
The hacker's dilemma

A bug auction aims to make hackers legitimate



Here is a dilemma. Imagine that you are a computer hacker and you have found a hole in some program through which intruders could steal money or even personal data. The discovery could bring you honor and respect, but you cannot spread those on bread. So how do you sell it at the best price? Asking the company that makes the vulnerable software for money may, at first glance, look like blackmail: it is easy to assume that if the company refuses, the information may end up in dubious hands. And yet it is exactly this possibility that gives the knowledge its value. So what is a fair price, and who should agree to pay it?

As everyone knows, the economy, like nature, abhors a vacuum, and the hacker's dilemma has given rise to an entire industry of "security companies." These companies buy information about software holes from the hackers who supply it (the politically correct term is "security researchers"). They then either sell that information to software vendors, sometimes together with a corresponding patch, or use it for further "research," for example to look for more dangerous, and therefore more profitable, holes. Such companies try to act as trusted intermediaries between hackers on the one side and software vendors on the other, and seek to convince everyone that they know the market well and set the most appropriate price. Often, however, they earn the trust of neither side. Hackers complain that if they approach such a company to find out how much it will pay, the price drops sharply, because the information becomes known to too many of the company's employees. Software vendors, meanwhile, believe that such intermediaries usually offer them the least important information, and suspect that details of the most dangerous holes go straight to the black market.

A couple of weeks ago, a new service appeared that is meant to make trading in bugs more transparent and, at the same time, to give hackers better terms. The Swiss company WabiSabiLabi, which runs the service, differs from ordinary security companies in that it does not itself buy or sell information. Instead, it offers a platform on which such transactions are concluded.

Turn glory into money

A bug hunter can use the service in one of three ways. He can put his discovery up for auction, with the winner receiving exclusive rights to the information. He can sell it to an unlimited number of buyers at a fixed price. Or he can try to sell it to a single company at a set price without holding an auction at all.

Besides the marketplace itself, WabiSabiLabi brought two other important things to the market. The first is an attempt to ensure that only legitimate traders are allowed to buy and sell information. The second is that the service's administrators check each item in advance to make sure it matches its description.

The head of WabiSabiLabi, Herman Zampariolo, said that several hundred hackers have registered since the service opened. So far, however, only four holes have been put up for sale, and the prices buyers have offered for them have not been high, perhaps because buyers are in no hurry and want first to see how the service performs in practice. Another 200 bugs are now under review and awaiting admission to trading.

If bug auctions of this kind are to prove viable, they will have to overcome a number of other obstacles. One is that if a seller describes his offer too precisely, a buyer may be able to work out for himself where the hole is, and will naturally not pay. Another is that the longer a hole sits unsold, the greater the chance that someone else discovers it. A hacker therefore wants to sell his find as quickly as possible, which means the administrators must review each submission just as quickly. But the most serious obstacle to organizing a bug auction appears to be its legal status.

Jennifer Granick, a lawyer at Stanford University who has studied the subject for several years, believes that if someone obtains information about a hole in a program at an auction like WabiSabiLabi's and uses it to commit a crime, the auction will face serious problems. Under US criminal law, a conviction would require proof that the auction's owners acted intentionally. To succeed in a civil action, however, it is enough to show that the owners were negligent.

In Westerns, the good cowboys wear white hats and the villains wear black ones. Hackers use the same symbols to distinguish those who can rightly be called members of the guild from those who merely bring their glorious craft into disrepute. By opening the first bug auction, WabiSabiLabi may well have spawned a third kind of cowboy, in a gray hat. And the field of hacking, with its ethical boundaries blurred, may expand a little.

Translation from English:
Roman Ravve

Crossposted from worldwebstudio

Source: https://habr.com/ru/post/31588/
