107952 2003-07-18 23:39 /88 lines/ Josh Daymont <joshd@midgard.net>
Imported: 2003-07-18 23:39 by Brevbäraren
External recipient: Bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <5646>
Comment on text 107899 by Jay D. Dyson <jdyson@treachery.net>
Subject: Re: Disclosure-for-pay?
------------------------------------------------------------
Regarding the ethics of demanding money for vulnerability information:

In most modern industrialized nations, asking a vendor to pay for the details of a security vulnerability is both unethical and is, or should be, criminal extortion of both the vendor and, by extension, the vendor's customers. However, after many years of working in the security industry, I've come to realize that in many parts of the world, including some economically advanced Asian nations, this kind of activity is considered either acceptable or is tolerated to a greater or lesser extent. This is by no means an excuse for the behavior; I only mention it so that you don't jump to any conclusions about any intent or malice that this individual may or may not have toward your firm.

There are a number of things that can be done when these kinds of things happen, but first and foremost you should take notice of two things: you have been notified of a potential hole in your customers' networks and also, frankly, a potential public relations liability for your firm. Because of this you should try to stay to see if you can convince this person to do the right thing and provide you with the information. Do not give in to demands for money under any circumstances. One strategy in these cases is to turn the tables on such a person by telling them that you intend to make their identity public and state the truth about them, which is that they are attempting to hold an ethical firm and its customers hostage for cash.
If the individual is reluctant to provide the details, consider demanding that he or she provide some proof of the vulnerability's existence, either through partial technical details or a live exploit demonstration; then try to use these details to determine the nature of what has been found. It's a generally accepted practice to give credit to people outside of a firm for reporting a security vulnerability in a responsible manner; perhaps this person would accept such public credit as a career boost in lieu of a ransom. As a last resort, consider contacting law enforcement or the NIPC (www.nipc.gov).

In the event that none of the above works, you can at least truthfully tell your customers that you made a best effort to address the issue.

-Josh
http://www.mobile-secure.com/

On Wed, 16 Jul 2003, Jay D. Dyson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 16 Jul 2003, Talley, Brooks wrote:
>
> > My company recently received a communication from someone purporting to
> > know of a security vulnerability in our web application. The individual
> > stated that they would sign an NDA and report the details of the
> > vulnerability to us if we paid his "consulting fee" and provided future
> > services to him at no cost.
>
> Call me unruly, but that sounds like extortion to me. Indeed,
> it's all too akin to someone knocking on your door and claiming they've
> found a way to steal your car...but if you'll give them free rides around
> town, they'll keep it quiet.
>
> > Is that kind of demand for payment for reporting a vulnerability at all
> > the norm?
>
> No, this is _not_ the norm. If anything, it's unethical. In some
> circles, it's considered illegal. There have been a few people who've
> been pinched by law enforcement for such "offers."
>
> Bottom line: you didn't hire this individual to audit your
> applications, so he's out of line asking for compensation.
>
> - -Jay
>
>   ( (                  _______
>    )) ))   .-"There's always time for a good cup of coffee"-.
>  >====<--.  C|~~|C|~~|    (>----- Jay D. Dyson -- jdyson@treachery.net -----<)
>  |   =  |-' `--' `--'     `Red meat isn't bad for you, fuzzy green meat is.'
>  `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQE/FdAcNlg1oZSC9mkRApDZAJ9+HllVA5MHP/3kaOg9n7aXe2CQPgCePlun
> y0c2+VQ9klvbfd5yMs90nvA=
> =pJOm
> -----END PGP SIGNATURE-----
>
(107952) /Josh Daymont <joshd@midgard.net>/(Rewrapped)

108026 2003-07-21 18:43 /61 lines/ Martin Walker <martin.walker@ctg.com>
Imported: 2003-07-21 18:43 by Brevbäraren
External recipient: Jay D. Dyson <jdyson@treachery.net>
External recipient: Bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <5656>
Subject: RE: Disclosure-for-pay?
------------------------------------------------------------
NOTE: that the individual is not saying "Pay me or I'll tell everyone about it". He's just saying "Pay me or I WON'T tell you about it". There is a subtle but critical difference. Your example is incorrect from that standpoint.

Personally I don't think it is very good business, but it is not as damning as many people are screaming about. In fact, the most unethical part is the "provide future services at no cost".

-----Original Message-----
From: Jay D. Dyson [mailto:jdyson@treachery.net]
Sent: Wednesday, July 16, 2003 6:22 PM
To: Bugtraq
Subject: Re: Disclosure-for-pay?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 16 Jul 2003, Talley, Brooks wrote:

> My company recently received a communication from someone purporting
> to know of a security vulnerability in our web application. The
> individual stated that they would sign an NDA and report the details
> of the vulnerability to us if we paid his "consulting fee" and
> provided future services to him at no cost.

Call me unruly, but that sounds like extortion to me.
Indeed, it's all too akin to someone knocking on your door and claiming they've found a way to steal your car...but if you'll give them free rides around town, they'll keep it quiet.

> Is that kind of demand for payment for reporting a vulnerability at
> all the norm?

No, this is _not_ the norm. If anything, it's unethical. In some circles, it's considered illegal. There have been a few people who've been pinched by law enforcement for such "offers."

Bottom line: you didn't hire this individual to audit your applications, so he's out of line asking for compensation.

- -Jay

  ( (                  _______
   )) ))   .-"There's always time for a good cup of coffee"-.
 >====<--.  C|~~|C|~~|    (>----- Jay D. Dyson -- jdyson@treachery.net -----<)
 |   =  |-' `--' `--'     `Red meat isn't bad for you, fuzzy green meat is.'
 `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE/FdAcNlg1oZSC9mkRApDZAJ9+HllVA5MHP/3kaOg9n7aXe2CQPgCePlun
y0c2+VQ9klvbfd5yMs90nvA=
=pJOm
-----END PGP SIGNATURE-----
(108026) /Martin Walker <martin.walker@ctg.com>/(Rewrapped)
Comment in text 108032 by Jay D. Dyson <jdyson@treachery.net>

108032 2003-07-21 19:15 /37 lines/ Jay D. Dyson <jdyson@treachery.net>
Imported: 2003-07-21 19:15 by Brevbäraren
External recipient: Martin Walker <martin.walker@ctg.com>
Recipient: Bugtraq (import) <5662>
Comment on text 108026 by Martin Walker <martin.walker@ctg.com>
Subject: RE: Disclosure-for-pay?
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 21 Jul 2003, Martin Walker wrote:

> NOTE: that the individual is not saying "Pay me or I'll tell everyone
> about it". He's just saying "Pay me or I WON'T tell you about it".
> There is a subtle but critical difference. Your example is incorrect
> from that standpoint.
Perhaps, but I doubt someone would go to all that trouble just to get stiffed in the end...and NOT tell everyone else if they don't get their way. People of that caliber don't typically function like that.

> Personally I don't think it is very good business, but it is not as
> damning as many people are screaming about. In fact, the most unethical
> part is the "provide future services at no cost".

I've seen people get hauled in on extortion charges for making similar "disclosure requests."

- -Jay

  ( (                  _______
   )) ))   .-"There's always time for a good cup of coffee."-.
 >====<--.  C|~~|C|~~|    (>------ Jay D. Dyson - jdyson@treachery.net ------<)
 |   =  |-' `--' `--'     `- If war isn't the answer, what's the question? -'
 `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE/G/3BNlg1oZSC9mkRAugxAJ9/s8IVPew4/UGYoYWo6OlG2DcLkQCfeScA
EpH2krMCI0pJqgDgaL7jUOM=
=q319
-----END PGP SIGNATURE-----
(108032) /Jay D. Dyson <jdyson@treachery.net>/(Rewrapped)

108093 2003-07-22 19:59 /71 lines/ <Rikhardur.EGILSSON@oecd.org>
Imported: 2003-07-22 19:59 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5681>
Subject: RE: Disclosure-for-pay?
------------------------------------------------------------
This is apparently what happened with Serge Humpich, France's famous engineer (at least in France :-), a true hacker (in the original meaning of the word).

He was passionate about the French credit card system and how it worked, and spent four years studying the system and even bought one teller machine (legally). In the end he had spent a few hundred thousand dollars on equipment and countless hours studying the system. And then he managed to break the private key of the banks...

He went to the banks and proposed to sell them the information both of how to break and repair the system. The banks didn't believe his story at first and demanded proof...
So he bought a few metro tickets from a vending machine and went back with the slip from the vending machine and the metro tickets. Then the banks went ballistic and started threatening him with legal actions and god knows what...

Word got out about what was happening and a lot of people became *very* interested... Apparently, somebody managed to repeat the factorization and that somebody then posted the parts to the Internet. The "Yescard" was born...

Six years later and the Yescards still exist, less of a problem, yes, but still a problem...

Personally I don't see any difference in offering you information about how someone can break into your house and how you can fix that, or a CD with my song on it; both require special knowledge to make and either you accept the buy or not...

It's like a freelance reporter who discovers a story, but instead of selling it to everybody, you only offer it to one company...

-----Original Message-----
From: Talley, Brooks [mailto:brooks@frnk.com]
Sent: 16 July, 2003 11:02 PM
To: bugtraq@securityfocus.com
Subject: Disclosure-for-pay?

My company recently received a communication from someone purporting to know of a security vulnerability in our web application. The individual stated that they would sign an NDA and report the details of the vulnerability to us if we paid his "consulting fee" and provided future services to him at no cost.

Am I crazy here, or does this sound not good in several different ways? Is that kind of demand for payment for reporting a vulnerability at all the norm?

I'd love any advice here.

Thanks
-Brooks
(108093) / <Rikhardur.EGILSSON@oecd.org>/-(Rewrapped)