Auction Site To Sell Security Vulnerabilities
talkinsecurity writes "A Swiss research lab has built an eBay-like marketplace where hackers and researchers can sell the security vulnerabilities they discover to the highest bidder. WabiSabiLabi could replace the back-room, secret sites where researchers and hackers used to sell their exploits and replace them with a neat, clean way to make money by finding security flaws. Those who have seen the site say they are concerned about how the buyers will be vetted, and how the marketplace will ensure the flaws aren't found through illegal methods."
I don't think the big boys are going to play along here; siccing attack-dog lawyers on them would probably be less expensive than trying to outbid a group of people who bid on their own stuff when the companies show interest in paying up.
Wanna fight? Bend over, stick your head up your ass, and fight for air.
The whole value of the exploit is that only a few people know it exists. How do you preserve that when you would need to divulge something of the nature of the exploit for it to be marketable?
I wonder if the people putting this on are actually looking to make a point about software vendors and their products. Any chance that they are looking to do nothing more than score some legal victories for the good of the public?
Regards.
http://www.wslabi.com/wabisabilabi/initPublishedBid.do?
How can anyone exploit a memory leak?
What could possibly go wrong?
You take it, I don't want it...
Companies like Microsoft seem to have developed the attitude that people shouldn't find their security holes at all, but if they do, they should be obligated to report them for free.
I think a free market approach like this is good.
As for vetting buyers and sellers, I don't think that's either necessary or desirable. If people find security holes through "illegal means" (whatever that means), it's a matter for the police and courts. And if the mafia outbids Microsoft, well, then Microsoft will have to live with the consequences or pay more next time. Companies like Microsoft should be exposed to the true costs of their security vulnerabilities, and they will be exposed to that only if the "bad guys" are in on the bidding, because vulnerabilities aren't worth a lot to the other "good guys".
If prices and damages get high enough, companies will invest enough in software development to stop creating security vulnerabilities in the first place.
System - Microsoft Windows
Flaw - You name it
Bid - 1 beeeeellllion dollars
Engineering is the art of compromise.
The summary writer assumes that those currently exploiting flaws would not use "illegal methods" to discover them?
While someone would have to be dumb enough to, say, screw over a Russian Mafiya buyer, I can see where there would be more than enough idiots out there who would happily try (and hiding behind eGold and proxies, etc. for payments... it may even be feasible).
Not like there would be much in the way of honor among thieves when it comes to a near-total-anonymous thing like malware and malware kiddies...
(Besides, all one would really have to do to make a killing as a seller is to dredge through securityfocus' vulns DB... the smart crims would avoid bidding on it, and the dumb ones? Well...)
Quo usque tandem abutere, Nimbus, patientia nostra?
Specific exploits. Where would you like me to begin?
I wonder how long it will be before somebody auctions a vulnerability discovered in the auction site itself.
100,000++ CREDI7 CARD NUMZ FOR SALEZ!!11!
BANK ACCOUNT INFORMATION FOUND IN HIDDEN FACILITIES BY GABRI31!!
10 WAYS BREAKS INTO NATIONAL RESERVE!!!!
SEX VIDEO OF THE BITCH WHO DUMPED ME
So why is it that telling a company about a security flaw is a quasi-illegal thing to do? If the company has no proof that you ever used it maliciously, then there is no reason that you shouldn't be able to report security flaws and have like a name/handle put onto a page of contributors. Demanding money for telling them about the flaw is extortion, unless they asked you to do it / offered the reward themselves.
Of course offering money for finding exploits might be a bad idea, it might entice people to look for exploits, find a really good one, use it, and never collect the reward, or wait until they're done with it to collect the reward.
Although I don't understand what the problem is with "illegal means": do you think someone who intends to use a security flaw really cares if the means they use are illegal or not?
Start by calling mmap() with MAP_FIXED. This lets you allocate memory at any legal address of your choice. You choose 0, the NULL pointer area which is normally never allocated.
Next, place a pointer there.
Next, run the kernel out of memory.
Next, ask the kernel to do a getsockopt() call that needs memory. The kernel will get back a NULL. The kernel will keep going, eventually using the NULL pointer to get some critical data like a kernel pointer. (a data pointer in this case, but it could well be a function pointer)
Now you've read (or written or executed) memory of your choice from the kernel. Fun!
Difficulties: You probably need to ensure that your page isn't swapped out, and you probably need to rewrite it from some other thread.
"""
and how the marketplace will ensure the flaws aren't found through illegal methods.
"""
In which country?
There will be a global setting to prohibit users from allocating address zero. This will tend to break stuff; maybe root is exempt.
For better control, a SE Linux hook is being added. Not that this isn't an abuse of the SE Linux mechanism, but... it'll work.
I see they want to have a hacker site, but make sure the exploits were obtained through "legal methods." Cigarettes with filters, safe party drugs, condoms, speed limits, and speech codes are the hallmarks of this hypocritical diaper society. I'm sure this will be no different, until an equal and opposite pretense leads to it getting closed down.
Anti-Globalism
It reminds me of the joke:
If it's a real vulnerability, you can sell it over and over again. None of the buyers is going to leak it - they'd lose their investment, and the chance to make $$$.
So, sell it once for $X, or sell it 20 times for $X/2?
This is just someone else with a lame attempt to insert themselves into a market.
At least such a site will keep those holding our precious information on their toes to make sure any holes are plugged QUICKLY!
Ruby Neural Evolution of Augmenting Topologies
So an exploit is auctioned to the highest bidder, and then on a different account the researcher auctions the same exploit to yet another highest bidder.
Sounds good to me, but don't the buyers feel cheated? I can't see anything to stop this from happening, so it doesn't seem like much of an _auction_ to me.
Also, consequently, after you buy an exploit you could auction it off to a bunch of other people and potentially make all your money back and more.
I don't really see how the auction format can support non-tangible items, is all I'm saying.
This will be interesting to see how it plays out. The two main legitimate vulnerability purchasers at the moment are iDefense's VCP (http://labs.idefense.com/vcp/) and Tippingpoint's ZDI (http://www.zerodayinitiative.com/). An open marketplace for researchers to sell their work is a good thing if implemented correctly. Previously there was little or no room to negotiate a fair price, and all the information had to be disclosed to the buyers first (trust is assumed that they will not use the information if they decide not to buy). Having a third party running an auction/fixed-price sale will hopefully bring out the legitimate market for this kind of research. On the flip side, there is a large can of ethics-laden worms being opened up, and again I will be interested to see in a year's time if the WabiSabiLabi marketplace is still operating successfully. Here is an interesting paper on The Legitimate Vulnerability Market: http://weis2007.econinfosec.org/papers/29.pdf
While I applaud this free-market approach to vulnerabilities, and agree that careless software engineering should cost a company money, I have to ask the question: how do bidders verify that a bug is indeed found as claimed? I mean, what stops someone from claiming bug X exists, asking for a bid, and leaving the bidder out in the cold? I suppose it's the same problem with eBay, but on eBay at least there is a picture (not necessarily of the item itself, of course). What's there to stop cyber racketeering and blackmailing?
The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't
This is going to vanish under an avalanche of litigation.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
will be the target of a huge number of hackers. I hope they're an OpenBSD shop.
"To those who are overly cautious, everything is impossible. "
Sure, I'll get right on that.
Might as well post an explanatory link - it's a Japanese term, if anyone was wondering about the origin of the name: http://nobleharbor.com/tea/chado/WhatIsWabi-Sabi.htm
Perhaps your jihad on condoms has led to syphilis infecting your brain, or maybe I'm just missing the connection between code exploits and speed limits?
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
... on Sunday I encountered a bug in eBay, having to do with last-second bidders. I was involved in an auction, and updated the auction page immediately after it was scheduled to close; it reported me as the winning bidder at a price of $77.01. Since I was at a friend's house, when I got home I went to arrange payment and discovered that a last-second bidder had been inserted after the fact, and my winning bid had now jumped to $93.50. I had set a max bid higher than his, otherwise presumably the interloper would have won... but then, since *I* had the original winning bid at $77.01 before it belatedly noticed his bid and inserted it, how would the system have handled that? Would I have been summarily removed as winner after having already been told that I had won?
If anyone can think of a way to have malicious fun with this and make some money, lemme know.
This whole concept is perverted. It is essentially ransoming developers with exploits. There was a story in some magazine recently about a coder who found an exploitable bug in samba, and didn't disclose it for a year because he was after the right price...
As a samba user I find this disgusting... the bug could have been fixed within days or hours of it being reported to developers, but this guy knowingly let millions of users live with an exploitable bug because he 'deserved to be paid for his work'. The greedy fucking dickhead.
Ransom and blackmail, it is.
Sounds like a great way to wash your hands after selling a vulnerability to the mafia. "I don't know who you are, or what you intend to do with this weapon. I don't want to know."
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
I certainly don't feel like making all the middlemen rich off of my organs while my family struggles to survive without me. I'd instantly sign up to be an organ seller if I could.
It's such a load of crap. Nobody can sell organs, but the middlemen can charge huge "handling fees" and "processing fees". Grrr. Well, maybe the icky solution is that my surviving family charge such fees. My wife could stand there next to the doctor, dropping organs into a cooler for $1234567/hour. Yuck! This is stupid. Just let me sell the organs.
It was an InfoSec class in a Masters program.
Question- what do you do if you come upon a security hole?
Answer- ?
Case in point, some grad student in physics accidentally came across a vulnerability in the engineering dept's site. He reported it to his adviser the same day. (Yes, it was all proven). Adviser told the engineering dept., they fixed it, high fives all around. About a year later, the psych dept. gets broken into with a quasi-semi like exploit. Who does the uni and cops go straight after as a suspect? Yup, the kid who turned in the engineering vulnerability. Eventually was cleared, but how great is it to be a "Good Samaritan"?
So now you are a student who comes across a commercial exploit. Now what? Auction it off for some moolah, let the company know, sit tight? If you auction it off and don't get sued by the company, does the school have a right to kick you out due to "unethical behavior"? If you let the company know, what kind of exposure do you have then? Can they accuse you of being a hacker? If something similar happens in the future, can they come back to you? If you're a fan (or fanboy) of the company and sit tight, and later it gets hit by the same exploit, how is your conscience?
Now ramp the whole thing up to be a person in the commercial field. Tell your boss, etc.?
Now ramp it up to government level. Tell.... ? (underpant gnomes- had to fit that in somewhere)
Now ramp it up to classified level. Wait... nah, you're cool as long as you tell your boss so -they- can exploit it.
As an individual at home, you'll probably be fine as long as you don't use the exploit to your advantage, and if you report it to a security site or the company I would think you would be fine.
Personally, I wouldn't touch this site with a 6-foot pole.
Vote monkeys into Congress. They are cheaper and more trustworthy.
The real question is who is going to give out their personal information upon signing up for this site? Doesn't sound like a very good place to be submitting your name, address, etc. to, does it?
Here's what I'm thinking.
What you're supposed to do is find some suitable site (preferably running ASP and Cold Fusion), sprinkle it liberally with apostrophes, and if some MS SQL Server error pops out, stuff the link in there. And then link that site from Slashdot.
Alternatively, spot a comment (or even better: a frontpage story...) which already links to an ASP or CFM site, and goatse that site up after the fact. Funny as hell, as the initial poster tries to justify himself that it was still a safe-for-work site at the moment he linked to it.
Oh, and btw: goat.cx is defunct since long ago. Nowadays it's goatse.ch or goatse.cz.
Have fun!
You're either looking to get someone pregnant, or contract an STI. I guess that's the price you pay for fighting the "hypocritical diaper society".
$nice = $webHosting + $domainNames + $sslCerts
After all, haven't they gone through a couple world wars, plus smaller wars and disputes with only a "We're neutral, but if you give your money to our banks, we'll keep it safe" philosophy? This doesn't seem to fit that mindset at all.
libertarian: (n) socially liberal, financially conservative; neither left, nor right.
If the H-1B and offshoring continue, resulting lower pay for all necessarily creates more incentive for programmers to insert "flaws" and then auction off information about them to get a little more cash on the side, not to mention revenge. Perhaps the existence of open markets for flaws will cause vendors to spend more on development in more than one way. If one does not want the cook spitting in one's food, one does not insult the cook.
Not only does Apple have a ton of security holes, but both Apple and all their users continue to deny any flaws exist.
Guess security through obscurity will continue to be the best Apple (and Lunix) can manage.
Will Adobe give me Photoshop CS3 for free? Of course not.
Then why do people expect these companies to get vulnerabilities for free?
I know, a vulnerability in $SoftwareVendor's product could be exploited by Some Nefarious Person ($SNP) to cause damage. So what's preventing $SoftwareVendor from bidding on the same vulnerability and beating out $SNP?
Don't companies spend $$$ doing security audits, automated testing, etc.? Then what's wrong with paying someone for exploits? Don't the people who find these exploits need to be paid, just like the company's software engineers?
If companies had to pay big bucks for exploits, you bet they'd make damn sure that such exploits didn't exist anymore.
Disclaimer: I have neither found, nor looked for, an exploit in any piece of software.
It's been many years since Linux messed around with switching segmentation tables. Today every process uses the same few segments. When switching processes, the kernel just changes the set of page tables in use. This is way faster on modern hardware.
User code and data reside in addresses from 0x00000000 to 0xbfffffff. The kernel resides in addresses from 0xc0000000 to 0xffffffff. At all times, both user and kernel stuff is in the page tables. At all times, both user and kernel stuff is mapped. At all times, the segment bases are at 0x00000000. At all times, the segment limits are 0xffffffff. The only thing protecting the kernel is a bit in each page table entry which restricts some memory pages to ring 0 code.
When the kernel acts on behalf of a process, that process is mapped into memory. (during interrupt handlers and kernel-internal processes, the most recent normal process remains mapped) If the kernel wants to access user memory, it just does so, relying on a trap handler to deal with pages that are swapped out or otherwise missing. There is also a simple check to see if the address is too high.
If the kernel INTENDED to access via a pointer to user data, and that pointer were NULL, everything would be OK.
This is a case of the kernel intending to access kernel data via a trusted pointer to kernel data. No user data is supposed to be involved. Problem is though, the kernel's pointer is NULL because the kernel ran out of memory for a moment. Oops! Normally this would be a NULL pointer crash. The NULL pointer area is under user control though, so far worse can happen.
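An added C example, not code from the thread or from the Linux kernel, that models the two checks the post above and the earlier "global setting to prohibit users from allocating address zero" comment are about: the upper-bound check on user addresses (with the overflow guard a correct one needs) and the low-address floor that keeps the NULL page out of user hands. The 3G/1G constants, the 65536 floor and the "privileged caller is exempt" rule are assumptions taken from the thread, and the function names are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constant: the 32-bit 3G/1G split the post describes.
 * Real kernels call this TASK_SIZE; the name here is the example's own. */
#define USER_END_32  0xC0000000u   /* first kernel address */

/* The "simple check to see if the address is too high": is [addr, addr+len)
 * entirely below the kernel boundary?  Written so that a huge len cannot
 * wrap the 32-bit sum around and slip a kernel address past the test. */
bool user_range_ok(uint32_t addr, uint32_t len)
{
    if (len > USER_END_32)
        return false;                  /* could never fit in user space */
    return addr <= USER_END_32 - len;  /* subtraction cannot underflow here */
}

/* The same check written naively, kept only to show the wrap-around bug. */
bool user_range_ok_naive(uint32_t addr, uint32_t len)
{
    return addr + len <= USER_END_32;  /* 0xFFFFFFFF + 2 wraps to 1: passes */
}

/* The floor the thread calls "a global setting to prohibit users from
 * allocating address zero".  Assumed semantics: a fixed mapping below
 * min_addr is refused unless the caller is privileged (the thread's
 * "maybe root is exempt"). */
bool mmap_fixed_allowed(uint32_t addr, uint32_t min_addr, bool privileged)
{
    if (addr >= min_addr)
        return true;
    return privileged;
}

int main(void)
{
    /* The boundary check alone does not help: address 0 is a legal user
     * address, so a kernel-internal NULL pointer passes it and, if the
     * NULL page is user-mapped, the kernel reads whatever was placed there. */
    printf("NULL passes boundary check: %d\n", user_range_ok(0, 4));
    printf("naive check wraps on 0xFFFFFFFF+2: %d\n",
           user_range_ok_naive(0xFFFFFFFFu, 2));
    printf("map page 0 with no floor: %d\n", mmap_fixed_allowed(0, 0, false));
    printf("map page 0 with floor 65536: %d\n",
           mmap_fixed_allowed(0, 65536, false));
    return 0;
}
```

The floor is what closes the gap: the upper-bound check is about keeping user pointers out of kernel memory, not about keeping kernel pointers out of user memory.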
Most people are not engineers and have zero discipline. They act on their emotions and do illogical things. The average person does not enter his true maximum bid into the proxy system. He enters some idea of his max, but then his emotions take over. "Am I willing to lose this auction over $1 or $2?" And he raises his bid.
Watch the bidding on an item for evidence. You'll see some joker increasing his "maximum" bid by $1 or $2 for about a dozen iterations. Sniping protects against this inane bidding behavior.
Multisnipe is also a cool tool, although there is nothing specific to sniping about it. It just bids on every auction in the group until you win one, and then it stops bidding on that group. You could just as easily implement something like that without sniping, but it just happens to typically be bundled with sniping tools.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock