Security company?!?
tqk Jul 06, 2007 10:40 AM EDT
I haven't read the article, btw. I thought a security company was something that implemented security, or tested for vulnerabilities to learn how the vulnerable could secure themselves. This company sounds more like Botnet Enablement, Inc., the research arm of Russian Mafia Enterprises, PLC. And eBay's going along with this? Weren't there a few laws passed recently that criminalize this behaviour?

Okay, now I have read it. It's unrelated to eBay, they say they're going to test the vulnerabilities to ensure they're not snakeoil, and they're going to vet potential purchasers to ensure they're legit (and not RME, PLC). They say they're just trying to create a vehicle which can ensure security researchers get paid for their work. Controversial, but possibly admirable. Bring the backroom dealing out into the light of day, legitimizing the sale of exploits to the reputable instead of to the crackers.

WOULD SOMEONE PLEASE POINT ME AT THE FORMATTING HOWTO, SO MY POSTS STOP GETTING MANGLED INTO INCOMPREHENSIBILITY?!? THOSE ARE PARAGRAPHS (PLURAL!) UP THERE, DAMNIT! THIS IS REALLY BEGINNING TO P*SS ME OFF!
tqk Jul 06, 2007 11:17 AM EDT

FSCK! In preview, it displayed as one single monolithic paragraph! Augh!
techiem2 Jul 06, 2007 11:17 AM EDT

They're not using eBay, they're starting an eBay-like service to sell to "legitimate buyers".
How well that'll work out is anybody's guess.
Scott_Ruecker Jul 06, 2007 12:18 PM EDT

tqk: I thought I already gave you a link for that?
Sander_Marechal Jul 06, 2007 1:04 PM EDT

Yeah, the forum software here isn't the most user-friendly :-) Anyway, from the article:

> WabiSabiLabi argues that the computer industry's ethical disclosure policies have led to a raw deal for security researchers, who typically are not paid for disclosing vulnerabilities. "Nobody in the pharmaceutical industry is blackmailing researchers (or the companies that are financing the research), to force them to release the results for free under an ethical disclosure policy,"

That's an idiotic statement and a very flawed analogy. If they want to make the analogy with the pharmaceutical industry: Drug safety testing is obligatory and done in public. The results are free for all. If there are bad drugs out there that you know of and you keep quiet about it, and get found out, you'll be sued so fast and hard that you don't know what hit you. The AV and security research industry is to the software industry what the NHS (or whatever the equivalent is called) is to the pharmaceutical industry.
tqk Jul 07, 2007 9:47 AM EDT

> I thought I already gave you a link for that?

You did, but I seem to keep coming up with new corner cases. In this one, I posted a message, read the article, came back to edit my message, hit "Preview", and it displayed as one huge monolithic paragraph. That's where the ALL CAPS came in. I hit send ... and there it was in double spaced paragraphs. !@#$% I'm sure it's just my ignorance of how forum software works, which is why I'd like to see some documentation. RTFM?!? What a novel concept. :-) Trial and error can be frustrating, not to mention slooooooow.
tqk Jul 07, 2007 9:57 AM EDT

> The AV and security research industry is to the software industry what the NHS (or whatever the equivalent is called) is to the pharmaceutical industry.

Yes, so how do these people get paid for their efforts? Hire on with Microsoft (as if they care) or McAfee or F-Secure or Kaspersky? Shouldn't they be allowed to work freelance? Many people are more productive using that arrangement. You don't have to suffer the office politics and Team Building shmooze meetings, or suffer under clueless managers. You just have to justify your efforts to whoever it is that wants to buy your work. So, I say, more power to 'em if they can make this work. Beats the crap out of selling it on the Black Market to RME, PLC.
Sander_Marechal Jul 08, 2007 2:32 AM EDT

> Yes, so how do these people get paid for their efforts? Hire on with Microsoft (as if they care) or McAfee or F-Secure or Kaspersky?

Continuing the healthcare analogy, if an NHS worker decides he's not paid enough, quits and starts selling drug-problem-related information to the highest on the open market, he would be sued and silenced pretty quickly. That should go for security researchers as well. If they think they're not paid enough they should find a different line of work. Network security testing is all the rage these days and pays quite well.
tqk Jul 08, 2007 11:19 AM EDT

> Continuing the healthcare analogy, if an NHS worker decides he's not paid enough, quits and starts selling drug-problem-related information to the highest on the open market, he would be sued and silenced pretty quickly.

Yes, and if he proves his claims in court, his counter-claims for tortious abuse will net him even more than his attempt at whistle-blowing could have got him. Lots of us out here see (i.e.) anti-virus companies as essentially protection rackets. It's good for them when new and more dangerous exploits show up because that helps them sell their stuff. I think it makes a heck of a lot of sense for a reputable security researcher to avoid relationships like that.