Security is a business and those of us who make a living from it, in some form or other, effectively profit from the fact that vulnerabilities get exploited by bad people. But is there a moral or ethical limit to how you turn insecurity into money?
ReVuln, a security company based in Malta, claims to have found nine zero-day vulnerabilities in Scada systems. This comes not long after French firm Vupen said it had discovered zero-day flaws in Windows 8 and has exploits ready.
Vulnerabilities are found all the time. What marks out these companies, and a handful of others, is that they don’t share their findings with the affected software vendors. As far as these firms are concerned, the vulnerabilities are not a problem to be fixed, they are a business opportunity.
ReVuln, Vupen and their ilk sell the zero-day information, and any exploits they’ve created on the back of them, to governments and other organisations that want them to … well, what?
Surveillance, espionage, cyberwar … these are among the most likely applications of such exploits. So, the question is, do we really feel we can trust governments, including our own, to use such exploits responsibly and in the best interest of all? No, stop laughing, this isn’t funny.
We know it goes on. The German authorities have been relatively open about their use of malware for law enforcement purposes.
The problem is, some of these security firms also sell to unnamed private organisations. There is no transparency or accountability here.
And this affects all of us. If your computer has a vulnerability, you’re not just at risk of surveillance or attack from your own government, or from some corporate entity that feels entitled to act this way; if ReVuln or Vupen or others have found these vulnerabilities, there is a possibility that cyber-criminals or state-sponsored hackers have made the same discoveries, too.
Maybe that doesn’t bother you if you’re an individual who feels you’re unlikely to be a target for these people. (It should bother you, but hey, that’s your call.) However, it’s going to bother organisations with data, incomes and reputations to protect.
There have been some real efforts in the infosecurity business to share intelligence – such as the Common Vulnerabilities and Exposures (CVE) dictionary, the Common Vulnerability Scoring System (CVSS), the Common Vulnerability Reporting Framework (CVRF), Georgia Tech’s malware intel-sharing system Titan and any number of more informal processes.
So am I the only person who finds the selling of zero-days to the highest bidder to be morally reprehensible and ethically shameful?
Discovering vulnerabilities should be the first step towards fixing the problem, not profiteering. These are issues that threaten us all. And maybe you could argue that it’s not like knowing that your Ford Pinto is going to explode in a rear-end collision. After all, that’s life threatening, whereas here we’re ‘only’ talking about our privacy, identities, maybe our intellectual property and perhaps the contents of our bank accounts. On the other hand, Scada vulnerabilities could be much more serious.
These threats mostly stem from poor programming. Software vendors are able to get away with marketing substandard products because there are few repercussions. Lack of training of developers in security issues, poor or non-existent review and testing processes – these are the things that lead to zero-days. Fixing the problem costs money without adding features or perceivable value to the product. And so firms push out code blindly hoping no-one will find any flaws. It’s one of the few industries where companies can get away with such wilfully negligent behaviour.
And now we have another tier of businesses capable of cashing in on these same shoddy practices. And, no doubt, they have a ready stream of clients, armed with a sense of entitlement that allows them to exploit our vulnerabilities in the name of law enforcement, national security or perhaps even just their own profits.
Can you spot who the losers are here?