Macbook Hacker Charlie Miller: "I have a new campaign. It's called No More Free Bugs." - tptacek
http://blogs.zdnet.com/security/?p=2941

======
riferguson
Miller says that the bugs have a market value beyond $5000 -- indeed, he
claims that an IE8 exploit has a "market value" of over $50k.

But that market value exists only if you're willing to sell the exploits to
people who either (a) are planning to use them or (b) want to fix them. The
former group are the ones setting the market value, since they're the ones who
are going to monetize the exploits.

The idea of announcing NO MORE FREE BUGS really amounts to saying to the world
"I'm either going to sell my work to criminals, or am going to participate in
an ongoing blackmail scheme to make myself rich."

Nice. Good luck with that, Charlie.

~~~
tptacek
I don't like vulnerability markets. It seems to me like a flaw is more
valuable before it's patched, and more valuable before it's disclosed. Like
plutonium, anything done to make it safer makes it less valuable. If you're
going to pay top dollar for something like that, you bother me.

But I have two problems with where you're going.

First, finding a bug in your own time and not telling Apple about it unless
they pay you isn't blackmail. Charlie Miller bills $300/hour. His work product
is worth money. Apple has no right to confiscate it. If the dilemma was, "pay
up or it's going to the Russian Mafia", it'd be blackmail. But if you think
Charlie Miller is selling vulnerabilities to the Russian Mafia, you're a
jackass.

Second, the reason you don't see me at CanSecWest --- well, one of them,
another being that Nils and Charlie and Dino would crush me --- is that I
spent all day reversing protocols, writing fuzzers, and finding flaws. For
cash. Vendors pay us, and so do large companies that buy from those vendors.
It's my day job; it's a job; money changes hands. How is Charlie's proposal
different?

I think it is different. But it's way more subtle than you're making it out
to be. It's also a common industry practice, so making him the face of it
isn't a great play.

(You can see where we stand on this:
<http://www.matasano.com/log/mtso/ethics/>).

~~~
riferguson
I have no problem with you, Charlie, or anyone else being paid top dollar for
his or her work, particularly in an important field like security research.

Indeed, I think it's a great idea for Apple and the other vendors to reimburse
3rd parties for high quality results.

But he wasn't saying "I put X hours into this, and therefore it's worth
$X*(billing rate)."

He was saying "the market value of this is $Z, and it's more for things that
have a greater impact."

I don't know Charlie Miller from a hole in the ground, and so I have no idea
if he's going to be selling his work to the Russian Mafia. If you say he's a
great guy, I'm sure you're right.

Nevertheless, if he thinks that security exploits have a market value beyond a
reasonable billing rate, he's implicitly using the threat of the Bad Guys to
raise the value of his work.

That's a very fine line to be walking.

~~~
secres
Charlie has actually written about this issue before in a more academic
context:

weis2007.econinfosec.org/papers/29.pdf

Based on the limited data in the paper, it seems that it's the government
rather than the vendors that is actually setting the price in the legitimate
market, at least for high quality exploits.

I think the X*(billing rate) calculation ignores the risk that the researcher
took. It's a little like saying that a startup should be worth exactly the
amount of money that has been invested in it.

~~~
riferguson
I will go and read the paper. Thanks for the pointer.

------
mcav
Cool:

> Q: _Google Chrome was the one target left standing. Surprised?_

> A: _There are bugs in Chrome but they’re very hard to exploit. I have a
> Chrome vulnerability right now but I don’t know how to exploit it. It’s
> really hard. They’ve got that sandbox model that’s hard to get out of. With
> Chrome, it’s a combination of things — you can’t execute on the heap, the OS
> protections in Windows and the Sandbox._

~~~
peregrine
I still use Chrome even though it's become less trendy lately. The beta
version has some great features.

I know many people are mad that the linux/mac version isn't available, but if
you think about it, the reason is the sandbox. Google loves quality and won't
release something if it's not of high quality. Sandboxing on Windows, I'm
positive, is different on a Unix-based system. And security is key.

~~~
pierrefar
I thought they're only on Windows because they're using Windows-specific
libraries. IIRC, I think it was the MFC.

------
karl11
I've always thought it was funny when someone would try to sell me on Macs by
saying there are fewer bugs and viruses on them. You have to remind them that
if Apple had 90% of the business computer market that wouldn't be true
anymore. Apple's best security is the fact that far fewer people buy their
products than they do Microsoft's.

~~~
weaksauce
But, at the moment, there are fewer viruses on them for precisely that reason.
Security through popularity is working for the time being. That and
linux/unix/os x have the principle of least privilege working for them too.

~~~
hollerith
Someone does not know what 'principle of least privilege' means.

------
tlrobinson
I really have no idea what I'm talking about, but I thought Leopard had the
address space randomization I assume he's referring to?

Leopard also has some sort of sandbox feature, but apparently it's not used
for Safari.

~~~
tptacek
Nope. They've started down the path, but with these things, if you don't do it
right, you may as well not have done it at all.

<http://www.matasano.com/log/981/a-roundup-of-leopard-security-features/>

~~~
mark_h
That was a good read, thanks. Has it been submitted to HN?

~~~
tptacek
I generally won't submit my own stuff, but that post is also pretty old.
There's stuff on the blog I'm much more proud of that hasn't made it here.

~~~
mark_h
Fair enough, I have to admit I haven't checked out your blog before. The age
did occur to me, but Leopard is still current and I thought it was a good
read.

I was mainly interested in if there had been any HN discussion on it. Thanks.

------
tlrobinson
Dino's slides:
<http://nchovy.kr/uploads/3/301/D1T1%20-%20Dino%20Dai%20Zovi%20-%20Mac%20OS%20Xploitation.pdf>

------
Buzzzz
Wonder how long linux or *bsd would survive? Are they easier or harder than
mac os x?

//olme

------
cool-RR
Am I the only one whose browser crashed while reading this article? Spooky.

------
yan
My photo from his announcement: <http://twitter.com/yan_i/status/1358061677>

------
nate
I have a new campaign. No more reading of sites with ginormous interstitial
ads.

------
pkaler
With all of the talk about morals and ethics, these are the 2 questions I ask
myself whenever making a tough decision:

1) Am I making the world a better place or a worse place?

2) Am I providing value to the people I care about?

I can't speak for Charlie Miller. But, my answer would be no for both
questions. If I were in the same position as him I would feel like a big piece
of fucking shit every single morning when I looked at myself in the mirror.

~~~
jrockway
In his case:

3) Can I feed myself?

By finding Safari bugs, he does make the world a better place. But he can't
live like that, so he has to stop looking for Safari bugs.

Since Safari undoubtedly has bugs, this means someone else is going to find
them. That someone else could be a criminal, but you can't blame the guy for
not wanting to do work that doesn't pay. In the end, Safari's security is
Apple's problem, not Charlie Miller's.

~~~
pkaler
I understand that he has to eat. But making enough money to eat is not that
hard.

And it isn't just Apple's problem (or just Microsoft or just Google). It's my
problem, too. It's my mom's problem, too.

Think about the case where a user's data is compromised.

With great power comes great responsibility, and whatever other cheesy
statement you want to make. I would feel personally responsible if I found an
exploit and later that exploit was used to compromise someone's bank account
or private correspondence.

My conscience is more important than my stomach. I can find other ways to eat.

~~~
jrockway
_I would feel personally responsible if I found an exploit and later that
exploit was used to compromise someone's bank account or private
correspondence._

Which is why he's not even _looking_ for exploits anymore. He is leaving it to
Apple's QA team, since it is really their job.