As I’m sure you’re by now aware, a security researcher named Charlie Miller was able to pwn Safari in 10 seconds at CanSecWest yesterday! A truly spectacular feat! I’m not even sure how he was able to type so fast! Let me read on…
Hmmm. Okay, so he didn’t actually do anything in those 10 seconds except copy and paste a URL into the browser. Still, it’s not like he had lots of time to prepare for his moment of supreme glory!
Oh wait. According to this Reg story, he actually had over a year to prepare. (No wonder he was able two weeks ago so confidently to “predict” that Safari would be the first to fall! Not so much his assertion that IE and Firefox would remain standing, though.) And, as numerous alarmed commentards have pointed out, he didn’t tell Apple about this critical security flaw in a piece of software used by millions of people every day.
As one of those users, I have to say I’m not exactly delighted to discover that a so-called security researcher was so breathtakingly cavalier about the safety of my data and the privacy of my personal information. Apparently I’ve been vulnerable to this “idiot-proof” exploit for at least a year, and have only good luck to thank for the fact that no-one used it to drain my bank accounts in the meantime.
Of course, discovering a bug is not the same thing as discovering a ready-to-go exploit, and he had to dig at it with his hacking implements before he was able to make it bleed. But arguably the very fact that he sat on it so long implies he knew it at least had the potential to be exploitable (read: profitable). So rather than reporting the bug to Apple to ensure Safari users around the world would be protected as soon as possible, Miller filed it away so that he might bag himself yet another laptop.
The point I’m trying to make is that this wasn’t “his exploit” to do with as he saw fit. With today’s highly monetized black market for malware authors this kind of bug must not be permitted to exist even for a day, let alone a year. The public good must trump personal gain if we’re to make any headway against today’s increasingly sophisticated criminals. For an employee of a reputable security company to place in danger through his inaction the security, privacy and finances of millions of people is to my mind grotesquely irresponsible, all for the sake of a few grand and another 15 minutes in the limelight. With a successful drive-by browser exploit now likely to cause many millions of dollars worth of damage – not to mention further erode the perceived viability of the Internet as a safe place to do business – I consider such reckless disregard to be unconscionable.
“If this competition hadn’t existed, I never would have found this bug,” Miller told The Reg, with the implication that we, the unwashed know-nothing iProles, should be grateful to him and TippingPoint and CanSecWest for their altruism. But anything laudable about this misguided competition and the bugs it (eventually) reveals is, in my opinion, entirely negated by the absolute ethical void that must accompany any system that incentivizes such antisocial behavior.
But surely I’m going too far. As The Reg points out, critical browser exploits can fetch up to $100,000 on the black market. Isn’t it “remarkable”, then, that these heroic souls were “willing to [sell the exploits to TippingPoint] for well under the going rate”?
I must agree. If we as an industry really have sunk so low that we’re genuinely impressed by the fact that our colleagues aren’t working for criminals then “remarkable” doesn’t seem to quite do it justice.