In-Depth

Paying For Vulnerabilities -- A Disquieting Trend?

Rowing though the backwaters may keep you more secure

• By Chris DeVoney
• 08/07/2007

Last week, many of the digital security industry’s elite, some slackers, and those in between gathered in Las Vegas for a pair of events called Black Hat and Defcon. The best analogy to describe the differences between the two is that one is more dressy and formal; the other is Animal House meets high-tech mosh pit.

Both events offered unique classes, presentations, occasions for socializing, and reams of useful security information that gets swapped in corridors, hotel rooms, bars, poolside, and in the auditoriums. However, don’t underrate the more formal settings. Last year, Jon Ellch and David Maynor sparked controversy when they showcased a flaw in wireless device drivers that affected a range of equipment while using an Apple Mac laptop in the demonstration. In the coming weeks you will hear reports of new vulnerabilities and exploits discovered and showcased.

Nor is self-deprecation a lost art. A new ceremony handed out the Pwnie (pronounced "pony") Awards to celebrate, among other things, the most lethal bugs found by researchers in the past year. Although industry awards are usually nothing more than self-adulation, this one has comes with a hardy sense of humor—with statues for the most hyped vulnerability, the best song written by a researcher, and worst vendor.

More seriously, security vulnerabilities are discussed openly in large sessions and small groups. However, what would you think, if speakers didn’t use first-come, first-served enrollment but instead auctioned off the limited slots for their classes? Would you think "questionable ethics" or "free market?" What if a lecturer would reveal the details of a vulnerability only to a single person who won an open auction?

No, such behavior didn’t occur at the dual conferences, but we learned it could be attributed to a Swiss security company called WabiSabiLabi, which uses an eBay-like format to link vulnerability sleuths with winning bidders. The bidding is in Swiss francs (currently about 0.82 to the U.S. dollar), but the arrangement, although capitalistic and apparently legal, is, I find, morally questionable at best.

In late July, the Associated Press' Anick Jesdanun wrote an article on the state of cash-for-vulnerability (see "Researchers Seek Cash for Software Flaws" at http://redmondmag.com/news/article.asp?editorialsid=8853) that is a must-read for IT security personnel. Computer bugs have existed almost since the first vacuum tube was pushed into a socket for a calculating machine. Security vulnerabilities have existed since stored data acquired monetary value, and certainly since computers became interconnected. There’s no reason to rehash the arguments. I know nothing is truly free. It costs to discover vulnerabilities. Whether by an individual laboring at home or a person or team unsupported by their employer, somebody pays for the time to discover and analyze the flaw. These reports are offshoots of that work.

Vulnerabilities reported by members of the education community are not free. Taxpayer dollars, tuition, or grants pay some aspects of that work. I am unaware of government or corporate grants that specifically pay for tracking down vulnerabilities.

Such vulnerabilities were, at one time, reported to the development company freely. The motivation was partially to get a fix for a problem, partially to get recognition, and partially to get everyone a better product. Many are still motivated by varying degrees of such altruism.

To be sure, programs are so much more complex and the interconnections are more numerous than ever before. Designing bullet-proof software isn’t impossible—it’s just very expensive. The cruise missile is a good example. The software for such rockets is about as rock solid as possible; the multimillion dollar price tag reflects that huge cost. Don’t expect commercial software to rival weapons software.

Cash-for-vulnerability isn’t a new idea. iDefense, a Verisign acquisition, has been paying cash bounties for bugs for several years. 3Com’s TippingPoint firewall/filtering appliance has more recently entered the game.

Hacker boards and black markets have likewise existed for years. The IRC channels and low-profile sites that share, price, and trade hidden secrets on Microsoft, Cisco, and other companies may change their names and IP addresses, but they still exist. I occasionally visit them and find that separating bluster for substance can still be difficult. Most talk, however, has turned commercial and criminal.

Why shouldn’t free-market forces create more efficiencies for the commercial vulnerability vendor? That’s how stock markets are seen—as efficiencies. Maybe it will produce fair pricing for vulnerability hunters. Maybe we’ll get better products.

On WabiSabiLabi’s Web site I found this note: "We are very aware about the risks of selling vulnerabilities and this is why we subjects [sic] buyers to deeper scrutiny, to minimize the risk of selling the wrong information to the wrong people." Oh, really? If the scrutiny matches their proofreading, I am worried.

More disquieting is the thinking from Roberto Preatoni, strategic director for WabiSabiLabi: since the site functions as an auction, the questions of legal liability and disclosure are strictly between those parties. Just like a Web site that features auctions of pit-trained dogs?

I do know that at least one member of every Fortune 500 company, large institution, and government agency computer security staff must keep active watch on the hacker/criminal backwaters and sites such as WabiSabiLabi. It may be difficult to develop patches for vulnerabilities, but you have a lead in hardening defenses and preparing countermeasures if an exploit hits. That’s prudent and proactive thinking.

In spite of expanded police forces, bounty hunters are still very active today. Maybe we need the electronic equivalent for program bugs. Maybe it is the final acknowledgement of the loss of innocence with the Web. Nevertheless, it remains disquieting.