Macbook Hacker Charlie Miller: "I have a new campaign. It's called No More Free Bugs." (zdnet.com)
80 points by tptacek on March 20, 2009 | hide | past | favorite | 39 comments



Miller says that the bugs have a market value beyond $5000 -- indeed, he claims that an IE8 exploit has a "market value" of over $50k.

But that market value exists only if you're willing to sell the exploits to people who either (a) are planning to use them or (b) want to fix them. The former group are the ones setting the market value, since they're the ones who are going to monetize the exploits.

The idea of announcing NO MORE FREE BUGS really amounts to saying to the world "I'm either going to sell my work to criminals, or am going to participate in an ongoing blackmail scheme to make myself rich."

Nice. Good luck with that, Charlie.


I don't like vulnerability markets. It seems to me like a flaw is more valuable before it's patched, and more valuable before it's disclosed. Like plutonium, anything done to make it safer makes it less valuable. If you're going to pay top dollar for something like that, you bother me.

But I have two problems with where you're going.

First, finding a bug in your own time and not telling Apple about it unless they pay you isn't blackmail. Charlie Miller bills $300/hour. His work product is worth money. Apple has no right to confiscate it. If the dilemma was, "pay up or it's going to the Russian Mafia", it'd be blackmail. But if you think Charlie Miller is selling vulnerabilities to the Russian Mafia, you're a jackass.

Second, the reason you don't see me at CanSecWest --- well, one of them, another being that Nils and Charlie and Dino would crush me --- is that I spent all day reversing protocols, writing fuzzers, and finding flaws. For cash. Vendors pay us, and so do large companies that buy from those vendors. It's my day job; it's a job; money changes hands. How is Charlie's proposal different?

I think it is different. But it's way more subtle than you're making it out to be. It's also a common industry practice, so making him the face of it isn't a great play.

(You can see where we stand on this: http://www.matasano.com/log/mtso/ethics/).


I have no problem with you, Charlie, or anyone else being paid top dollar for his or her work, particularly in an important field like security research.

Indeed, I think it's a great idea for Apple and the other vendors to reimburse 3rd parties for high quality results.

But he wasn't saying "I put X hours into this, and therefore it's worth $X*(billing rate)."

He was saying "the market value of this is $Z, and it's more for things that have a greater impact."

I don't know Charlie Miller from a hole in the ground, and so I have no idea if he's going to be selling his work to the Russian Mafia. If you say he's a great guy, I'm sure you're right.

Nevertheless, if he thinks that security exploits have a market value beyond a reasonable billing rate, he's implicitly using the threat of the Bad Guys to raise the value of his work.

That's a very fine line to be walking.


Charlie has actually written about this issue before in a more academic context:

weis2007.econinfosec.org/papers/29.pdf

Based on the limited data in the paper, it seems that it's the government rather than the vendors that is actually setting the price in the legitimate market, at least for high quality exploits.

I think the X*(billing rate) calculation ignores the risk that the researcher took. It's a little like saying that a startup should be worth exactly the amount of money that has been invested in it.


I will go and read the paper. Thanks for the pointer.


If Charlie Miller doesn't find bugs in Safari, it is more likely that the Russian Mafia will get them from someone else. If Miller decides to boycott Apple security research until Apple pays better --- to just stop doing the work --- is he implicitly using the threat of Bad Guys to raise the value of his work?


[Let's use "Alice" as the name of our hypothetical security researcher.]

If the Bad Guys can get the exploit from someone else, then Apple equally could pay someone other than Alice to disclose it to them. Your premise assumes the work is fungible.

If the entire set of people (including Alice) who are capable of finding these vulnerabilities conspired to withhold their work and push the White Hat market clearing price up to the level that the Bad Guys will pay, then the answer to your question would be yes.

If it's a market without price fixing, then Alice withholding her work doesn't materially affect the actual price of the exploit to Apple, and in that case the answer to your question is no.


You're missing the point. Apple isn't matching the market's bid for these vulnerabilities. Clearly, people besides Miller can find Safari flaws; the difference is, when Miller finds them, we know they aren't being sold to organized crime. By your logic, if he stopped, he'd be making things better for the Bad Guys; he's therefore obligated to do the work.


You're missing mine, I'm afraid: I've made no claim about anyone having to do anything. Indeed, if I was in Charlie's shoes, I wouldn't be working on spec.

Let me put it another way.

There are two markets for exploits: the legitimate one, and the criminal one.

Charlie is participating in the legitimate one. He's going to get paid what the sole counterparty wants to pay him. We can argue about what the counterparty should pay him, but that's up to Apple (in this case), and there are a lot of different things that might enter into their calculation.

An argument that uses the value of the exploit in the criminal market in an attempt to set a value in the legitimate one only makes sense in one of two cases: (a) you're going to take your work and sell it over there, or (b) you claim that someone else either has already discovered or will soon discover the same exploit independently, and will choose to sell it on the criminal market, and therefore the value of your work should reflect the danger of that happening.

In the first case, you're engaging in blackmail.

In the second case, it's just not a very good argument -- because the chance that each element in the chain of reasoning about the value (it's about to be or has already been discovered by someone else, it's going to end up on the black market, it's a substantial risk for a 0-day, etc.) is not true represents a probability that reduces the overall value of your exploit in the legitimate market. Plus, there are the additional reductions in exploit value that come from the vendor not actually caring that much about fixing problems until they're in the wild, or having already found the issue and decided that the particular problem isn't worth fixing for a variety of non-technical reasons, or any one of a dozen other external factors.

Working on spec and then demanding that the vendors match the exploit values that the criminal market is paying is just a Bad Idea, morally and practically.


Apple pays zero for vulnerabilities, friend. They get them for free. Charlie Miller is saying he's going to stop doing that. Can you blame him?


No, but that's not his point. (I think) he says there's something wrong with him basing his price on what criminals would pay (regardless of whether he would actually sell it to criminals).

I don't know. If he can't ask whatever he wants for it and Apple can't pay whatever they want for it, there's no simple solution.


I think we've latched too much on the pricing specifics. I don't think Miller cares; I think he's just trying to illustrate that there is in fact a market value for this work, and that vendors and customers appear to expect to get the work product for free.


One's billing rate is determined by the market value of one's services. For instance, I may be able to charge $300/hr for general security consulting to a software vendor, but I cannot expect $300/hr for flipping burgers at a fast food place. It's contextual; there's not one price assigned to one person. If Charlie finds an exploit that could potentially cause a lot of damage, it's perfectly reasonable to expect the vendor to pay a value proportionate to that exploit's potential liability, damages, etc.

Hourly rates are determined based on market rates, and vary from job to job.


Conversely, he is basically stating that third parties like himself are working as exploit-oriented QA Engineers for the software they are exploiting. If full-time QA people get paid for it, why shouldn't he?

Please enlighten me... I don't see any mention of selling the exploit to criminals, just mention that they could get a lot more money than is offered. Is there just a subtext I'm missing with those statements?


Cool:

> Q: Google Chrome was the one target left standing. Surprised?

> A: There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.


I also find it very interesting how he compliments Windows and IE. I think people forget just how hard it is to be the biggest target.


I still use Chrome even though it's become less trendy lately. The beta version has some great features.

I know many people are mad that the Linux/Mac version isn't available, but if you think about it, the reason is the sandbox. Google loves quality and won't release something if it's not of high quality. I'm positive sandboxing on Windows is different from sandboxing on a Unix-based system. And security is key.


I thought they're only on Windows because they're using Windows-specific libraries. IIRC, I think it was the MFC.


I've always thought it was funny when someone would try to sell me on macs by saying there are less bugs and viruses on them. You have to remind them that if Apple had 90% of the business computer market that wouldn't be true anymore. Apple's best security is the fact that far fewer people buy their products than they do Microsoft's.


A really common response to that is, "well, malware share on Macs should track the market share of Macs; it doesn't, ergo Macs are more secure".

This is, of course, silly. We haven't hit "peak oil" for Windows infections. A new Windows worm still pays off wildly better than a Mac worm; writing Mac malware is economically irrational.


I've always thought it was funny when someone would try to sell me on macs by saying there are less bugs and viruses on them.

Why do you find that funny? You said yourself that it's true.


But, at the moment, there are less viruses on them for precisely that reason. Security through popularity is working for the time being. That and Linux/Unix/OS X have the principle of least privilege working for them too.


Someone does not know what 'principle of least privilege' means.


No, they don't. We can go through the motions on this "OS X has a better privilege model than Windows" argument, but I know how it'll end: malware doesn't need (or even want) root to win.


I really have no idea what I'm talking about, but I thought Leopard had the address space randomization I assume he's referring to?

Leopard also has some sort of sandbox feature, but apparently it's not used for Safari.


Nope. They've started down the path, but with these things, if you don't do it right, you may as well not have done it at all.

http://www.matasano.com/log/981/a-roundup-of-leopard-securit...


That was a good read, thanks. Has it been submitted to HN?


I generally won't submit my own stuff, but that post is also pretty old. There's stuff on the blog I'm much more proud of that hasn't made it here.


Fair enough, I have to admit I haven't checked out your blog before. The age did occur to me, but Leopard is still current and I thought it was a good read.

I was mainly interested in if there had been any HN discussion on it. Thanks.



Wonder how long Linux or *BSD would survive? Are they easier or harder than Mac OS X?

//olme


Am I the only one whose browser crashed while reading this article? Spooky.


My photo from his announcement: http://twitter.com/yan_i/status/1358061677


I have a new campaign. No more reading of sites with ginormous interstitial ads.


With all of the talk about morals and ethics, these are the two questions I ask myself whenever making a tough decision:

  1) Am I making the world a better place or a worse place?
  2) Am I providing value to the people I care about?

I can't speak for Charlie Miller. But my answer would be no for both questions. If I were in the same position as him I would feel like a big piece of fucking shit every single morning when I looked at myself in the mirror.


I think Charlie Miller wakes up thinking, "you're the weak, and I'm the tyranny of evil men, but I'm trying real hard to be the shepherd". Then he goes off getting in all kinds of adventures and shit, like Caine from Kung Fu.

That's just what I think.


In his case:

3) Can I feed myself?

By finding Safari bugs, he does make the world a better place. But he can't live like that, so he has to stop looking for Safari bugs.

Since Safari undoubtedly has bugs, this means someone else is going to find them. That someone else could be a criminal, but you can't blame the guy for not wanting to do work that doesn't pay. In the end, Safari's security is Apple's problem, not Charlie Miller's.


I understand that he has to eat. But making enough money to eat is not that hard.

And it isn't just Apple's problem (or just Microsoft or just Google). It's my problem, too. It's my mom's problem, too.

Think about the case where a user's data is compromised.

With great power comes great responsibility, and whatever other cheesy statement you want to make. I would feel personally responsible if I found an exploit and later that exploit was used to compromise someone's bank account or private correspondence.

My conscience is more important than my stomach. I can find other ways to eat.


I would feel personally responsible if I found an exploit and later that exploit was used to compromise someone's bank account or private correspondence.

Which is why he's not even looking for exploits anymore. He is leaving it to Apple's QA team, since it is really their job.

