CSC 379 SUM2008:Week 3, Group 1: Difference between revisions
Revision as of 13:30, 28 July 2008
Markets for Bug Reports
As hackers grow in number and the data that software handles becomes more sensitive, the bugs that the software contains are becoming valuable assets. New legitimate markets are opening up where people who find an exploit or a bug in a program or network can sell it to the highest bidder. The most notable sites are TippingPoint and WSLabi. Currently, there is a black market for software and network exploits. Most of the time, hackers will sell the exploits they find to malware writers or to other hackers. What companies like WSLabi and TippingPoint are trying to do is create a legitimate market for hackers to sell their bugs and thereby shrink the bug black market. This also lets the company whose product or system contains the bug become aware of the security risks in its products.
See this article for more information on the software bug underground market.
Arguments For The Use of These Markets
- Software will become more secure. By rewarding individuals for their time and effort, people are given an incentive to expose and report more bugs. As these bugs are fixed, software becomes more robust and safer to use.
- They will make it easier to report a bug. Markets will accommodate people who would otherwise not come forward with bugs due to frustration with reporting them to software vendors in the past.[1]
There are concerns that companies in this line of business might sell their information to the highest bidder, which potentially means malware producers. But as the market grows, competition will force these companies to protect their reputations by regulating themselves. One example is the Switzerland-based firm WSLabi, which claims to screen its buyers. If the buyer seems legitimate, WSLabi will sell them the information and vouch for them in the future.
Arguments Against The Use of These Markets
- Being paid to find software bugs is morally questionable. Everyone uses software in some way or another, therefore everyone is affected by bugs. People should report any bugs that they find because it is to all people's benefit, not because they will make money out of it. Furthermore, the business practices of a select few exploit-sellers have been called tantamount to extortion, as in the case of a 2007 start-up, VDA Labs.
- The information can easily end up in the wrong hands. Not all companies will sell only to legitimate software vendors and producers. Also, some bug companies sell their bugs in an auction format. They claim that the main market for these bugs is security companies hoping to release updates to their software to prevent cracks in security from being exploited before their competitors can release the same fixes. However, there is nothing stopping a malware writer from outbidding the legitimate companies for a bug.
Buying and selling bug reports may be a moot point in any event. While malware is a separate issue from programming bugs, it still poses a credible threat to computer security. Nearly all anti-virus software is signature-based, which means that it only detects malware that is already known to exist. However, malware producers can make new versions of viruses roughly every 45 seconds or so (page 2). There is also a growing underground economy for malware, and as it becomes larger and more sophisticated, so will the malware. Bugs can certainly be used by hackers and crackers to make it easier to break into computer systems, but reporting them will barely slow down anyone with enough funds to buy the latest malware. No amount of money spent on a bug report will protect against virus code that doesn't require a security loophole.
Additional Links
- http://news.cnet.com/Bug-hunting-start-up-Pay-up%2C-or-feel-the-pain---page-2/2100-7350_3-6200489-2.html
- http://bits.blogs.nytimes.com/2007/07/06/a-new-market-for-software-flaws/#more-206
- http://www.techcrunch.com/2007/07/06/hackers-ebay-legitimate-marketplace-or-organized-blackmail/
- http://www.crn.com/security/201800238
- http://www.fstc.org/docs/articles/messaglabs_online_shadow_economy.pdf
- http://news.cnet.com/Offering-a-bounty-for-security-bugs/2100-7350_3-5802411.html