
Hackers welcome at software companies

September 14, 2007 08:53 IST

In the summer of 2005, Michael Lynn discovered a dangerously exploitable flaw in an older version of Cisco routers, one that could shut down or hijack wide swaths of the Internet if it fell into the wrong hands. Lynn, a researcher with Internet Security Systems, immediately told Cisco's security team about the bug. But when Cisco showed no signs of informing customers who used the outdated hardware, Lynn put his discovery in front of a more responsive audience: the thousands of hackers attending the Black Hat security conference in Las Vegas.

Cisco's next reaction was swift: It sued Lynn, even though his presentation hid details of his exploit. The episode became a public relations blowup for Cisco and a legal morass for Lynn. That kind of stonewalling, enmity and miscommunication has long characterized relations between hackers and software developers, says Jennifer Granick, a cyber-law attorney who represented Lynn in his legal battles.

"There's been a lot of bad blood," she says. "Companies have a hard time acting grateful when some punk kid is lording over them that they found something wrong with their software."

But that attitude is now changing. Software developers are learning that cooperating with hackers is better than ignoring or attacking reports of exploitable holes in software. At the same time, a growing number of security companies are willing to pay for information about software vulnerabilities. That has nudged more software makers to treat independent security researchers less like bandits and more like helpful volunteers.

"Essentially, we're doing free quality assurance work for software vendors," says a hacker who goes by the handle "Dead Addict," and who spoke on unexpected bug disclosures at the DefCon hacker conference last month. "Companies' first reaction is often: 'What can we do to stop this from going on?' But they're learning that that's counterproductive."

To the surprise of many, Microsoft has become one of the most hacker-friendly software developers, says Dead Addict, who also works for a major mobile hardware company. He recalled how several of his hacker friends were hired as contractors to test the security of Microsoft's Vista operating system in the months before it was released.

Microsoft is proving equally enthusiastic when it hears about hackable flaws in its software from people not on the software giant's payroll. "We've learned a lot about how to work with independent researchers, and we're always trying to make it easier," says Mark Miller, director of Microsoft's Security Response Team. Miller says that 70% of the security flaws discovered in Microsoft's products last year were reported directly to the company by "volunteers."

Cisco has also "moved on" since its highly publicized spat with Michael Lynn, says Mike Caudill, the company's product security incident manager. "We've worked with independent researchers for years, and we welcome them contacting us," he says. Cisco has a 24/7 hotline and a secure system that hackers can use to send encrypted messages to the company about sensitive vulnerabilities.

But convincing hackers to give away information about bugs--some of which could easily help unscrupulous hackers spy, steal bank codes or hijack computers to issue spam or "malware"--is also getting trickier. Companies, including 3Com's TippingPoint division and iDefense, offer to buy vulnerabilities from hackers for several thousand dollars apiece, promising to inform the vendor of exploitable flaws. Other bug buyers, including Netragard and Immunity, pay hundreds of thousands of dollars for details of vulnerabilities that security researchers use to test how easily hackers can penetrate a system--and they don't always share the information immediately with the software's manufacturer.

In July, a Switzerland-based Web site called Wabisabilabi began auctioning bugs in an eBay-style marketplace. Among the items up for bid were detailed descriptions of bugs in 3Com file transfer protocol servers, Wordpress software and SAP's graphical user interface. An unidentified bidder is currently offering 5,000 euros (about $6,900) for information about one SAP bug.

Software vendors have hesitated to offer money for vulnerabilities in their own software, for fear that such bounties would only attract attention to their products' flaws and invite extortion. One rare exception was Netscape's bug bounty program in the late 1990s, which paid hackers $1,000 for significant discoveries. Neither Microsoft nor Cisco offers bounties, but they do give credit in their security bulletins to hackers who offer up bugs.

Given that Netragard can pay hackers as much as $200,000 for information about vulnerabilities, Adriel Desaultels, the company's chief technology officer, says that the least software vendors can do is to avoid a hostile response to hackers. "Vendors really can't compete with us in terms of paying for vulnerabilities," he says. "And when they try to quash research, it only takes a quick post to ruin their reputation as a company that makes secure software."

Some companies have yet to learn that lesson. Diebold Election Systems, recently renamed as Premier Election Solutions, unsuccessfully issued legal threats to dozens of individuals in 2003 for publicizing security problems found in their voting machines. Last year, Princeton University Professor Ed Felten and two of his graduate students found a method to infect Diebold voting machines with a virus that communicated from machine to machine via removable memory cards, potentially enabling the wholesale theft of votes.

Felten says Diebold ignored the academicians' entreaties to patch the flaw. A Premier spokesman denies that Felten's research pinpointed real vulnerabilities and says that the company is cooperating with all ongoing investigations and working to create a secure product.

In early August, however, the California secretary of state's office decertified electronic voting machines built by three companies--including Diebold--because of concerns about security vulnerabilities. "Had [Diebold] engaged with us, they'd have a reasonably secure system," says Felten. "Instead, they stonewalled, and look where it got them."

But that hardliner attitude is increasingly becoming the exception rather than the typical corporate reaction, Felten says. "Companies are already making sure that vulnerabilities get fixed and that hackers get credit," he says. "And now that there's competition from third parties who buy vulnerabilities, they'll have to move even faster."

Andy Greenberg, Forbes.com