Pwn2Own 2009 Contest Ethically Corrupt

By hollywood | Posted in News, Opinion, Technology

I’ve been following the TippingPoint Pwn2Own contest for the last couple of years.  Last year a researcher from ISE named Charlie Miller used an exploit in a Perl library included in WebKit, the base code for Apple’s Safari browser, and won a cash prize for his effort.  In the press it was claimed he “hacked Safari in mere seconds”.  In truth it took a lot more time than that to devise the exploit and only seconds to execute it.

This year he did it again with another preplanned exploit, which he says he discovered while researching last year’s bug.  Again he won a cash prize of $10,000.  And again it was claimed that Safari was exploited in seconds.

In an interview with ZDNet he said: “I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away,” Miller told ZDNet. “Apple pays people to do the same job so we know there’s value to this work.”

I have a major problem with his philosophy and feel this is a dangerous precedent to set and a bastardization of the goals of security in the first place.  I feel he has an obligation to inform Apple and not dangle a dollar amount for the how-to.

Sure, he should be paid for his time and effort, which is why he works at a security firm.  This contest is basically bonus money and about bragging rights.  Sitting on a bug puts the safety of other users at risk.  But he is basically demanding bribe money for bugs.  Who is to say he wouldn’t give up his research to the highest bidder?  I’m sure there are blackhat groups like those in Russia and China that would pay handsomely for some juicy exploits like this.

Yes, there is a long history of security firms hiring hackers, and there have been many questions of whether that is a good idea.  But security firms should take notice of this philosophy and not employ those who engage in this kind of behavior.  It’s bad form for his employer and makes the security industry as a whole look bad by proxy.  Would you hire a security company that employs hackers who blackmail for bugs to work on your systems?  If we had hired his firm while I was working IT at a large New York bank, I would have advised my boss to make sure he’s not on our project (and perhaps to hire an entirely different firm altogether).

I’ve been in a discussion with other users about this.  There seems to be a split in viewpoint: one side says he should let Apple and the WebKit developers know about this exploit for the betterment of everyone (for free).  The other side feels this is purely about capitalism and he has no moral or ethical obligation to tell anyone.

Some have likened it to seeing a crack in a bridge that might fail.  Are you obligated to inform someone of the problem?  What if Dan Kaminsky demanded $1 million (Dr. Evil laugh) to divulge details on the DNS BIND problem?  People would be after his head and his career would be over.  This isn’t about capitalism vs. communism as some have suggested.  It is about right and wrong.  Charlie Miller is on the wrong side of this equation.

-Hollywood




Podcasts I’m Listening To

By hollywood | Posted in Music, News, Products, Reading, Technology

These are some podcasts I’ve been listening to in the time between not writing articles for MvsR and not doing other important things.  If you haven’t gotten into listening to podcasts, turn your radio off and tune into some of these:

Internet Superstar
Beer School
This Week In Photography
This Week In Tech
This Week In Media
Boing Boing TV
The VFX Show
Cranky Geeks
NPR: Wait, Wait Don’t Tell Me
NPR: Fresh Air
NPR: Car Talk Call Of The Week
This American Life
Web Drifter
The Totally Rad Show

There’s got to be something in there to interest most anyone.




Free Music from iTunes Music Store

By hollywood | Posted in Music, Technology

So I’ve been collecting music from the iTunes Music Store for a while now, way before I got my own iPod.  I’ve amassed a decent collection of music, all of which was free, either from free links like the ones in this article or from the Pepsi promotion last year, which they are doing again right now (in a much bigger way than last year’s promo) and will be announcing again during the Super Bowl.  I’ve not yet decided if I would actually pay for music from the store, as I really like having the CD itself and the packaging.

Anyway, I thought I would pass along this list to you.  A lot of the tracks listed are no longer free, as the offer is no longer valid, but many still are.  Also, some of the tracks are for foreign iTunes stores, not just the main USA store.  I’ve found a number of decent new artists from the free stuff, which I guess is part of the point.  Anyway, if you find more stuff, please let me know by posting here with a link to the track or album.  Enjoy!

Oh hey, BTW, if you do get those iTunes bottles, here’s how to win each time...

-Hollywood

Free iTunes Music Links:

This is the first link to start with.  They seem to keep a good running tally of all the latest free songs added to iTMS.  Lots of good stuff there.

You will also notice that on that page they have a link to the songs that were added last year.  Here’s that link.

Here’s a few other odds and ends free tracks…

Lastly, you can sign up for Apple’s Free Music Tuesdays newsletter.



