
    CNET News.com – August 3, 2007

Vulnerability Discovery and Analysis (VDA) Labs, founded in April by Jared DeMott, notifies software vendors of security bugs found in their software, as do many other security researchers. But as part of VDA’s business model, vendors are asked to pay for the bugs it discovers, or its consulting services, otherwise VDA threatens to sell the bug to a third party or make the details of the security flaw public.

DeMott, who has done work for the National Security Agency among other places, describes his business model as “edgy,” while other security researchers see it as more akin to “extortion.” The practice, in either case, veers from the more traditional ways bug hunters have worked with software vendors and security firms.

“Edgy?” This really does sound like extortion to me. Force them to pay or else. Just like having nude pictures of the CEO’s wife. Do you think this is illegal or just unethical?


  1. Jerk-Face says:

    34. “spammers and malware distributors and their click to install defense.”

    Spammers send out billions of bits of information no one wants. While these guys are selling valuable information about flaws in software. If a company decides it is not valuable to know about such flaws, they are free not to buy.

    And of course malware distributors use tricks and deception to get people to install their garbage, which is not even remotely analogous to what’s going on here. These guys are not creating the flaws, they are only discovering them.

  2. Dell Inspiron says:

    #23 Jerk-Face – When you buy an iPod or use medical service, those are voluntary actions made by you. Not buying the iPod or seeing the doctor won’t harm you (it’s not the doctor’s fault you didn’t see him).

    This company is finding flaws in software, without the maker’s consent, and threatening to sell the security flaws to third parties against the software maker’s will.

  3. Ballenger says:

    In addition to the ethics issue, another flaw in this business model is that the first time the “please bend over, we’re here to help company” releases bug info that might put end users at risk, the hunter will become the hunted. End users of any serious business software will leave a vapor trail getting to their phones to speed dial their attorneys. If displaying their expertise by providing a sample of a flaw identified isn’t enough to attract customers, trying to nut lock software developers into getting on-board with their plan sure as hell isn’t. You don’t see Billy Mays offering to send you a case of Kadoodoo and return your kidnapped cat for $19.99, because that would also be astonishingly stupid.

  4. Lou says:

    Lauren sayz:

    Well, LTG, ethics has *nothing* to do with the law, *nothing* to do with disclaimers, as-is purchases, etc. It is the philosophy of right and wrong, it is value judgements. And in some cases it is in the eyes of the beholder, and situational.

    And even with the laws – “as-is” disclaimers are reinterpreted every day in our court system.

    I’m not stupid, and understand that all this exists on a continuum (lead paint on toys, bad/unethical/recall, crappy toys that break easily, caveat emptor), but as a programmer, I do get embarrassed by the lack of responsibility, both before and after software release, that today’s developers seem to have. Not unethical, you’re probably right, in most cases, but in some, yes.

  5. hhopper says:

    It’s really very simple. If you threaten to cause harm (physical or otherwise) to an individual or company and require money from them to keep you from doing this, that’s extortion, plain and simple.

  6. Rob R says:

    #32: Throughout your comments you ignore the concept of intent.

    We probably need a lawyer concerning whether trespass is conditional on intent, i.e., the bank lets you in its lobby conditional on your lack of intent to rob it.

    You’re mistaken when you say casing a specific bank and selling that knowledge is the same as teaching generally about locks. If the lock teacher specifically taught you about the locking system of the bank and then you rob the bank then he’s part of the criminal conspiracy, obviously.

    Same with this hacker, he’s not distributing general knowledge, but specific knowledge and if he can be reasonably certain that the knowledge could be used by criminals, he’s going to be in trouble.

    “You make up the fact that Jared DeMott will knowingly and intentionally sell the information to criminals for a criminal purpose.” Yes, of course, this whole discussion is suppositional, that means we’re making things up, it’s called developing scenarios. The guy hasn’t been arrested, so no one here is arguing facts of a case.

    In any event, even if Jared sells the information to someone who isn’t a criminal and the transaction is legal, by threatening the victim and demanding money, he’s simply a blackmailer. #39 is right, if the victim suffers reputational & financial harm, because he didn’t pay, then Jared is also an extortionist.

  7. shortstuff says:

    #33, so you would have been chasing the French underground in 1943. Get a life.

  8. Lauren the Ghoti says:

    #38 – Lou

    “I’m not stupid, and understand that all this exists on a continuum (lead paint on toys, bad/unethical/recall, crappy toys that break easily, caveat emptor), but as a programmer, I do get embarrassed by the lack of responsibility, both before and after software release, that today’s developers seem to have. Not unethical, you’re probably right, in most cases, but in some, yes.”

    …and I agree with you, as far as that goes. Shameful disavowal of any responsibility for putting buggy code out there is rife, although some large portion of the blame should go to managers, rather than the programmers themselves, since those are the guys who too often regard beta testing and after-sale support as unnecessary cost centers to be minimized or done away with if possible.

    Many people out there are trying to write good code, only to see it rushed out to the public prematurely, and then being denied the time or resources to fix things in response to user feedback. At the end of the day, bean counters still have the last word at too many shops…
