
Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them? - aburan28
http://www.theatlantic.com/technology/archive/2014/05/should-hackers-fix-cybersecurity-holes-or-exploit-them/371197/?single_page=true
======
iwwr
In a normal world, this wouldn't even be a question. If there's a duty of the
state, it is to safeguard its people. In fact, it would lend some legitimacy
to some of these programs.

------
w8rbt
_"Everyone uses the same software, so fixing us means fixing them, and
leaving them vulnerable means leaving us vulnerable."_

As a third option, a country may decide to just patch their devices, but not
disclose the vulnerability. Protect themselves while leaving others
vulnerable.

When other parties find and exploit the vulnerability (and they will), the
best case scenario is, "Darn, we can't exploit that anymore". The worst case
scenario is that exploitation causes some major disaster (widespread power
outage, loss of SCADA control, etc.) that impacts us all somehow and that
could have been avoided.

Broad, public disclosure and patching seems the best choice for everyone.

------
falcolas
I fall on the side of "fix 'em" - after all, what good is being able to
infiltrate the enemy at will when they're already poking around your systems
with the same "held in reserve" vulnerability?

That said, the idea of an entity using the moniker of "cyber-weapons arms
manufacturer" gives me goosebumps. I know it's mostly just undisclosed
vulnerabilities, but these are complicated machines we have in our laps. How
long until they find a way to weaponize them? Or has that ship sailed?

------
Zigurd
If someone was creating bioweapons and auctioning them to the highest bidder
they would get their ass droned, and they would deserve it. Those who are
weaponizing vulns are no better.

------
rilita
Considering that when I found some large holes and reported them I was then
harassed by the FBI and given nothing... I think hackers should exploit the
holes and then sell them to the highest bidder.

Helping protect people just gets you harassed.

~~~
sarciszewski
I've been on both sides of this. I was recently granted early termination from
probation after the Infragard incident in 2011, which probably ranks somewhere
in the list of Top N Botched vulnerability disclosures (where N < 100).

On the other hand, I've also reported a lot of bugs to projects over the past
couple of years. Most projects are grateful for the help, a few (Taylor Otwell
of Laravel and Daniel Kerr of OpenCart) are arrogant and hostile, but they're
not the norm.

~~~
rilita
My focus here is really on highly critical vulnerabilities that affect the
public in a negative way by existing. I agree completely that reporting
smaller bugs, or possibly large bugs with no hugely negative effects, tends to
get you respect and thanks.

Reporting critical ones that result in major changes tends to win hatred and
negative attention overall. There is positive mixed in but it does not
outweigh the negative.

Possible ways to handle critical vulnerabilities:

1. Sell them to the highest bidder. Typically that bidder is the government.
There is an open legal market for this. Result: You make some money, the
government uses bugs against people, and you are viewed as a traitor by the
software community.

2. Sell them to the black market. This is criminal behavior. Figure this one
out for yourself.

3. Do nothing. This is what most people do. Result: You are normal.

4. Use them in some illegal fashion for yourself. ( See #2 )

5. Tell your boss. Result: If you were told to be looking at it, you will get
kudos. If you were not, you will get yelled at for wasting time, and told to
do #3.

6. Tell the company who makes the software. Result: If there is a bug bounty
program and you report it through that, you get a small bit of money ( not
worth it ), and it gets fixed. If there is not, your message will likely be
ignored.

7. Tell the public. Result: You will be ignored.

8. Tell the public loudly. Result: You will be mocked.

9. Tell the public loudly and demonstrate the problem. Result: Everyone
will attack you for making it possible for people to abuse the problem.

10. Demonstrate the problem for yourself. Notify the company first
anonymously. If they don't listen or do anything notify the public, including
documentation of your attempting to notify the company. If the public still
ignores you also publish the demonstration. At no point let on who you are; it
is just not worth it.

Only #10 is a solution that works in all scenarios, and it brings little
reward for the person finding and reporting the issue.

I am obviously ignoring the case where you are hired as a pentester. That is a
whole different story.

