? That would create a mini-army of people who will eventually find a way to destroy the integrity of the trust relationship between TrustySign and every one of its many customers. It is conspiring to ruin TrustySign's reputation, and in no way can it be condoned as responsible or honorable.

All this does is drive more and more people into nefarious activities. Once again we see a situation where people like iDefense are making crime lucrative. Why? Just so they can get the free marketing that comes from keeping a vulnerability database that is one hour more up to date than someone else's. Whose side are they on anyway?