What Responsibility Do Anti-Spyware Researchers Have?

from the questions-questions dept

There's been an ongoing debate in security circles over how security researchers should disclose vulnerabilities. The common view is that a researcher should first report the vulnerability to the vendor and give it some time to fix the problem; if nothing is done, the researcher typically discloses it publicly. That second step is where most of the conflict arises, and there are even some questionable laws that can get you in trouble for publicly discussing a vulnerability. Does any of this apply to spyware research, though?

Earlier this week, we pointed to Ben Edelman showing how 180solutions adware was still being installed surreptitiously, despite the company's promises that this would no longer happen. Edelman declined to name the offending affiliate or share related details because, in the past, 180solutions had taken independent researchers' findings about its software and turned them into self-serving press releases about how it had fixed a problem or cut off a rogue affiliate, when the real issue was that 180solutions should have fixed the problem or dropped the affiliate long before any researcher pointed it out. So what did 180solutions do? You guessed it: they put out a self-serving press release anyway. In it they not only boast about shutting down a rogue affiliate they never should have admitted in the first place, but also scold Edelman (not by name), claiming they shut the affiliate down "despite an unprecedented effort by some industry critics to keep secret the critical information that would have led to a quicker shutdown of the fraudulent behavior." Since then the dispute has escalated, with 180solutions claiming that Edelman's failure to hand over his findings before publishing them is somehow equivalent to security researchers posting vulnerabilities publicly.

The analogy doesn't hold. Responsible disclosure exists to protect users from exploitation of a flaw until the vendor can ship a fix; withholding the name of a distributor that is installing adware without consent leaves no user more exposed, because the only parties inconvenienced by that silence are the adware vendor and its affiliate. Edelman has no obligation to hand all of his research to 180solutions, and the real issue remains that 180solutions should never have let this happen in the first place. Trying to shift the blame onto the person who actually discovered the problem is not exactly the way to make the company look trustworthy.

Reader Comments

  • Andrew Strasser, 23 Feb 2006 @ 8:42pm

    What company doesn't include this stuff anymore?

    Seriously? They just keep doing it and doing it. Someone needs to do something about the companies that cause it, not the ones that are doing it. All it takes is one person who has the right info, and they will get them in 30 years just like anyone else who's rich. If you were poor, believe you me, they'd knock on your door today. That's what we seem to find in our neck of the woods and law enforcement anyway.


    • TechNoFear (profile), 23 Feb 2006 @ 11:17pm

      Re: What company doesn't include this stuff anymore?

      You have to follow the trail back to 180's site to find out that the affiliate mentioned in the 180 press release is not the one reported by Ben Edelman. There was another one.

      Wonder if that is the reason Edelman did not disclose which 'affiliate' was corrupt: he knew there was more than one.

      The exploit is basic as well and could easily be prevented if 180 wanted to. Obviously they have a motive not to fix the exploit.

      I wonder if an advertiser can sue 180? Do purchasers pay/purchase based on the size of 180's client/user base? (Which is, of course, exaggerated.)


  • TomS, 23 Feb 2006 @ 10:54pm

    Anyone who reads Edelman knows this is 180 trash t

    Ben Edelman is a careful, concerned researcher who has devoted considerable effort and time to tracking online security issues. This is a poor reward for the work he has done.
    Spend a few minutes reading his articles at Ben Edelman's site and you'll see the detailed information he provides and the patient dialog he has attempted with problematic web operators, like 180Solutions.
    180Solutions has a team of staffers and a boatload of money, yet after five years of "diligent work", they still can't seem to control the non-consensual installation of their affiliate-rewarding adware. Gee ... I can see why it's easier to blame Edelman for not providing more information to them, instead of looking at the logs they claim they keep to prevent this fraud.
    I'm not surprised by what 180Solutions says or does, but I am astonished that savvy media outlets bother to print or give credence to what they say. Like the old joke, "How do you know when they are lying? Their lips ...."


    • Mike (profile), 23 Feb 2006 @ 11:00pm

      Re: Anyone who reads Edelman knows this is 180 tra

      "I'm not surprised by what 180Solutions says or does, but I am astonished that savvy media outlets bother to print or give credence to what they say."

      I don't think anyone really is giving credence to what they're saying. If you read the original article, while it presents 180solutions' side, the writer is pretty clearly skeptical.


  • Douglas Brown, 24 Feb 2006 @ 5:38am

    What Responsibility Do Anti-Spyware Researchers Have?

    With a name like "180solutions", should we be surprised they only give half the story?
    (Sorry, bad pun)


  • Ben Edelman, 24 Feb 2006 @ 11:16am

    More on this story: 180's false statements, respon

    Ben Edelman here, with an update on this story.
    Earlier this week, Sunbelt and I figured out that 180 had not actually terminated the distributor at issue; they caught the wrong guy (a different rule-breaking distributor) on Monday. See the analysis in Sunbelt's blog. So that's one false statement in 180's press release: they said they had terminated the distributor on Monday, when they had not actually done so.
    But the story gets worse for 180. 180's press release also said they have already provided re-notification to every affected user: "the S3 functionality enabled the company to go back and re-message every user who received its software from [the distributor at issue] and provide them a one-click uninstall." Neither Sunbelt nor I have received any such "re-messaging."
    I also think 180's "responsible disclosure" argument falls flat. See my analysis of this argument, noting how responsible disclosure principles (e.g. protecting users from new exploits) fail to call for telling an adware vendor about nonconsensual installations of their software. I think my reasoning is generally consistent with Mike's, and with the view of the reporter who published the story linked in the main piece above.
    My analysis concludes: "180's S3 system is still broken in all the ways I initially set out. 180's press release made claims that can be shown to be false, as did 180's prior statements of S3's benefits, but 180 has not properly retracted its false statements. And 180's analogies don't add up. I'd still like to see 180 spend more time improving its practices, and less time on premature press releases and public relations." All in all, I'm not impressed.

    As to TechNoFear's questions: I think 180 makes various false statements to advertisers, some of which could give rise to a legal claim. For example, 180 describes its software as "permission-based" and "opt in", but it's well known (including in my example that triggered this article) that 180 sometimes shows ads even to users who didn't grant permission. Advertisers contract with 180 to show their ads to users who did give permission. If 180 shows ads to users who didn't agree, and charges advertisers for those ads, then advertisers are being charged for something they didn't agree to pay for. It's not much of a leap to think advertisers could rightly complain about such charges, as well as about the nonconsensual display of their ads to non-consenting users.
