Dailydave mailing list archives

[Fwd: Re: 0x43434343 - talking of money...]


From: Daniele Muscetta <daniele () muscetta com>
Date: Sat, 22 Nov 2003 23:12:19 +0100


David Maynor wrote:

On Sat, Nov 22, 2003 at 03:30:55PM +0100, Daniele Muscetta wrote:
Do you EVER think of third world countries where 300 bucks a month is a RICH salary ? ...and there are families actually carrying on with that...


Excuse me, but have you answered to this one ?
This was the main point of the whole mail....
How much does EACH person need to earn to be able to live ?
The society shows you all fancy things, cars, accessories, flash bits and pieces, women, success, etc etc... well, my point was not that. My point is that you don't need all of that stuff to be happy in life.
You're fine with much less.
I know it does not have anything to do with security.
I apologize to all of you. You're the first one who answered. Please feel free to continue this thread off-list.
I will just reply to this one mail on the list.
I don't really feel up to wasting Dave's bandwidth nor CPU cycles of his mail server... these kinds of topics are those which never end, and everybody remains more or less of his own opinion.
But I felt compelled to say my own.



Do you ever even feel a tiny bit guilty or greedy for desiring so much ?
No. The research that is done will be used to make several companies
large sums of money.

Yes in many cases this does happen.

In some cases they make money.
In some cases the research makes them lose money.
In some other cases they handle the situation so that they don't lose that much, by keeping the thing hidden until
a patch is there.... in that case you might also say they make money...

I see how it works, and I don't particularly like it, but I can't change other people.

Anyway my point was that each one of us can change himself.

Has always been like that.
There will always be some bigger entity that makes more money with your research, in the capitalistic world/economy.


If a company makes a huge amount of money with your research.... I don't see the point in 'blackmailing' them asking for more money.... you are not changing the state of things: they will still make a HUGE amount of money with it, you just want a bigger share of it!

That is a very humble point of view !
I see.
So the problem is NOT them making too much money, I see..... it is that you want that money too !
Right, you then confirm what I was saying, basically.....
So well, you are right. You and those companies truly belong to each other.

There are several possibilities you can choose among:
1) You continue doing research for the pleasure of doing it (and I am sure you live with the money you make, even if it's not as much as you would dream). Maybe (or for sure) someone else will make a lot of money with it. On the other hand you might be helping the normal people get secured. This means you want things to get better, so you find a bug, you tell the vendor to fix it, and hopefully they will. If they don't, it is ultimately their problem and their customers'.... certainly not yours. They might thank you and pay you. Not as much as you would like. Maybe this will change if they ask you in advance to do so, and you get a contract in place with them that defines the terms of the research and payment and all the rest....

2) You might stop doing research for them if you don't like the use they make of it. This is also a possibility. You don't like the way they treat you, in the free market, you don't collaborate with them, you don't do research on their stuff..... And don't tell me you don't do research 'for them' .... if you are researching a bug in a commercial product.... who are you working for, ultimately, if not the vendor of that product ? ....and most of the time you are doing it spontaneously, they did not even ask you to ! Well, then you accept what they are willing to give you, or you simply don't do it.

3) Or you could keep it for yourself.
Well, I don't see the point of this last one, if you want to make things better.
Better. Better, I mean....
....where for BETTER I mean better for the world, for the people around you, for everybody. If you do security research for such a noble reason of making software that's more secure, you should not be worried who makes too much money with it.
It should be a mission.
If you just do it because someone makes the big bucks with it, and you also want to make big bucks.... then your point is obvious, but it was not what I was meaning. I don't see you being that different from those companies you seem not to like too much, then, to be honest.

Instead of finding vulnerabilities for commercial software (that is in this loop of economic power where they make too much money), switch to find vulnerabilities for open source, free software, where the author does not make any money out of it, and you neither. You would be contributing to make that ALTERNATIVE software more secure, eventually.

The "they are doing bad things, so we should do bad things too" is never my point.



If you want to be
disgusted, direct this at the market that feels these services are worth
these sums of money.
It is very bad, and no, I do not support it.
I do not like it either.
It's on both sides.
Both the big companies and those who work with them want to make big bucks.... I am just asking 'how big' these big bucks need to be for one to live... ?
That is my point. Companies becoming too rich is not right either.
It wasn't a case that I mentioned the third world.

I was meaning how much do people REALLY need to live on ?
And this applies to you, but it also applies to the big companies, of course.
Those are made of people too.



I am just disgusted by your being greedy and just trying to get rich with your research. If you do research for the sake of research.... you should be happy to do it, and that's it!
You should not be claiming for money so much !
You get compensation already. Those 5K is my wage of TWO months !
Many people do, then find their research has been taken and put into
products.

These are very sad situations.
No I don't like that either.

Yes, if it is about commercial products you should possibly get compensation.... but..... I feel that there is a limit. And if your purpose is to take as much money as it is possible out of those companies I see you not much different from them.



Do you support this?
Absolutely not. I do not agree with this, and yes, I am aware that it happens. And no, I don't like companies doing like that: stealing someone else's work to package it with their name and then sell it.
But still they do.
They are greedy too.
There are certainly a lot of traits in common between you and those companies then, you must really belong to each other!

I don't support companies making a lot of money, but I don't want to be one of them either. I live off the tiny bit I get, and I have seen that in some parts of the world people live with even much less.... and then in proportion I consider myself lucky, very lucky.
So I don't go after more.
I try to be modest.
...maybe it comes because I am not a 'security researcher' but just a mere mortal.....



I ask because you seem to feel
researchers should get nothing for their effort.

I have never meant this.
I just was looking at HOW MUCH, man !
You don't get nothing, come on ! You do get something substantially more than nothing ! If you are that good I think you do work and live, and you don't starve to death I suppose.....



Let's apply this to
another industry, like music. What you are suggesting is similar to
musicians recording music for labels but getting nothing for it while the
labels sell the music to the public.

Even in that case, is still the music label that takes too much money out of an artist's work.
They usually both want to make too much money: both the label and the artist.
Same applies to soccer players.
Same thing happens in many other fields.
It's called capitalism, and it is about never having enough.....



Well, I am all in favour of knowing how things can be made more secure, but your research is mainly about how to break them, most of the time.... and you even fight with each other about who was able to break it first...

You must be joking. The best way to understand how to make something
more secure is to break it.

Not always. This is an old, commonly heard idea, and I am not really sure it is always the case. It might help understanding where the weakness is and try to make the thing better, but in the end, if you are really determined, you will break whatever thing. No matter how well it was done.




Have you ever tried to BUILD something instead ?

Take Aitel for instance: he has written many
tools, available to the public for free, that help people fix their own
code and such. Like Spike Proxy.
In fact I appreciate him.
I would not be subscribed to this list otherwise.
And he also writes articles in magazines about how to develop.
He does not only break, he also builds.

And I do agree you might want to get compensation for research.
Great. Nothing to say about that.

I just don't agree with the need to get SO MUCH.

You're brilliant, so you deserve it right ?
To do what with that money ? To get drunk as you were writing in another email ? To buy a fancy car ? For what ? My point was about - no matter how brilliant you might be - think for a second of who is less lucky, of who has less than you do.
And admit, for once, that you (we) are all lucky.
But again, it does not have anything to do with computer security, so just excuse me, and if you want, bring this discussion to private mailing among us.
Let's not bother the list.


I don't mean to raise a flame.
I just hope to make someone think with his heart instead of with his wallet for a minute.

You are making so many assumptions, mainly that the security industry will
return the goodwill of researchers.


No, most likely they won't. I am afraid of that.
I am not making this assumption.

But for sure you don't change something you're in by just acting like everybody else.

If you don't like the big companies becoming so big and rich, and then you behave the very same way, going after the big money....
well, it's a vicious circle....

Try to give an example of a different attitude.

You can't blame someone / some entity or company if you act the same way they do.

You might act differently. Then they might copy your example. Most likely they won't. Maybe not.
Let other people make their mistakes.

Sincerely,

Daniele Muscetta




