
This deserves more than an upvote. This is exactly the right attitude. It puts the incentives in the right place and will let the market do what she does best: work.



> let the market do what she does best: work.

Hm, I recall the Comodo hack. I think Comodo was hacked twice or more times that year. It won many rewards and continued leading the CA space. The market did not work apparently...


Well, in a way, it did: people voted and said "we don't care la la la what did you just say?".


The security market is working exactly as it was designed and evolved to. As far back as when high-assurance started, the Black Forrest Group of execs of big companies convening on INFOSEC told one of INFOSEC's founders they thought companies would refuse to sell them highly-assured software. The reason was they suspected they intended to make extra profit two ways: cutting QA for immediate profit; selling the fixes for later profit. This proved true, with a lock-in strategy combining for what was essentially checkmate to lots of companies.

The other end are buyers. Most of them don't know what to expect for security or how to evaluate it. Most attempts to solve this failed. They've been conditioned to expect constant hacks, crashes, or data loss. So, they see Comodo etc. get hacked and shrug. They'll usually stay if their end of whatever they bought works. The sector that will pay for highly reliable or secure software is probably under 1% of the market or projects. It's enough that companies keep forming to do the real thing, but a tiny, tiny few struggle to justify the extra costs or fewer features necessary for higher security.


Better yet: Short their stock, then write a scary blog post about the problem.


Just curious, what would the legal implications of something like that be? It seems like you're still benefitting from criminal activity that you enable, but what would the specific charge (if any) be? And any examples where people have tried this?

Although I guess it could help align customer and business goals, since no one wants to lose money.


Not at all. You're making bets based on public information only you have realized is meaningful before informing the rest of the public to make money off that discovery. Quite a few folks make a lot of money this way and (nearly) everyone benefits: https://www.bloomberg.com/news/articles/2015-03-04/how-a-25-...


Maybe but I, personally, would not want to take the risk that I might need to defend that proposition in court.


Nothing can protect you from the lawsuit being brought, but it will likely be thrown out. That's the same with anything, and whether you short a stock or not.

If you short it, at least you might make some money to offset any pending lawsuit. There are plenty of examples of people doing the same thing to fall back on, such as the guy who found out a newly listed company wasn't actually real[1].

1: http://www.npr.org/2015/01/30/382587945/winning-at-short-sel...


And even more generally: any form of profit will attract the possibility of defending yourself in court.


IANAL but there is no risk that you may have to defend that proposition in court as long as you don't actually exploit the vulnerability and simply point it out.

It's public information.

Now if someone who works at the bank had told you about it, you'd be in a lot of trouble.


IANAL either but my understanding is that you can be prosecuted under U.S. law for poking around on servers in any unconventional way. The text of the CFAA forbids "unauthorized access" or "exceeding authorized access".

I'll admit that viewing the source code and noticing this link would be a stretch, but I wouldn't necessarily expect it to be a slam dunk for the researcher, especially if he had assented to the site's ToS (and since he had an account, it seems that he had).

At this point, I imagine he could be in all sorts of (primarily civil) trouble for the disclosure that he just made. He may be protected under some type of financial whistleblower law, but I wouldn't hold my breath.


"The text of the CFAA forbids "unauthorized access" or "exceeding authorized access"."

BOOM! And they've been harsh on hackers for a long time. So, the vulnerability must not require violating access controls or system integrity to be safest. Hackers should be in the clear if it was simply noticing something in HTML/HTTP or whatever that indicated insecurity. An example might be a breakable cipher-suite or handling sessions improperly.


It sounds awfully close to what got weev sent to jail.


This is a good parallel and you're definitely right. However, weev was charged [0] on 2 counts:

1. conspiracy to access a computer without authorization

2. fraud in connection with personal information

This is because Goatse Security not only noticed the vulnerability itself, but because they wrote and executed a script called the "iPad 3G Account Slurper" to iterate over ICC-IDs, returning the associated email address for each one.

Executing the script against AT&T's servers probably is a bona fide violation of the CFAA, not just a conspiracy, but I would guess it's simpler to bring the conspiracy charge since you don't have to get into the nitty gritty of actual requests made, etc.

According to the complaint, they proceeded to email a handful of notable people whose emails had been harvested, including someone on the Board of Directors at News Corp. All of these contacts appear to be media outlets. The Gawker article also lists some of the people whose email addresses were extracted this way (without disclosing their emails).

I'm assuming this direct communication to journalists and/or execs at journalism outlets gives rise to the fraud with personal information charge.

Overall, I don't think that weev did anything that I wouldn't necessarily have done if I were in that situation (trying to drum up attention and make a name for his consulting firm), but it's different from this disclosure because, as far as we know, this researcher did not actually exploit the vulnerability and he has not obtained or disclosed any information from doing so.

Again, not a lawyer.

[0] https://www.eff.org/document/criminal-complaint


Would this really be considered public information, since the existence of that vulnerability is not known to the public or literally anyone else until you publish that blog post?


That's not really true; anybody can sue you if they want, whether or not you're in the right.


I agree that making bets by noticing public information earlier is 100% okay (and in the case of Lumber Liquidators, a better outcome for almost everyone).

But would this case with the bank be different because the vulnerability, unlike formaldehyde, could be actively exploited? Encouraging a stock price to fall because of bad practices seems alright (like the Lumber Liquidators example), but if in the process you become an accessory to smaller-scale fraud against individual account owners, is it still "alright"?


That question has nothing to do with shorting stocks and everything to do with vulnerability disclosure: http://www.blackhat.com/presentations/win-usa-04/bh-win-04-g...


There are law firms working with hedge funds that specialize in doing exactly this when they are about to file a class-action suit. It's possible to be criminally charged if you know that the information you are spreading is false. But other than that limited circumstance, you are free to trade on any information you have about a company that you did not illegally obtain from an insider. Even in the case that the information was obtained from an insider, to convict you, the government must be able to prove that you knew that the insider both a) received a benefit (usually money) in exchange for the information, and b) breached their fiduciary duty by disclosing the information.

That said, technical glitches tend to not affect the fortunes of companies nearly as much as we (the HN crowd) think. Tradeking had the glaring vulnerability outlined in this article for years, and they are doing just fine.


Great point, I think the tech crowd may overestimate the cost of glitches, relative to everything else at play in a business.

I think the point I'm getting hung up on is that the bank's stock price could drop for two reasons: bad PR due to the glitch, and/or falling financials due to fraud perpetrated as part of the glitch. I can completely understand a hedge fund trading and making money off the bad PR. But if (hypothetically) the bank lost a ton of money by hackers liquidating user accounts or, worse, making leveraged bets [before everyone checked for that sort of thing ;)], and the hedge fund knew there was a reasonable chance that the malicious activity would occur based on the newly disclosed information, would they have liability there? (from the theft/fraud perpetrated against the bank, not the drop in stock price)


I believe that responsible disclosure is a courtesy to the vendor and its customers. Afaik, there is nothing in the law that requires it. Exploiting vulnerabilities like the one you are discussing here yourself certainly would be illegal, and you could possibly be implicated in a conspiracy if you disclosed the vulnerability solely to one person or group that you knew would exploit it (so "I told my Russian hacker friend about this... let's short the stock before he nails them with it!" would probably be a conspiracy case, whereas a press release or HN posting would not be).

But general public disclosure of a vulnerability, and/or trading on the anticipated effects of public disclosure, is not illegal. It likely won't win you friends in the IT community, but it falls short of an indictable offense.


The Lumber Liquidators short-seller is quite a famous example of this strategy being executed.

Before writing his blog-post, he short-sold a bunch of Lumber Liquidator stock and made tons of money during the fallout.


Martin Shkreli claims to have made a lot of money by shorting pharma companies ahead of their FDA results - he would read their studies and make reasonably accurate predictions as to the outcome.


Shkreli has shuttered two hedge funds (Elea Capital Management & MSMB Capital Management) when he was unable to cover shorts and put options when the stock price moved away from him. He is also currently awaiting trial for securities fraud. So I would take his comments with a grain of salt.


This is why I said "claims". He no doubt failed at some of his shorts. On a livestream he said he made all the money he still has on his companies, not trading. The strategy is still relevant to the discussion, though.



I posted this downstream, but it's happened and there weren't charges filed.

http://www.pcworld.com/article/3155990/security/stock-tankin...


Great link, thanks for sharing. The quote that stood out to me was “My issue was that patient safety wasn’t front and center.”

I don't have a problem with MedSec making money by shorting St. Jude's stock (that seems to align incentives to take care of security issues as early as possible). But if MedSec publicly disclosed specific, exploitable vulnerabilities (I'm not sure about specifics from the article), they shouldn't be able to hide behind the "doing what is best for the consumer" argument. It's definitely a clever business hack, and that's alright, but the fake sense of moral superiority isn't.


Attempted stock manipulation, probably.


This has been done!

http://www.pcworld.com/article/3155990/security/stock-tankin...

A company discovered vulnerabilities in some medical devices, then shorted the stock of the company before disclosing them.


Alternatively, publish it in an obscure place online, get proof you published it in an archived medium (e.g. Gmail or Archive.org), short the stock based on that now-public information, and then reveal it again in a way that will get stock-smashing attention. That's the hypothetical model I came up with when trying to figure out how to incentivize apathetic but public companies to care about security a bit. You can even follow up offering them security consulting, but don't expect a yes haha.


I feel like someone would try to sue over such an action, but would they have any ground to stand on?


And get sued for libel and market manipulation.


The idea of the banking system being subject to market forces is nice.



