How to approach a company about a vuln in their software


bboitano
September 18th, 2009, 05:06
Purely hypothetical of course. Our hero finds himself in this situation :


Situation :

You use software from a company that you like, is actively developed with first rate support. You genuinely find the software useful and it makes you more productive. You know it is a popular target for crackers but at the moment the latest version remains uncracked.

You've found a way to bypass their trial expiration scheme so you can continue to use it without paying, you can get the updates etc etc

Dilemma

If you could afford to pay for the program, you would. You just don't have the money. So for now you use your crack.

Solution?

Approach company and offer to swap your knowledge for a legit license?

Is this legal (different countries, different rules - shall we assume UK for this example)? How would you approach it to ensure it didn't appear as blackmail, demanding xyz with menaces etc? Is it even a good idea?

You are not my lawyer, I am not your client etc etc.

Just wondering if our hero should keep his head down, or try and be constructive and support a release that is very useful to him by bartering what assets he has - the knowledge of how to get it for free.

Discuss

naides
September 18th, 2009, 07:33
My humble opinion, BAD IDEA. Companies are well aware of the cracks and crackers available, and one more update away from counteracting your crack. Doubt they would be thrilled and thankful for your info, and they would likely come after you, as you are a threat to their bottom line. What you are proposing is illegal in my country.

squidge
September 18th, 2009, 07:39
I've done this with trial software. As in, I've sent them a detailed email saying I was trialling their software and disclosed a list of bugs in their software (including how to reproduce said bugs) and general things I didn't like. They replied with words along the lines of "Thanks very much for your detailed report. Please find enclosed a free license for your efforts. Once we have fixed the bugs you described, you'll find the update on our website."

I very much doubt that every company will do the same however. Some probably won't even answer you. I've had that in the past with IAR Systems - got completely ignored and then, after sending a second email to them a month later, I was told the issue had been fixed and it would be 499 for the update. Needless to say, I demoed that version long term.

As for holes in their protection system, I'd stay clear of telling them those. They are usually a little protective.

bboitano
September 18th, 2009, 08:16
Thanks naides and squidge!

I have approached companies before to highlight holes in the security of their product - when I was young and reckless! Never with a proposition though - just an email (as you did squidge) pointing out some holes and offering to help patch them up (not putting hardcoded plain text serials etc).

In my experience, they have been mostly positive and I have indeed got full licenses from them by way of thanks. It is only recently that our hero has yet again fallen into this position, and I thought I would ask for feedback as to what our hero should do.

I can understand companies getting uppity about approaches like this, but to me it seems fair that one could approach a company and say "your license costs x, I have information y which I will sell you for (by complete coincidence!) the exact value of your license".

The license costs them literally nothing. It is not a lost sale even as you were using it cracked already. It might protect future revenues by preventing this particular workaround in the future.

As you say naides - they are one update from plugging the hole our hero has found. To me - the knowledge of a workaround would be worth the price of clicking 'Generate Key'. But maybe as a group, us people who get involved in RE value knowledge more than the beancounters and lawyers?

I do worry that a company may interpret our hero's approach as extortion, blackmail or some kind of criminal act - hence the proposition to sell the information. As long as you don't say "Buy my information or else" I think it should be legal - but as I say, I am not a lawyer, our hero is not my client.

Any more viewpoints more than welcome!

Woodmann
September 20th, 2009, 16:11
Uggggg.................you are between a rock and a hard place.

I think our hero needs to better develop his fine art of persuasion so as to not make "the company" feel threatened.

In this instance we are talking about a software retailing for 6 thousand.
You would think that "the company" would reward the person who reveals a security flaw in a program that has not yet been cracked/warezed.

On the other hand, our hero has the ability to deprive "the company" of a lot of profits.
This is the point where IF they feel threatened, the legal department will be notified.

What if our hero approached "the company" and provided just enough info so that they know its software has been compromised and see what they offer in return.

If they don't come back with an offer our hero likes, he could then explain how he likes the software and would really prefer a valid licensed copy.

Woodmann

squidge
September 20th, 2009, 16:54
Typically a big company selling software for 6 thousand only exposes their first line support email address. These type of people don't know anything (or very little, and a little knowledge can be dangerous) about security and coding. Sending them emails saying you hacked their software will just get the email either ignored or forwarded to the legal department as Woodmann says. It's very difficult to get your email read by someone who understands it. I wouldn't be surprised if you received a reply telling you to reinstall the software or dongle/license manager (if applicable) driver to attempt to "fix" the problem.

Smaller companies have a closer tie with their development staff, and so there's a far higher chance that sending support an email they don't understand internally generates a ticket for someone or some team that understands how all the code works and probably has contact with the actual developers. That's how it works where I work: support staff working from checklists and knowledge base -> support staff that actually know how the stuff works -> developers of that project. Of course the developers never reply directly, that would be bad. Their reply is normally translated first - answers such as "Yeah, that feature is FUBAR in that version" are never very good PR, and you never want the email addresses of your development staff accessible by end users.

BanMe
September 20th, 2009, 17:58
Release a public paper with 'just' enough cracked up information to the public...then 'play' the part of a third party individual and inform them of the release, with some information to 'contact' the author...that might work, it might just get it patched..

CluelessNoob
September 21st, 2009, 09:48
Quote:
[Originally Posted by bboitano;83026]
You've found a way to bypass their trial expiration scheme so you can continue to use it without paying, you can get the updates etc etc


I would stick with the status quo, our hero should keep the information to his/her self.

By not releasing the information our hero is not costing the company any more than what they are requesting for said info (a "free" license).

Best case scenario if our hero does contact the company is he/she gets a valid license and continues to use the software. Company loses nothing, our hero gains nothing he/she didn't already have beyond a company generated random number.

Worst case, men in black coats show up on our hero's doorstep.

But then I've always been against boat rocking.


bboitano
September 21st, 2009, 11:34
Quote:
[Originally Posted by CluelessNoob;83072]
I would stick with the status quo, our hero should keep the information to his/her self.

By not releasing the information our hero is not costing the company any more than what they are requesting for said info (a "free" license).

Best case scenario if our hero does contact the company is he/she gets a valid license and continues to use the software. Company loses nothing, our hero gains nothing he/she didn't already have beyond a company generated random number.

Worst case, men in black coats show up on our hero's doorstep.

But then I've always been against boat rocking.



Our hero historically has had the same attitude to boat rocking. I suspect he will end up keeping the info to himself, saving a few pennies (cents) a week and ultimately buying the software.

And then contacting them probably in a more 'by the way, were you aware ...' type of way.

Our hero just feels bad that in this day and age, where you can't move for poorly written, badly supported (yes, I'm looking at you Sage) and more often than not completely useless software that he is unable to contribute to some well written, well supported and darned tootin' genuinely useful software.

Since he can't contribute financially, he feels he should try to help with the skillset that he has.

But, along with the general swell of opinion here, he feels the trouble might be more than it is worth - however well intentioned the initial approach is.

It is a bit of a shame - but still, if by the time our hero has enough money to buy the product the hole is still there, he'll be able to pay back the 'borrowed time' he used the software for with a well presented bug report!

Thanks to everyone for their thoughts - sometimes it's nice to see your own feeling crystalised a little.

Our hero thanks you!

CrackZ
September 27th, 2009, 09:04
I had a similar situation not that long ago, the company concerned produced a high-end video/animation product that I'd just finished writing a keygen for.

As part of my research I'd been looking around their site, browsing their msgboards, as well as logging onto their IRC channel and befriending one of the developers (who turned out to be a really nice guy). It was then that I had an attack of conscience.

A few days later someone on the IRC channel had lost their license key and I saw the opportunity to 'help' them whilst support were apparently sleeping. A few hours after that I got a msg from one of the developers.

Far from being angry he was intrigued, moreso when I pointed out to him that each licensed name had hypothetically 3 keys that could be used, (they'd been saving the 2 other keys for future upgrades it turns out), he asked for some example keys with names to test I wasn't lying and I duly provided him with the source code.

They offered me a full legal license for their software even tho I didn't need one and asked advice for how to improve things.

About 6mths later their v3 product came out, and I got a personalised and complimentary license for it via e-mail from the devs (they hadn't forgotten me), I looked at the new protection scheme and found it had been very significantly improved, (it remains uncracked to this day in fact).

So there can be a happy ending, smaller devs seem to be much more realistic, larger co.'s I think you can expect legal trouble ;-).

Regards,

CrackZ.

Aimless
September 28th, 2009, 05:30
Quote:
[Originally Posted by CrackZ;83143]
(it remains uncracked to this day in fact).



So maybe you can provide me the name of the software and where I can download their demo-ed v3 in a PM?

Have Phun

squidge
September 28th, 2009, 07:13
That reminds me of an author that was boasting that his software couldn't be cracked because of the heavy encryption and obfuscation of specific key functions, and that you couldn't keygen it because it used a public key scheme. He didn't think about people replacing the public key in the software with their own and then writing a keygen using the private key built into the keygen. I've never checked if there was a later version of the software (in fact, I forget its name now, too) but I'm going to guess (or rather, hope) that he at least protected the public key a little better now rather than having it in plain text in the exe, and perhaps adding a checksum.
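
The point squidge makes above (a public-key licence check is only as strong as the integrity of the public key compiled into the binary) in a small Go model: this is an added example, not code from the thread, using crypto/ed25519 from the standard library, a constructed licensee name, and a hypothetical "pinned fingerprint" standing in for squidge's checksum.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// License is a licensee name plus a signature over it.
type License struct {
	Name string
	Sig  []byte
}

// issue signs a name with whichever private key the caller holds:
// the vendor's for a real licence, a keygen author's for a forged one.
func issue(priv ed25519.PrivateKey, name string) License {
	return License{Name: name, Sig: ed25519.Sign(priv, []byte(name))}
}

// checkLicense is the naive check: it trusts whatever public key is stored
// in the executable, so a key patched into the binary works as well as the vendor's.
func checkLicense(embeddedPub ed25519.PublicKey, lic License) bool {
	return ed25519.Verify(embeddedPub, []byte(lic.Name), lic.Sig)
}

// keyFingerprint is the "checksum" of the public key, SHA-256 as hex.
func keyFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// checkLicensePinned also compares the key's fingerprint with a pinned value.
// It raises the bar, but the pin is another constant in the same binary.
func checkLicensePinned(embeddedPub ed25519.PublicKey, pin string, lic License) bool {
	return keyFingerprint(embeddedPub) == pin && checkLicense(embeddedPub, lic)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // vendor's pair
	forgerPub, forgerPriv, _ := ed25519.GenerateKey(rand.Reader) // keygen author's pair
	pin := keyFingerprint(vendorPub)
	genuine := issue(vendorPriv, "constructed licensee") // constructed sample name
	forged := issue(forgerPriv, "constructed licensee")
	fmt.Println("vendor key, genuine licence: ", checkLicense(vendorPub, genuine))          // true
	fmt.Println("swapped key, forged licence: ", checkLicense(forgerPub, forged))           // true
	fmt.Println("pinned check, swapped key:   ", checkLicensePinned(forgerPub, pin, forged)) // false
}
```

The second line of output is the whole problem: the verifier has no way to know that the key it was handed is not the vendor's, so the scheme's security rests on binary integrity, not on the secrecy of the vendor's private key.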

Kayaker
October 22nd, 2009, 10:39
And then there's this "hero" who tried extorting 2000 euro from an AV company

A Black Hat Loses Control
http://threatpost.com/en_us/blogs/black-hat-loses-control-102209

wishi
October 24th, 2009, 15:47
Hmmh, these software companies didn't even ask for your expertise on securing their licensing model. If you (dare to) reverse it this falls under the DMCA and is therefore illegal within the US afaik. As for Europe in general there are the EULAs, which most often contain paragraphs against manipulations or illegal modification. In general Europe is more chaotic.
In any case: you don't necessarily own any rights to alter a bought piece of COTS (binary distributed) software. - And no, I'm neither a lawyer nor pro-copyright or DRM protections. It's just the reality: they might even sue you. Just remember Ed Felten's case of suppressed research here.

The idea to approach a company with an expertise like that is a little crazy - in my opinion. Management people are well aware of so called "losses" due to software piracy. They can turn out to behave like hungry frogs catching small flies with nothing but an honest intention. - Just to have something and make an example.
I have had such bad experiences especially with disclosing exploits or vulnerabilities to software vendors to make them fix the bugs - free. And I don't see much progress in increasing awareness.

bboitano
October 28th, 2009, 05:34
Quote:
[Originally Posted by Kayaker;83412]
And then there's this "hero" who tried extorting 2000 euro from an AV company

A Black Hat Loses Control
http://threatpost.com/en_us/blogs/black-hat-loses-control-102209


Well that is just insane

As wishi says, ultimately our hero would probably end up in more trouble than it is worth. The company in question didn't ask for our hero's help, this is true; the legalities of how our hero found his workaround are grey as far as this non-lawyer can tell. Certainly outside of the scope of the DMCA (hero not based in the US).

It is just a shame that there are so many idiots like the one Kayaker makes reference to, that those 'heroes' that genuinely would like to do something good are automatically assumed to be bad by the behaviour of less scrupulous people.

Our hero was only interested in finding a mutually beneficial solution to two problems - the fact that anyone could bypass the protection which may be/is causing revenue loss to a decent, well supported product line and that he couldn't afford a license.

You'd think there would be some way to achieve that now, wouldn't you?

As it stands, our hero is going to save up; when he can finally afford the package (which will be some time away with Xmas coming and all) he'll buy it and then release the vuln to the company as a way of saying 'thank you' for the 'extended trial period'.

Well - that is as it stands at the moment - unless someone here wants to buy our hero a copy :P

Anyone?

Hello?

<watches tumbleweed blow by>

*tap* *tap* Is this thing on?

SideSwipe
November 12th, 2009, 02:14
Quote:
[Originally Posted by Kayaker]
And then there's this "hero" who tried extorting 2000 euro from an AV company

A Black Hat Loses Control
http://threatpost.com/en_us/blogs/black-hat-loses-control-102209


I like the first comment to the above Threatpost post...

DUDE.. You need a NEW HairCut...!

LOL