Comments on: Market for zero-day vulnerabilities incentivizes programmers to sabotage their own work

By: Antinous / Moderator

Antinous / Moderator — Mon, 18 Jun 2012 20:49:00 +0000

Incite doesn’t imply an incentive.

By: dragonfrog

dragonfrog — Mon, 18 Jun 2012 16:43:00 +0000

Why inventorificate a new word when “incites” is already there?

By: JonS

JonS — Mon, 18 Jun 2012 00:09:00 +0000

Of course they are … they’re /criminals/. But the Govt – if not businesses – are supposed to be looking out for our interests, not looking for new ways to sell us down the river.

By: foobar

foobar — Sun, 17 Jun 2012 23:32:00 +0000

To take a whack at a bank’s security, you have to actually go there and run the risk of arrest. You can go at whatever server you like from a coffee shop with practically no chance of being identified.

Moreover, you can usually get a copy of software to attack in the privacy of your own network.

By: stephenl123

stephenl123 — Sun, 17 Jun 2012 22:17:00 +0000

I notice you mention governments and businesses paying for zero day vulnerabilities. But you don’t mention criminal organizations doing the same thing. Is it that you think the black market for vulnerabilities is not a major part of the market?

By: tré

tré — Sun, 17 Jun 2012 13:50:00 +0000

Don’t hate the player…

(but seriously, this whole thing needs to be taken care of by some serious market regulation.)

By: Paul Renault

Paul Renault — Sun, 17 Jun 2012 11:27:00 +0000

Verbing weirds language.
- Calvin (John?)

By: devilsdue

devilsdue — Sun, 17 Jun 2012 08:50:00 +0000

Bank vaults, and for that matter any kind of traditional physical security, are as exposed as any Internet connected computer. The only reason you perceive them to be less exposed is that vaults tend to be at the center of nested layers of security, and that the difficulty of tackling that security outweighs the benefits of breaking in. Furthermore, when break-ins do occur, banks are required to inform authorities and the bank’s customers that such a break-in did occur.

Instead, you have systems where single-point vulnerabilities lay open entire networks to outside access. Worse, now the developers of those systems (and the software the systems run) have an incentive to ensure they are insecure. Allowing those developers to limit their legal liabilities to customers only increases that incentive to sell out those same customers.

By: foobar

foobar — Sun, 17 Jun 2012 05:47:00 +0000

Bank vaults are pretty simple compared to software, yet if they were exposed to everyone on the internet I’d imagine they’d get opened pretty quickly.

By: Antinous / Moderator

Antinous / Moderator — Sun, 17 Jun 2012 05:25:00 +0000

Verb too radical?

By: fettemama

fettemama — Sun, 17 Jun 2012 04:36:00 +0000

That’s disgusting! Developers should be prosecuted!

By: Moriarty

Moriarty — Sun, 17 Jun 2012 04:20:00 +0000

Well, that and the fact that nobody wants to buy a crappy bank vault.

By: devilsdue

devilsdue — Sun, 17 Jun 2012 03:25:00 +0000

One of the underlying problems is those EULAs we all click through that absolve developers of any and all damages that may come from using their software. Ask yourself: If money can be made by putting intentional faults into security products, why aren’t bank vaults broken into all the time? The answer is in the liability, as well as the licensing and bonding process that vault makers and locksmiths must go through in order to sell their products and services.

Of course, that would require regulation. A naughty word in politics today.

By: Avram Grumer

Avram Grumer — Sun, 17 Jun 2012 02:24:00 +0000

It's a bad day when the tech industry follows in the footsteps of an almost-20-year-old Dilbert cartoon.

By: Vanwall Green

Vanwall Green — Sun, 17 Jun 2012 01:48:00 +0000

Like making zip guns for a coupla bucks apiece, and selling them to the Cops for $300.00 each, and keeping the real guns on the street.

By: checht

checht — Sun, 17 Jun 2012 01:46:00 +0000

“Incentivizes” – ouch. “Provides Incentive” too old school?