What Responsibility Do Anti-Spyware Researchers Have?
from the questions-questions dept
There's been an ongoing debate in security circles about how security researchers should disclose vulnerabilities. The common view is that the researcher should report the vulnerability to the vendor first and give it some time to fix the problem. If nothing is done, the researcher typically discloses it publicly eventually. That's where much of the conflict occurs, and there are even some questionable laws that might get you in trouble for publicly discussing a vulnerability at all. But does any of this apply to spyware research? Earlier this week, we pointed to Ben Edelman showing how 180solutions adware was still being installed surreptitiously, despite the company's promises that this would no longer happen. Edelman declined to reveal the offending affiliate or related details because, in his experience, 180solutions would take independent researchers' findings about its software and turn them into self-serving press releases about how it had fixed a problem or cut off a rogue affiliate -- when the real issue was that 180solutions should have fixed the problem or stopped the affiliate long before a researcher pointed it out. So what did 180solutions do? You guessed it: it put out a self-serving press release anyway, not only bragging about shutting down a rogue affiliate it never should have allowed in the first place, but also scolding Edelman (not by name), saying it shut the affiliate down "despite an unprecedented effort by some industry critics to keep secret the critical information that would have led to a quicker shutdown of the fraudulent behavior." Since then the war has escalated, with 180solutions claiming that Edelman's failure to hand over his findings before announcing them publicly is somehow equivalent to security researchers posting vulnerabilities publicly.
Of course, Edelman has no obligation to hand his research over to 180solutions, and the analogy to vulnerability disclosure doesn't hold: researchers delay publication so that users aren't left exposed to an unpatched flaw, but here the exposed users are the ones already receiving nonconsensual installs, and the only party a delay protects is the vendor. The real issue is that 180solutions never should have allowed this to happen in the first place. Trying to shift the blame onto the person who actually discovered the problem isn't exactly the way to make the company look trustworthy.
Reader Comments
What company doesn't include this stuff anymore?
Anyone who reads Edelman knows this is 180 trash t
Spend a few minutes reading his articles at Ben Edelman's site and you'll see the detailed information he provides and the patient dialog he has attempted with problematic web operators, like 180Solutions.
180Solutions has a team of staffers and a boatload of money, yet after five years of "diligent work", they still can't seem to control the non-consensual installation of their affiliate-rewarding adware. Gee ... I can see why it's easier to blame Edelman for not providing more information to them, instead of looking at the logs they claim they keep to prevent this fraud.
I'm not surprised by what 180Solutions says or does, but I am astonished that savvy media outlets bother to print or give credence to what they say. Like the old joke, "How do you know when they are lying? Their lips ...."
Re: Anyone who reads Edelman knows this is 180 tra
I don't think anyone really is giving credence to what they're saying. If you read the original article, while they present 180solutions' side, the writer is pretty clearly skeptical.
Re: What company doesn't include this stuff anymore?
Wonder if that is the reason Edelman did not disclose which 'affiliate' was corrupt: he knew there was more than one.
The exploit is basic as well and could easily be prevented if 180 wanted to. Obviously they have a motive not to fix the exploit.
I wonder if an advertiser can sue 180? Do purchasers pay/purchase based on the size of 180's client/user base? (Which is, of course, exaggerated.)
What Responsibility Do Anti-Spyware Researchers Have?
(Sorry, bad pun)
More on this story: 180's false statements, respon
Earlier this week, Sunbelt and I figured out that 180 had not actually terminated the distributor at issue -- that they caught the wrong guy (a different rule-breaking distributor) on Monday. See analysis in Sunbelt's blog. So that's one false statement in 180's press release: They said they had terminated the distributor on Monday, when they had not actually done so.
But the story gets worse for 180. 180's press release also said they have already provided re-notification to every affected user: "the S3 functionality enabled the company to go back and re-message every user who received its software from [the distributor at issue] and provide them a one-click uninstall." Neither Sunbelt nor I have received any such "re-messaging."
I also think 180's "responsible disclosure" argument falls flat. See my analysis of this argument, noting how responsible disclosure principles (e.g. protecting users from new exploits) fail to call for telling an adware vendor about nonconsensual installations of their software. I think my reasoning is generally consistent with Mike's, and with the view of the reporter who published the story linked in the main piece above.
My analysis concludes: "180's S3 system is still broken in all the ways I initially set out. 180's press release made claims that can be shown to be false, as did 180's prior statements of S3's benefits, but 180 has not properly retracted its false statements. And 180's analogies don't add up. I'd still like to see 180 spend more time improving its practices, and less time on premature press releases and public relations." All in all, I'm not impressed.
As to TechNoFear's questions: I think 180 makes various false statements to advertisers, some of which could give rise to a legal claim. For example, 180 describes its software as "permission-based" and "opt in" -- but it's well-known (including in my example that triggered this article) that 180 sometimes shows ads even to users who didn't grant permission. Advertisers contract with 180 to show their ads to users who did give permission. If 180 shows ads to users who didn't agree, and charges advertisers for those ads, then advertisers are being charged for something they didn't agree to pay for. It's not much of a leap to think advertisers could rightly complain about such charges, as well as about the nonconsensual display of their ads to non-consenting users.
Re: More on this story: 180's false statements, re