Forwarded from: Emerson Tan <etat_private>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 02:46 12/08/2002 -0500, you wrote:
>http://www.wired.com/news/technology/0,1282,54450,00.html
>
>[When this was being talked about at Defcon 10, I overheard one
>party mention that if this was the case, then he could very well
>become a majority shareholder in iDefense with the number of
>vulnerabilities in his collection. - WK]
>
>
>By Michelle Delio
>1:25 p.m. Aug. 9, 2002 PDT
>
>A security company's offer to pay for information on bugs discovered
>in software has once again stirred discussions over a long-simmering
>issue -- whether independent researchers should receive compensation
>for the flaws they find and how information about security
>vulnerabilities should be disclosed.
>
<snip>
>
>While no one is accusing iDefense of selling secrets to the enemy,
>some worry that cash rewards could encourage widespread unethical
>behavior, such as bug hunters partnering with company-employed
>programmers to purposely plant and then "discover" flaws.

It's worth pointing out that at least one software firm tried this
internally in the early 90s and almost immediately hit the collusion
problem, resulting in a bunch of well-off programmers and no
improvement in software quality. This company couldn't effectively
monitor its own internal communications, so it's going to be very hard
for someone like iDefense to audit a scheme like this for this kind of
dishonesty. Indeed, the scam inside the software company was only
discovered when someone plotted out the number of bugs discovered and
pointed out that there was no way that so many bugs could have crept
into such small bits of code. Without access to source for many
products, iDefense probably can't do this analysis. I would caution
them to think twice before engaging in this course of action unless
they have very deep pockets.

>
>IDefense spokesman Michael Cheek said that the company will only
>work with those who ethically discover valid vulnerabilities.

This raises the question of what is an ethically discovered
vulnerability and how do you find out. If I steal the source for, say,
IOS, and discover an exploitable problem via source code analysis, I
can invent a cock and bull story and still be paid. iDefense is going
to be no wiser unless they look through all my possessions, as I've
faked my working notes (trivial) and have written some shifty test
code (trivial again). This obviously wasn't ethical. Unless iDefense
releases its audit methodology and ethical criteria, anything like
this is going to be suspicious. It is left up to the interested reader
as to how to circumvent any safeguards iDefense may have in this area.

Emerson

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPVenHQnUC24nNNxyEQK0cgCgvh8xxkbWXi9DZtcMsAE1kCehNyMAoKac
KfERN6gR07gLfP2A49xXsFKu
=+u40
-----END PGP SIGNATURE-----

---
"None are more hopelessly enslaved than those who falsely believe they
are free." - Goethe

Emerson Tan
Freelance Thinker
etat_private :PGP public key on request or from http://pgpkeys.mit.edu
PGP key fingerprint: 71E9 0C2A CD8F 44AC 4CA5 BB3D 09D4 0B6E 2734 DC72

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 05:02:32 PDT