Monday, April 20, 2009

Should We Reward Hackers for Finding Flaws?

Dr. Charlie Miller, famous Mac hacker, announced at this year's CanSecWest hacking contest that he would no longer be releasing exploits for free, to the vendor or anyone else. Further, Charlie and a few friends have started a "No More Free Bugs" campaign, which even has its own logo.

I've met and very much respect Charlie Miller, and I believe his intentions are good. He just wants to make a living doing what he is good at. The services he provides are valuable, to the software vendor and to us all. Still, I'm bothered by one nagging question: Will or won't Charlie sell his bug findings to parties with malicious intentions? He hasn't yet made a clear, definitive statement on that. I suspect he won't, but for now, I don't know for sure.

(It took Charlie Miller only 10 seconds to crack the Mac at CanSecWest. Now he says he's found a way to trick the iPhone into enabling shell code.)

I feel for Charlie and other truly elite, well-intentioned hackers like him. I've met many of them over the last 20 years, and I know that discovering vulnerabilities isn't the easiest way to make a living. I've known talented hackers who provided independently found exploits to the vendor and were offended when the vendor didn't want to pay them for their hard work. I've seen these initially well-intentioned hackers begin multiyear vendettas against the vendor, who they purportedly wanted to work for, by announcing bug after bug in retaliation. I've seen scorned hackers sell bugs to competitors and beat up the vendor in the press.

Penny in a haystack

Selling exploits is a money-making opportunity like never before, especially if you're a black hat. A hacker that doesn't care who gets his exploit can sell a decent vulnerability finding for a widely distributed software program for $5,000 or more. Prices on the black market are hard to find, but I've seen offers for up to $100,000 for a remote buffer overflow exploit against Windows Server 2003. Considering that multiple crimeware syndicates are making tens of millions of dollars, or more, a price of tens of thousands of dollars for a well-coded exploit is pretty cheap in the grand scheme of things.

Even in the white hat world, many legitimate parties are paying for bugs and exploits. First, many vendors (including my full-time employer, Microsoft) pay millions to internal and external bug finders, although they are almost always (if not always) contracted before the bugs are found. CanSecWest and other hacking contests pay for new zero-day vulnerabilities. Several other organizations, like the Zero Day Initiative, pay for new vulnerability findings. They make their money on the back end by selling protection products to their clients. Lastly, it's a poorly kept secret that our government has huge teams of people working on finding exploits for offense and defense purposes. There have even been attempts at open-air vulnerability auctions.

Black and white

The sad fact is that a found exploit doesn't earn the white hat hacker nearly as much money as the same exploit would bring in the black hat market. That's because white hat hacking is about fixing the product and protecting people, while black hat hacking is about separating people from their money. A friend of mine at a large software company did an analysis of the company's spending for internal and externally hired vulnerability finders, and he said the money paid often worked out to less than $25 per found bug. It's hard for any legitimate hacker to make a decent living at those wages.

But they do. I guess that's it in a nutshell. There are lots of ways to make money in this world. My computer books would sell a lot more if they contained porn, or I could supplement my income with tax-free money by selling illegal drugs, but I've got to be able to look at myself in the mirror in the morning and be proud of what I'm doing. I get paid to hack, but I've never done it without permission or with ill will toward anyone. Whatever personality trait takes to be involved with something malicious, it's missing from my DNA.

Many companies make a decent if not robust living finding bugs for vendors. Maybe they aren't making $5,000 or more per bug, but they've built successful -- sometimes highly successful -- businesses doing it the right way. They've become industry names and created individual stars. Their owners have grown the company, created long-term careers for their employees, and are able to hold their heads up high without a moment of second-guessing.

For every infamous black hat hacker, I can name two infamous white hat hackers and their companies -- names such as @Stake, ZDI, iDefense, David Litchfield, Foundstone, Dave Aitel, Immunity, and so many more.

Charlie and other "No More Free Bugs" advocates deserve to make a living doing what they do best. But I hope they consider the types of people and companies they will be selling their bugs to. We need them to assure us that they are on our side every time.

No comments: