I have some very important information about a major security problem that could hit the Internet soon. If I were to give you this information, you would be able to protect yourself and your company from falling victim to this problem.
Now, Im completely willing to provide this information—eventually. However, Ive realized that, on the Internet, knowledge is power. Or, more accurately, knowledge is money.
So, Ive decided that I could make some easy cash by developing a "gold" or "premium" program, wherein companies will have to pay me to get this information before everyone else does.
I know youre wondering how I could do this—how I could leave the vast majority of users and companies vulnerable to this problem for a period of time while giving early warning to a select, moneyed few. And how could I do this after regularly preaching in this column the importance of security and how it should trump almost any other concern?
But you have to understand—this is a different situation. Ive realized that by exposing the majority to danger while extorting—I mean offering—premier service to some, I can make some serious cash. And isnt making more money always the most important thing?
OK, Im kidding. I dont have knowledge of a forthcoming security problem, and if I did, I would follow good vulnerability notification policies by revealing it to affected vendors and then to the community at large. But in the general Internet security community, this kind of premier early warning happens all the time. In fact, most people consider it standard operating procedure, and everyone from major vendors such as Microsoft to government-supported groups such as CERT does it. But that doesnt make it acceptable or proper. By doing this, too many vendors and security companies are trying to have it both ways.
Im not against all early warnings. Obviously, vendors that are affected by a problem should find out about it before the world does so they can come up with some form of fix or workaround. And with big problems, it makes good sense to give early warnings to big ISPs and other caretakers of the Internet backbone.
But, in my book, money is not a good reason for providing early warnings. And it drives me nuts that so many reasonable and vigilant groups and experts in the security community, as well as technology pundits overall, seem to think that this type of behavior is OK.
Think of it this way: Imagine that the National Institutes of Health has information that there is a risk of a SARS-like health problem spreading through the United States. First, NIH does due diligence and gives notice to hospitals, emergency workers and other groups that reasonably need early notification. But then NIH also gives early warning to rich and famous people who have paid for a premier medical warning service but have no more reason to get early warning than the average Joe.
Im sure there are conspiracy theories out there contending that this does happen. But if it did happen and the American people found out that it was happening, there would be a huge outcry, and a lot of heads would roll. And you can be sure that no one in the public eye would stand up and say that providing early warning about public health risks for pay was simply a cost of doing good business.
Security organizations take vendors and users to task for not practicing proper security policies, but then these same security vendors leave the vast majority of computer users vulnerable to problems by withholding certain security information so that it can be sold to premier customers through an early-notification service.
Security organizations and vendors do need to make money. And, in most cases, I think a company that has invested time and money into developing expertise should be able to profit from that expertise. But when profit comes up against public welfare, the public good should always win out. And there are plenty of other ways for these groups to generate revenue without leaving most of the Internet vulnerable to a problem for days or even weeks.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.