What Responsibility Do Anti-Spyware Researchers Have?

from the questions-questions dept

There’s been an ongoing debate in security circles concerning how security researchers should disclose vulnerabilities. The common viewpoint is that the researchers should disclose the vulnerabilities to the company, giving them some time to fix the problem. Typically, however, if nothing is done to fix the vulnerability, then researchers eventually will disclose it publicly. That’s where a lot of the conflict occurs, and there are even some questionable laws that might get you in trouble for publicly discussing a vulnerability. However, does this apply to spyware research as well? Earlier this week, we pointed to Ben Edelman showing how 180solutions adware was still being installed surreptitiously, despite promises from the company that this wouldn’t happen any more. Edelman refused to reveal the offending affiliate or related info because he felt that, in the past, 180solutions would take the work of independent security researchers showing problems with 180solutions’ software and turn it into self-serving press releases about how they fixed a problem or stopped a rogue affiliate — when the real issue was that 180solutions should have fixed the problem or stopped the affiliate long before the researcher pointed them out. So what does 180solutions do? You guessed it, they put out a self-serving press release anyway, where they not only brag about shutting down this rogue affiliate who they never should have allowed in the first place, but they also scold Ben Edelman (not by name), saying that they shut down this affiliate “despite an unprecedented effort by some industry critics to keep secret the critical information that would have led to a quicker shutdown of the fraudulent behavior.” Since then, the war has escalated, with 180solutions claiming Edelman’s failure to turn over his findings to them before announcing it publicly is somehow equivalent to security researchers who post security vulnerabilities publicly. 
Of course, Edelman has no responsibility to give all of his research to 180solutions, and the real issue is that 180solutions never should have allowed this to happen in the first place. Trying to shift the blame to someone who actually discovered the problem isn’t exactly the best way to make the company seem particularly trustworthy.


Comments on “What Responsibility Do Anti-Spyware Researchers Have?”

Andrew Strasser (user link) says:

What company doesn't include this stuff anymore?

Seriously? They just keep doing it and doing it. Someone needs to do something about the companies that cause it not the ones that are doing it. All it takes is one person who has the right info and they will get them in 30 years just like anyone else who’s rich. If you were poor believe you me they’d knock on your door today. That’s what we seem to find in our neck of the woods and law enforcement anyway.

TechNoFear (profile) says:

Re: What company doesn't include this stuff anymore?

You have to follow the trail back to the 180 site to find out that the affiliate mentioned in the 180 press release is not the one reported by Ben Edelman. There was another one.

Wonder if that is the reason Edelman did not disclose which ‘affiliate’ was corrupt, he knew there was more than one.

The exploit is basic as well and could easily be prevented if 180 wanted to. Obviously they have a motive not to fix the exploit.

I wonder if an advertiser can sue 180? Do purchasers pay/purchase based on the size of 180’s client/user base? (Which is, of course, exaggerated.)

TomS says:

Anyone who reads Edelman knows this is 180 trash t

Ben Edelman is a careful, concerned researcher who has devoted considerable effort and time into tracking online security issues. This is a poor reward for the work he has done.
Spend a few minutes reading his articles at Ben Edelman’s site and you’ll see the detailed information he provides and the patient dialog he has attempted with problematic web operators, like 180Solutions.
180Solutions has a team of staffers and a boatload of money, yet after five years of “diligent work”, they still can’t seem to control the non-consensual installation of their affiliate-rewarding adware. Gee … I can see why it’s easier to blame Edelman for not providing more information to them, instead of looking at the logs they claim they keep to prevent this fraud.
I’m not surprised by what 180Solutions says or does, but I am astonished that savvy media outlets bother to print or give credence to what they say. Like the old joke, “How do you know when they are lying? Their lips ….”

Mike (profile) says:

Re: Anyone who reads Edelman knows this is 180 trash t

I’m not surprised by what 180Solutions says or does, but I am astonished that savvy media outlets bother to print or give credence to what they say.

I don’t think anyone really is giving credence to what they’re saying. If you read the original article, while they present 180solutions side, the writer is pretty clearly skeptical.

Ben Edelman (user link) says:

More on this story: 180's false statements, respon

Ben Edelman here, with an update on this story.
Earlier this week, Sunbelt and I figured out that 180 had not actually terminated the distributor at issue — that they caught the wrong guy (a different rule-breaking distributor) on Monday. See analysis in Sunbelt’s blog. So that’s one false statement in 180’s press release: They said they had terminated the distributor on Monday, when they had not actually done so.
But the story gets worse for 180. 180’s press release also said they have already provided re-notification to every affected user: “the S3 functionality enabled the company to go back and re-message every user who received its software from [the distributor at issue] and provide them a one-click uninstall.” Neither Sunbelt nor I has received any such “re-messaging.”
I also think 180’s “responsible disclosure” argument falls flat. See my analysis of this argument, noting how responsible disclosure principles (e.g. protecting users from new exploits) fail to call for telling an adware vendor about nonconsensual installations of their software. I think my reasoning is generally consistent with Mike’s, and with the view of the reporter who published the story linked in the main piece above.
My analysis concludes: “180’s S3 system is still broken in all the ways I initially set out. 180’s press release made claims that can be shown to be false, as did 180’s prior statements of S3’s benefits, but 180 has not properly retracted its false statements. And 180’s analogies don’t add up. I’d still like to see 180 spend more time improving its practices, and less time on premature press releases and public relations.” All in all, I’m not impressed.

As to TechNoFear’s questions: I think 180 makes various false statements to advertisers, some of which could give rise to a legal claim. For example, 180 describes its software as “permission-based” and “opt in” — but it’s well-known (including in my example that triggered this article) that 180 sometimes shows ads even to users who didn’t grant permission. Advertisers contract with 180 to show their ads to users who did give permission. If 180 shows ads to users who didn’t agree, and charges advertisers for those ads, then advertisers are being charged for something they didn’t agree to pay for. It’s not much of a leap to think advertisers could rightly complain about such charges, as well as about the nonconsensual display of their ads to non-consenting users.
