If you remember, last week a vulnerability for Microsoft Excel was put up for auction on eBay. Sadly, the auction has been stopped for violating eBay's terms of service. Specifically, according to eBay, the listing actively encourages "hacking" and therefore had to be removed.
When I first read this, I was a bit irritated, but I couldn't quite put my finger on why. But then it hit me: it's the underlying assumption that ticks me off. In other words, the underlying assumption by eBay is that somehow the seller is doing something morally wrong; actually, they take it a step further and imply that somehow what he's done is criminal in addition to being just immoral. eBay stated publicly that "The listing was immediately reviewed and pulled from the site for violating our policy against promoting illegal activity - hacking." Back that truck up there just a second. Is that really true? Is the seller really promoting hacking?
Take a look at the auction content: the seller specifically says, "Your bid indicates that you agree to the following: You may not use this information for malicious or illegal purposes. The information you receive is for educational and research purposes only... The seller does not encourage any illegal activity." Sounds to me like the seller really hammered it home in actively discouraging hacking.
What specifically about this particular auction makes it "promoting illegal activity"? If the answer is "nothing", then the auction was pulled because eBay believes all vulnerability research promotes hacking. Is a vulnerability researcher, by nature of the work they are doing, promoting illegal activity? Does Halliburton actively encourage war by manufacturing munitions? I happen not to think so, but even if you accept that they do - they're clearly allowed to do it in a free market society. Ask Dick Cheney if weapons sales should be disallowed because they "promote war". Granted, eBay has a policy to prevent the sale of firearms and munitions on their site - that's their right, but they don't somehow imply in the process that trying to sell a gun makes you guilty of "promoting homicide."
Give vulnerability researchers a license to sell their wares if you want, tax them more heavily, make them register with the state, or whatever other hoops you want to make them jump through - just stop calling them criminals for trying to make a buck. And while we're at it, how about a moratorium on calling them criminals when they're doing it for free too?
It seems to me that all this centers around the question of who has ownership of the vulnerability, and what use a researcher can put their findings to. I'm a capitalist. I believe that a researcher who discovers a flaw owns it, in its entirety, until they choose to disclose it or to transfer ownership to someone else. If they own it, they should be allowed to sell it - and more power to them if they can get a better price by putting it up for auction.
Posted by Ed at December 12, 2005 12:05 PM